
Collection-Level Access Control in Self-Managed Deployments


Collection-level access control allows administrators to grant users privileges that are scoped to specific collections.

Administrators can implement collection-level access control through user-defined roles. By creating a role with privileges that are scoped to a specific collection in a particular database, administrators can provision users with roles that grant privileges on a collection level.

A privilege consists of actions and the resources upon which the actions are permissible; i.e. the resources define the scope of the actions for that privilege.

By specifying both the database and the collection in the resource document for a privilege, administrators can limit the privilege's actions to a single collection in a single database. Each privilege in a role can be scoped to a different collection.

For example, a user-defined role can contain the following privileges:

privileges: [
{ resource: { db: "products", collection: "inventory" }, actions: [ "find", "update", "insert" ] },
{ resource: { db: "products", collection: "orders" }, actions: [ "find" ] }
]

The first privilege scopes its actions to the inventory collection of the products database. The second privilege scopes its actions to the orders collection of the products database.
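The following is an added example, not code from the MongoDB Manual: it wraps the two privileges above in the document shape that `db.createRole()` accepts and adds a small pure-JavaScript checker that mirrors how a `{ db, collection }` resource scopes actions, so you can see offline which operations the role does and does not permit. The role name `productsClerk` is a hypothetical placeholder, and the empty-string wildcard handling goes beyond the page's fully specified example (it follows the Manual's resource-document semantics).

```javascript
// Added example (not from the MongoDB Manual). Role name is a placeholder.
// Document shape accepted by db.createRole(); "roles" is required but may be empty.
const productsClerkRole = {
  role: "productsClerk",
  privileges: [
    { resource: { db: "products", collection: "inventory" },
      actions: ["find", "update", "insert"] },
    { resource: { db: "products", collection: "orders" },
      actions: ["find"] },
  ],
  roles: [],
};

// Does a resource document cover the namespace dbName.collName?
// An empty db or collection string acts as a wildcard for that part,
// and a wildcard collection covers only non-system collections.
function resourceMatches(resource, dbName, collName) {
  if (resource.cluster) return false; // cluster resources never name a collection
  if (resource.db === undefined || resource.collection === undefined) return false;
  const dbOk = resource.db === "" || resource.db === dbName;
  const collOk = resource.collection === ""
    ? !collName.startsWith("system.")
    : resource.collection === collName;
  return dbOk && collOk;
}

// Is `action` permitted on dbName.collName by this role's own privileges?
// A privilege must both match the namespace and list the action.
function roleAllows(roleDoc, dbName, collName, action) {
  return roleDoc.privileges.some(
    (p) => resourceMatches(p.resource, dbName, collName) && p.actions.includes(action)
  );
}

// In mongosh, create the role in the database its privileges apply to:
//   db.getSiblingDB("products").createRole(productsClerkRole)
// Offline, the checker shows the scoping described in the text:
console.log(roleAllows(productsClerkRole, "products", "inventory", "update")); // true
console.log(roleAllows(productsClerkRole, "products", "orders", "update"));    // false
console.log(roleAllows(productsClerkRole, "sales", "orders", "find"));         // false
```

The checker only evaluates the role's directly listed privileges; inherited roles (the `roles` array) and server-side privilege merging are not modelled.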

For more information on user-defined roles and the MongoDB authorization model, see Role-Based Access Control in Self-Managed Deployments. For a tutorial on creating user-defined roles, see Manage Users and Roles on Self-Managed Deployments.
