Custom Roles didn't work

Hello, I'm using MongoDB and I need to give my backoffice permission to modify the database. I created the custom role but it didn't work as expected. Can somebody enlighten me?
Thank you

Hi @Nicolo_Bartolomei,

Welcome to the community :wave:

I created the custom role but it didn't work as expected. Can somebody enlighten me?

Could you provide the following information:

  • A list of command(s) being attempted by the database user(s) associated with the backoffice custom role.
  • The full error logs being returned when the database user associated with the backoffice role attempts such command(s).
  • Confirmation that the custom role is assigned to a database user(s).
  • Cluster tier
  • MongoDB version

Regards,
Jason

1 Like

Hi Jason, thank you for the reply.
So actually I'm not using code or terminal commands; I'm setting everything up from the website. I just want to limit a user that I created to do only the find, insert and update operations on my specific database and nothing else, but when I select those elements from the list and save, the user can't see the database. I don't have error logs.
The custom role is assigned to my user
Cluster tier: the free one
MongoDB version: I guess it is the latest
In the Database Users tab I have my user with these MongoDB roles: backoffice@admin; meanwhile, if you use the predefined one it tells me backoffice@myDbName.
These are the permissions I gave in the custom role

In the db I put myDbName and in the collection I inserted 3 to test it out, pressed save, waited 1 min, then connected using MongoDB Compass and nothing showed.
I don't understand how the custom role works.
Instead, if I choose readAndWrite, the default one, the user can see everything, but I don't want him to be able to delete or see other collections.
Thank you

Hi @Nicolo_Bartolomei,

From the steps you’ve described it does sound like you are doing this correctly. However, just to clarify I’ve tried reproducing the possible issue. Let me know if any of the steps you are trying are different:

  1. Created the custom role fiuCustomRole with find, insert and update permissions on a database named testdb1:

  2. Assigned the custom role fiuCustomRole to the Database User testuser:

  3. Authenticated with Database User testuser to my test Atlas cluster connecting through Compass and the below is what I can see:

You can see in the terminal in Compass that the user was able to:

  • insert a document into a test collection in the database testdb1
  • find document(s) in the test collection in database testdb1
  • update the document(s) in the test collection in database testdb1

They were not authorized to:

  • use show collections
  • delete document(s)

Please take note that the authenticated user cannot see any collections in the Compass UI shown in the above example.

In the db I put myDbName and in the collection I inserted 3 to test it out, pressed save, waited 1 min, then connected using MongoDB Compass and nothing showed.
Instead, if I choose readAndWrite, the default one, the user can see everything, but I don't want him to be able to delete or see other collections.

From what it sounds like, you cannot see the collections in Compass. This is expected as the actions you’ve provided for the user allow it to only find, insert and update on a collection and not list the collection(s). There is a particular action listCollections that will show the collections; however, it cannot be restricted to showing a single collection.

Could you provide further information regarding the use case of wanting to allow a user to see only a specific collection name?

Hope this helps.

Regards,
Jason
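As an added example (not code from this thread or from MongoDB), here is a simplified JavaScript model of how the privileges in the reproduction above resolve, useful for auditing a least-privilege role before assigning it. The privilege shape follows what `db.runCommand({ connectionStatus: 1, showPrivileges: true })` reports under `authInfo.authenticatedUserPrivileges`; the sample data, the function names and the rule that a database-level action only matches a whole-database resource are assumptions of this model.

```javascript
// Constructed sample: privileges for a role like fiuCustomRole
// (find, insert, update on every collection of testdb1).
const samplePrivileges = [
  { resource: { db: "testdb1", collection: "" }, actions: ["find", "insert", "update"] },
];

// A resource matches when db and collection are each "" (wildcard) or equal.
// Assumption: cluster/anyResource resources and system collections are ignored.
function resourceMatches(resource, db, collection) {
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") return false;
  const dbOk = resource.db === "" || resource.db === db;
  const collOk = resource.collection === "" || resource.collection === collection;
  return dbOk && collOk;
}

// Database-level checks (such as listCollections) pass collection === "",
// so only a privilege covering the whole database can satisfy them.
function isAllowed(privileges, action, db, collection = "") {
  return privileges.some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, db, collection)
  );
}

// Compare what a role grants against what the backoffice user should and
// should not be able to do on one collection.
function auditRole(privileges, db, collection, wanted, forbidden) {
  return {
    missing: wanted.filter((a) => !isAllowed(privileges, a, db, collection)),
    excessive: forbidden.filter((a) => isAllowed(privileges, a, db, collection)),
    canListCollections: isAllowed(privileges, "listCollections", db),
  };
}

const report = auditRole(
  samplePrivileges, "testdb1", "test",
  ["find", "insert", "update"],   // intended backoffice operations
  ["remove", "dropCollection"]    // must stay admin-only
);
console.log(report);
```

A `canListCollections` value of `false` corresponds to the empty collection list in Compass described above, while `missing` and `excessive` being empty confirms the role grants exactly the intended operations.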

Hi Jason, thank you again. I tested the listCollection action but nothing. Can’t see the database.


I also see that there is another role called listDatabases. I tried that and now all databases are displayed and also the collection that I inserted in the rule above. Anyway, only with listDatabases can I see stuff in Compass. At this point I guess it is a bug in Compass… I'm going to try it on my Mac later today and reply again.
Regarding your last question, I'm trying to create a role for the backoffice (only see the database and can only insert, modify and find stuff; he cannot delete stuff, just the admin). Actually I'm using Compass as a micro management tool for the backoffice; instead of creating a frontend website or other stuff I will use Compass, which already does what I need (almost xD).
Can’t understand this behaviour

Just tried on Macbook, same behaviour…

Hi Jason, thank you again. I tested the listCollection action but nothing. Can’t see the database.

Could you show a screenshot of what you are seeing in Compass for both the database & collection sections (like the example screenshots below) and provide what version of Compass you are using? In addition to this, please confirm what actions are assigned to the database user when the screenshot(s) are taken. Please redact any sensitive or personal information.

I’m currently utilising 1.29.6 of Compass in my reproduction environment for this issue. With the following actions I can still see the database testdb1.

Although these are for testdb1 (all collections). The database I can see is testdb1 in Compass:

However, since I do not have listCollections action for the custom role assigned to my database user, it cannot see any collections (expected behaviour):

Regards,
Jason

1 Like