Securing Custom User Data

The documentation indicates that one way to secure custom user data is by denying access to the collection to all users and then use a system function to manage custom user data on behalf of users.

This is what I would like to do, but I’m just a little unsure about how this should work. My initial thought was that I should set a denyAllAccess role on the custom user data collection. However, if I do this, won’t that also deny the system function from accessing the collection or do functions that have their Authentication set to System just ignore the roles entirely?

Hi Wilber,

The system auth function will ignore the rule as mentioned here.

A system function runs as the system user instead of a specific application user. System functions have full access to MongoDB CRUD and Aggregation APIs and bypass all rules and schema validation.


This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.