Securing Custom User Data

Wilber_Olive · July 31, 2023, 8:59pm

The documentation indicates that one way to secure custom user data is by denying access to the collection to all users and then use a system function to manage custom user data on behalf of users.

This is what I would like to do, but I’m just a little unsure about how this should work. My initial thought was that I should set a denyAllAccess role on the custom user data collection. However, if I do this, won’t that also deny the system function from accessing the collection or do functions that have their Authentication set to System just ignore the roles entirely?

Mansoor_Omar · August 2, 2023, 12:24am

Hi Wilber,

The system auth function will ignore the rule as mentioned here.

A system function runs as the system user instead of a specific application user. System functions have full access to MongoDB CRUD and Aggregation APIs and bypass all rules and schema validation.

Regards

system · August 24, 2023, 9:30pm

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.