Collection-Level Access Control in Self-Managed Deployments

Collection-level access control allows administrators to grant users privileges that are scoped to specific collections.

Administrators can implement collection-level access control through user-defined roles. By creating a role with privileges that are scoped to a specific collection in a particular database, administrators can provision users with roles that grant privileges on a collection level.

A privilege consists of actions and the resources on which those actions are permitted; that is, the resources define the scope of the actions for that privilege.

By specifying both the database and the collection in the resource document for a privilege, administrators can limit the privilege's actions to a specific collection in a specific database. Each privilege in a role can be scoped to a different collection.

For example, a user-defined role can contain the following privileges:

privileges: [
{ resource: { db: "products", collection: "inventory" }, actions: [ "find", "update", "insert" ] },
{ resource: { db: "products", collection: "orders" }, actions: [ "find" ] }
]

The first privilege scopes its actions to the inventory collection of the products database. The second privilege scopes its actions to the orders collection of the products database.

As a best practice, avoid assigning the createCollection privilege to users who do not also have read privileges on that collection.
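The following mongosh-style script is an added example and is not code from the MongoDB documentation. It builds the role shown above, adds a small offline matcher that shows which (database, collection, action) requests the role's privileges cover, checks the role against the createCollection-without-read best practice, and creates the role and a user holding it. The role name inventoryClerk, the function names, the sample user and the injected database handle parameter are assumptions for illustration. The matcher also goes beyond the page in one respect: it implements MongoDB's documented empty-string wildcard semantics for resource documents (an empty db means any database, an empty collection means any collection in that database).

```javascript
// Added example (not from the MongoDB docs page). Names such as
// inventoryClerk, createScopedRole and the injected `dbHandle` parameter
// are assumptions for illustration; the privileges mirror the page.

// Role definition. In mongosh this is the document passed to db.createRole().
const inventoryClerkRole = {
  role: "inventoryClerk",
  privileges: [
    { resource: { db: "products", collection: "inventory" }, actions: ["find", "update", "insert"] },
    { resource: { db: "products", collection: "orders" }, actions: ["find"] }
  ],
  roles: []
};

// Resource matching for db/collection resource documents: an empty db
// string means "any database", an empty collection string means "any
// collection in that database". Cluster and anyResource documents are
// not modelled here, and system collections are not special-cased.
function resourceMatches(resource, dbName, collName) {
  if (!("db" in resource) || !("collection" in resource)) return false;
  const dbOk = resource.db === "" || resource.db === dbName;
  const collOk = resource.collection === "" || resource.collection === collName;
  return dbOk && collOk;
}

// True when at least one privilege in the role grants `action` on dbName.collName.
function isAllowed(roleDef, dbName, collName, action) {
  return roleDef.privileges.some(p =>
    resourceMatches(p.resource, dbName, collName) && p.actions.includes(action));
}

// Lint for the page's best practice: list resources on which the role grants
// createCollection without also granting find (read) on the same resource.
function findCreateWithoutRead(roleDef) {
  return roleDef.privileges
    .filter(p => p.actions.includes("createCollection") && !p.actions.includes("find"))
    .map(p => `${p.resource.db || "*"}.${p.resource.collection || "*"}`);
}

// Create the role and a user that holds it. `dbHandle` is a mongosh-style
// database handle (in mongosh, `db` after `use admin`); it is passed in so the
// function can also be exercised offline with a stub object.
function createScopedRole(dbHandle, roleDef, userName, password) {
  const problems = findCreateWithoutRead(roleDef);
  if (problems.length > 0) {
    throw new Error(`createCollection without find on: ${problems.join(", ")}`);
  }
  dbHandle.createRole(roleDef);
  dbHandle.createUser({
    user: userName,
    pwd: password,
    roles: [{ role: roleDef.role, db: dbHandle.getName() }]
  });
}
```

In mongosh, after switching to the database that should own the role, `createScopedRole(db, inventoryClerkRole, "alice", "<password>")` creates the role and the user in one step; the user then gets find, update and insert on products.inventory and only find on products.orders, and nothing on other collections or databases. Calling `isAllowed` with a few requests before creating the role is a quick way to confirm the scoping does what you intend.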

For more information on user-defined roles and the MongoDB authorization model, see Role-Based Access Control in Self-Managed Deployments. For a tutorial on creating user-defined roles, see Manage Users and Roles on Self-Managed Deployments.