Resource Document

The resource document specifies the resources upon which a privilege permits actions.

To specify databases and/or collections, use the following syntax:

{ db: <database>, collection: <collection> }

If the resource document specifies both the db and collection fields as non-empty strings, the resource is the specified collection in the specified database. For example, the following document specifies a resource of the inventory collection in the products database:

{ db: "products", collection: "inventory" }

For a user-defined role scoped for a non-admin database, the resource specification for its privileges must specify the same database as the role. User-defined roles scoped for the admin database can specify other databases.

If only the collection field is an empty string (""), the resource is the specified database, excluding the system collections. For example, the following resource document specifies the resource of the test database, excluding the system collections:

{ db: "test", collection: "" }

For a user-defined role scoped for a non-admin database, the resource specification for its privileges must specify the same database as the role. User-defined roles scoped for the admin database can specify other databases.

Note

When you specify a database as the resource, system collections are excluded, unless you name them explicitly, as in the following:

{ db: "test", collection: "system.js" }

System collections include but are not limited to the following:

If only the db field is an empty string (""), the resource is all collections with the specified name across all databases. For example, the following document specifies the resource of all the accounts collections across all the databases:

{ db: "", collection: "accounts" }

For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.

If both the db and collection fields are empty strings (""), the resource is all collections, excluding the system collections, in all the databases:

{ db: "", collection: "" }

For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.

To specify the cluster as the resource, use the following syntax:

{ cluster : true }

Use the cluster resource for actions that affect the state of the system rather than act on a specific set of databases or collections. Examples of such actions are shutdown, replSetReconfig, and addShard. For example, the following document grants the action shutdown on the cluster.

{ resource: { cluster : true }, actions: [ "shutdown" ] }

For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.

The internal resource anyResource gives access to every resource in the system and is intended for internal use. Do not use this resource, other than in exceptional circumstances. The syntax for this resource is { anyResource: true }.
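
The rules on this page, as an added JavaScript example (not MongoDB's own code): `covers` decides whether a resource document applies to a namespace, and `audit` flags resources that a user-defined role scoped for a given database cannot have. The function names, the sample privileges, and the `system.` prefix test for system collections are assumptions.

```javascript
// Added example, not MongoDB's own code. Roles and namespaces are constructed.
// Assumption: a system collection is any collection whose name starts with "system.".
const isSystem = (coll) => coll.startsWith("system.");

// Does a resource document cover the namespace db.coll under the rules above?
function covers(resource, db, coll) {
  if (resource.anyResource === true) return true; // every resource in the system
  if (resource.cluster === true) return false;    // cluster state, not a namespace
  const dbOk = resource.db === "" || resource.db === db;
  if (resource.collection === "") return dbOk && !isSystem(coll); // system collections excluded
  return dbOk && resource.collection === coll;    // an explicit name can be a system collection
}

// Findings for one resource in a user-defined role scoped for roleDb.
function audit(roleDb, resource) {
  if (resource.anyResource === true) return ["anyResource is intended for internal use"];
  const findings = [];
  const adminOnly = resource.cluster === true || resource.db === "";
  if (adminOnly && roleDb !== "admin") {
    findings.push("only roles scoped for admin can have this resource");
  } else if (!adminOnly && roleDb !== "admin" && resource.db !== roleDb) {
    findings.push("resource db must be the role's database");
  }
  if (typeof resource.collection === "string" && isSystem(resource.collection)) {
    findings.push("names a system collection explicitly");
  }
  return findings;
}

// Constructed sample: privileges of a hypothetical role scoped for "test".
const samplePrivileges = [
  { resource: { db: "test", collection: "" }, actions: ["find"] },
  { resource: { db: "test", collection: "system.js" }, actions: ["find"] },
  { resource: { db: "", collection: "accounts" }, actions: ["find"] },
  { resource: { cluster: true }, actions: ["shutdown"] },
];
for (const p of samplePrivileges) {
  console.log(JSON.stringify(p.resource), audit("test", p.resource));
}
```

Run against the privileges of each user-defined role, the empty-string and cluster resources on a role scoped outside admin stand out, as do privileges that name a system collection explicitly.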