Docs Menu

Rules

In traditional applications, an application server exposes an API to client applications and handles database queries on their behalf. To prevent malicious, improper, or incorrect read and write operations, clients don't query the database directly.

MongoDB Realm provides a configurable and dynamic rules engine that enables you to run a MongoDB query from client applications while transparently preventing unauthorized reads and writes. Rules are defined for entire collections in a linked MongoDB Atlas cluster and apply to individual documents in the collection dynamically based on the application user that issued a query.

Note

Data Lake data sources do not support rules or schemas. You can only access a Data Lake data source in a system function.

The rules engine handles incoming queries with the following 4-step process:

1

MongoDB Realm evaluates the queried collection's Filters in the context of the incoming request. Filters dynamically add additional query predicates and projections to incoming queries based on an expression that you define.

After evaluating, MongoDB Realm applies all relevant filters to the incoming query and then finds all documents that match the filtered query.

Note
Filters

To learn how to configure a filter for a collection, see Filter Incoming Queries.

2

MongoDB Realm evaluates a Role with specific read and write permissions for each document that matches the filtered query. You define the roles for each collection, including the permissions they have and the conditions under which they apply.

Note
Roles

To learn how to configure role-based permissions for a collection, see Define Roles and Permissions.

To learn more about roles, explore the roles reference page. There you'll find more information, including configuration parameters, use-case examples, and details on how MongoDB Realm assigns roles to documents.

3

Once MongoDB Realm has evaluated a role for each document, it runs the filtered query and prevents reads and writes on each document unless the document's role allows them. If no role applies to a specific document, MongoDB Realm withholds that document entirely and prevents the query from reading or writing any fields.

4

If the query was a write operation, MongoDB Realm checks each affected document to ensure that they conform to the collection's Document Schema. If any document does not match the schema, MongoDB Realm rolls back the operation and rejects the query.

Tip
Give Feedback
MongoDB logo
© 2021 MongoDB, Inc.

About

  • Careers
  • Legal Notices
  • Privacy Notices
  • Security Information
  • Trust Center
© 2021 MongoDB, Inc.