How to assign distinct privileges to users and administrators in MongoDB?

Question

How to assign distinct privileges to users and administrators in MongoDB?

I am currently working on developing an application using Sails and MongoDB that requires three levels of users.

Super admin
Admin
User

My goal is to assign different privileges to each type of user

The Super admin should have access to the entire database.
An Admin can only access data related to their field
A User can only access data specific to that user.

How can I implement different schemas for each type of user and restrict access so one user cannot view resources belonging to another?

javascript mongodb mongoose sails.js

Answer 1

Answer №1

I am interested in establishing different access privileges for each user.

A Super admin has full access to the entire database.

An Admin can only access data related to their specific field.

A User is limited to accessing data pertinent to their own profile.

In order to achieve this, a document-level access control mechanism is required where access to a document is determined by the value in a particular field. However, up to version 3.0, MongoDB does not offer built-in support for document/field level access-control; ACLs are limited to the Collection-level.

How can I implement different schemas for distinct user types and prevent unauthorized access to resources?

Given the current limitations at the database level, achieving this solely through the database alone, especially in terms of restricting access to 'documents', is not feasible. Nevertheless, similar functionality can be implemented at the application level (such as with sailJS). At the database level, one workaround is to move user documents to separate collections and employ the createRole() method to establish roles and specify associated privileges.

For SuperAdmins:

db.createRole({ role: "SuperAdmin",
  privileges: [
    { resource: { db: "myCustomDB", collection: "" }, actions: [ "find", "update", "insert", "remove" ]}
  ],
  roles: []
})

SuperAdmins are granted full access to all collections within the myCustomDB database and can execute find, update, insert, and remove actions.

For Admins:

db.createRole({ role: "Admin",
  privileges: [
    { resource: { db: "myCustomDB", collection: "AdminCollection" }, actions: [ "find", "update", "insert", "remove" ]},
    { resource: { db: "myCustomDB", collection: "" }, actions: [ "find"]}
  ],
  roles: []
})

Admins have CRUD permissions on documents within their designated collection but only read-only access to other database collections.

For Users:

db.createRole({ role: "User",
  privileges: [
    { resource: { db: "myCustomDB", collection: "UserCollection" }, actions: [ "find", "update", "insert", "remove" ]}
  ],
  roles: []
})

Note: For users still on version 2.4 (or earlier), it may be necessary to relocate user collections to a separate database due to MongoDB's ACL limitations being restricted to Database-Level access in versions 2.4 and below.

Answer 2

I am interested in establishing different access privileges for each user.

A Super admin has full access to the entire database.

An Admin can only access data related to their specific field.

A User is limited to accessing data pertinent to their own profile.

In order to achieve this, a document-level access control mechanism is required where access to a document is determined by the value in a particular field. However, up to version 3.0, MongoDB does not offer built-in support for document/field level access-control; ACLs are limited to the Collection-level.

How can I implement different schemas for distinct user types and prevent unauthorized access to resources?

Given the current limitations at the database level, achieving this solely through the database alone, especially in terms of restricting access to 'documents', is not feasible. Nevertheless, similar functionality can be implemented at the application level (such as with sailJS). At the database level, one workaround is to move user documents to separate collections and employ the createRole() method to establish roles and specify associated privileges.

For SuperAdmins:

db.createRole({ role: "SuperAdmin",
  privileges: [
    { resource: { db: "myCustomDB", collection: "" }, actions: [ "find", "update", "insert", "remove" ]}
  ],
  roles: []
})

SuperAdmins are granted full access to all collections within the myCustomDB database and can execute find, update, insert, and remove actions.

For Admins:

db.createRole({ role: "Admin",
  privileges: [
    { resource: { db: "myCustomDB", collection: "AdminCollection" }, actions: [ "find", "update", "insert", "remove" ]},
    { resource: { db: "myCustomDB", collection: "" }, actions: [ "find"]}
  ],
  roles: []
})

Admins have CRUD permissions on documents within their designated collection but only read-only access to other database collections.

For Users:

db.createRole({ role: "User",
  privileges: [
    { resource: { db: "myCustomDB", collection: "UserCollection" }, actions: [ "find", "update", "insert", "remove" ]}
  ],
  roles: []
})

Note: For users still on version 2.4 (or earlier), it may be necessary to relocate user collections to a separate database due to MongoDB's ACL limitations being restricted to Database-Level access in versions 2.4 and below.

Answer 3

Answer №2

Imagine you're in the process of setting up a database called "records"

When using mongo shell >>

//SuperADMIN
use admin
db.createUser(
 {
   user: "superuser",
   pwd: "12345678",
   roles: [ "root" ]
 }
 )


 //ADMIN
 use records
 db.createUser
 (
   {
     user: "recordsUserAdmin",
     pwd: "password",
     roles: [ { role: "userAdmin", db: "records" } ]
   }
 )





//Any User
use records
db.createUser(
 {
    user: "recordUser",
    pwd: "12345678",
    roles: [
       { role: "read", db: "records" },
       { role: "read", db: "user" },
       { role: "read", db: "sales" },
       { role: "readWrite", db: "accounts" }
    ]
  }
 )

To learn more, visit:

Mongo tutorial create admin

Add user to mongo

Answer 4

Imagine you're in the process of setting up a database called "records"

When using mongo shell >>

//SuperADMIN
use admin
db.createUser(
 {
   user: "superuser",
   pwd: "12345678",
   roles: [ "root" ]
 }
 )


 //ADMIN
 use records
 db.createUser
 (
   {
     user: "recordsUserAdmin",
     pwd: "password",
     roles: [ { role: "userAdmin", db: "records" } ]
   }
 )





//Any User
use records
db.createUser(
 {
    user: "recordUser",
    pwd: "12345678",
    roles: [
       { role: "read", db: "records" },
       { role: "read", db: "user" },
       { role: "read", db: "sales" },
       { role: "readWrite", db: "accounts" }
    ]
  }
 )

To learn more, visit:

Mongo tutorial create admin

Add user to mongo

Answer 5

Answer №3

What you're trying to achieve cannot be done solely at the database level.

One workaround could involve creating a separate user account with different permissions for accessing and modifying the database. However, restricting a user to only view data related to themselves is not supported by traditional database setups. To accomplish this, authentication checks would need to be implemented within the application itself. This process typically involves verifying if a user has authorization to access certain data, based on criteria such as ownership. For instance, the application might determine whether "User ABC" owns "Data XYZ" before granting them access to view it.

Answer 6

What you're trying to achieve cannot be done solely at the database level.

One workaround could involve creating a separate user account with different permissions for accessing and modifying the database. However, restricting a user to only view data related to themselves is not supported by traditional database setups. To accomplish this, authentication checks would need to be implemented within the application itself. This process typically involves verifying if a user has authorization to access certain data, based on criteria such as ownership. For instance, the application might determine whether "User ABC" owns "Data XYZ" before granting them access to view it.

How to assign distinct privileges to users and administrators in MongoDB?

Answer №1

Answer №2

Answer №3

Similar questions

Including item from ajax not within $.when function finished

The value of an AngularJS service is not being reflected in the view

Error message in Node.js: Unable to establish connection to 127.0.0.1 on port 21 due to E

angularjs | clear input field by clicking on icon inside input

I am having trouble establishing a connection between my Node.js server and the Google Cloud Platform server

MongoError: The close method cannot be called on MongoClient

What is the best way to create 7 or 8 column grids with Vuetify's v-row and v-col components?

Verifying if checkboxes are selected in PHP using JavaScript

Having trouble accessing the properties of an undefined variable (reading 'VSCODE_TEXTMATE_DEBUG')

Error: Unable to locate module: 'fs' in Next.js

The average calculation malfunctioning after adjusting the input data

Utilizing a combination of a `for` loop and `setInterval

Can one open a unique custom pop-up before the window is about to close?

Trapped in the dilemma of encountering the error message "Anticipated an assignment or function: no-unused expressions"

The configuration settings for MongoDB database names are not properly recognized by Spring Webflux

Is my Socket.io application consuming excessive bandwidth? What might be causing this issue?

Transforming NIF to OBJ within the Blender 249.2 software results in an object that is not visible

Body not being populated in POST request

Creating a series of adjacent dropdown menus with JavaScript, HTML, and CSS

What could be causing my dangerouslySetInnerHTML to show altered content?