Watch keynotes and sessions from MongoDB.live, our virtual developer conference.

Creating group/application/user permissions around MongoDB documents

I’m trying to find a good way to manage permissions for a high number of mongo documents.

There may be any number of groups/users/applications that would have different permissions (view,edit,etc) and I won’t/don’t know the number upfront… and they can change.

What I don’t want to do: Update a ton of doc’s every time a new group/app/user etc is modified/deleted/added.

I was thinking the extended-reference-pattern may work… not really sure.
I’m not sure what design pattern should be used.

What I want to do: Apply group/user/and or application permissions to a large set of mongo documents.

Idea 1: Use mysql to control the relationship (con’s duplication of data, 2 diff systems)

Idea 2: Add metadata to each document (con’s: would have to update a ton of doc)

Idea 3: Create another collection to manage the relationship (leaning toward this)

I keep going in circles… posting here out of desperation. If anyone has a design pattern or any ideas I’d really appreciate it.

I’m dealing with high number of mongo docs (1 million+) and am trying to avoid the situation where I need to update a high number of doc’s every time a new group/application/permission is added for a doc or subset of doc’s.

I’d really appreciate if anyone could point me into the right direction.

One thing I was thinking… maybe use the attribute pattern along with the extended-reference-pattern.

// image doc
{
   _id : ObjectId(...)
    filename: "some image.png",
    owner: ....
    …
    groups: [
        {
        group id: "foo"
        },
        {
         group id: "bar"
        },
        … 
    ],
    … 
}
// group foo
{
    _id : ObjectId(...)
    name: "foo"
    …
    read : true
    write : false
   
    … 
}

The only drawback I can see with this approach is if I wanted specific permissions for a specific document… but am thinking maybe this is the way to go.