Mongo functionality - authorization settings specific to indiv. docs?

Hi there,

Totally new to Mongo - I’m in search of a database management system with some specific functionalities. I was working through the introductory course and noticed that they specify that Mongo doesn’t support authorization settings specific to individual documents - what exactly does this mean?

I’m hoping to eventually create a functionality where one set of users (a ‘student’ role) input data to MongoDB via HTML forms, and can then view only the forms that they’ve created. Another set of users (a ‘staff’ role) would be able to view the forms of their students and create new forms, but not view the forms of others’ students or their colleagues.

However, I think this may involve document-specific authorization settings. Will such a system be possible under Mongo, or should I look elsewhere? - Thanks!

Hi @Miranda_35055,

Correct! Only at collection level. This feature is still in the pipeline and has been for a considerably long time.

Considering you’re just starting out in MongoDB, some of the things I’ll mention may sound alien to you but here goes.

There’s some level of Fine-Grained Access Control that can be implemented in MongoDB using the following:

  1. existence of relevant fields per document (and sub-doc) to define access levels
  2. user-defined roles
  3. aggregation pipeline and $redact stage
  4. views

The only caveat here is that if a user runs an Explain/Execution Plan on the view/aggregation pipeline that implements $redact, they will be able to see the query/pipeline definition of the $redact. But then again, at the application layer, the connection string is obfuscated from the user so a typical user will not go down that level of hacking schema/query/view definitions. However, this may be a problem if you’re under very strict regulations.

If you’re still keen to understand all of this, you’ll need to take both the Developer and DBA learning paths paying more attention to the following courses:

  • MongoDB Basics (which I’m guessing you’re currently taking) - Developer and DBA
  • Basic Cluster Administration - Developer and DBA
  • The Aggregation Framework - Developer
  • MongoDB Security - DBA
  • Data Modelling - Developer

Lastly, if you require field level security, there’s a new feature in 4.2 where client-side field level encryption can be implemented.

PS: One of the MongoDB staff may provide some additional information re this
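
The student/staff scenario from the question, enforced with the per-document access fields and `$redact` stage listed in the answer, as an added example that is not part of the original thread. The field names (`studentId`, `staffId`, `visibleTo`), the `user` object, and the helper names are assumptions, and the sample documents are constructed.

```javascript
"use strict";
// Added example: studentId, staffId, visibleTo and the user object shape are assumptions.

// Ownership filter derived only from the authenticated session, never from client input.
function accessFilter(user) {
  if (user.role === "student") return { studentId: user.id };
  if (user.role === "staff") return { staffId: user.id };
  throw new Error("unknown role: access denied"); // deny by default
}

// Prunes any (sub)document whose visibleTo list lacks the caller's role.
// A missing visibleTo field is treated as an empty list, so it fails closed.
function redactStage(user) {
  return { $redact: { $cond: {
    if: { $in: [user.role, { $ifNull: ["$visibleTo", []] }] },
    then: "$$DESCEND",
    else: "$$PRUNE",
  } } };
}

// The access $match goes first, so a later filter can only narrow the result set.
// clientFilter is assumed to be built server-side from validated parameters.
function scopedPipeline(user, clientFilter = {}) {
  return [{ $match: accessFilter(user) }, { $match: clientFilter }, redactStage(user)];
}

// Minimal equality matcher standing in for the server's $match, to show the effect offline.
function visibleForms(user, docs) {
  const filter = accessFilter(user);
  return docs.filter((d) => Object.entries(filter).every(([k, v]) => d[k] === v));
}

// Constructed sample documents.
const forms = [
  { _id: 1, studentId: "s1", staffId: "t1", visibleTo: ["student", "staff"] },
  { _id: 2, studentId: "s2", staffId: "t1", visibleTo: ["student", "staff"] },
  { _id: 3, studentId: "s3", staffId: "t2", visibleTo: ["student", "staff"] },
];

console.log(visibleForms({ id: "s1", role: "student" }, forms).map((d) => d._id));
console.log(visibleForms({ id: "t1", role: "staff" }, forms).map((d) => d._id));
console.log(JSON.stringify(scopedPipeline({ id: "t1", role: "staff" }, { term: "2020" })));
```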