In MySQL I can grant permissions to update specific fields:
GRANT SELECT, UPDATE (col_Eagle) ON db_ANIMAL.tb_BIRD to 'JOHNNY'@'localhost';
MongoDB only has "read" or "readWrite" roles:
db.createUser(
  {
    user: "JOHNNY",
    pwd: "pass",
    roles: [
      {
        role: "read", // or readWrite??
        db: "db_ANIMAL"
      }
    ]
  }
)
How can I limit update permissions to specific fields in MongoDB 3.4?
As at MongoDB 3.4, the granularity of the built-in access control only goes as far as Collection-Level Access Control.
For example, you could create a user-defined role limiting privileges for a collection:
privileges: [
  { resource: { db: "db_ANIMAL", collection: "tb_BIRD" }, actions: [ "find", "update" ] }
]
For limiting read-only access to a subset of collection data, you could consider using the new Views functionality in MongoDB 3.4 or implementing Field Level Redaction using the $redact aggregation stage (MongoDB 2.6+).
If you need more granular access control for field-level updates you will currently have to implement this in your API or application code.
There are a few relevant feature requests you may want to watch/upvote in the MongoDB issue tracker:
I just created a post in MongoDB's forums on this subject and a MongoDB employee pointed me towards the solution.
To implement field-level permission for end users (users interacting with an app that accesses the database directly), this can now be done using MongoDB Realm, as explained in the documentation.
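The first answer's point that field-level update restrictions have to be enforced in API or application code, sketched as an added example that is not part of either answer: a JavaScript check that an update document only touches allow-listed fields before it is handed to the driver. The function names and the choice of permitted operators are assumptions; `col_Eagle` is the field from the question.

```javascript
// Added example: application-side allow-list for MongoDB update documents.
// The permitted operator set is an assumption; extend it deliberately.
const ALLOWED_OPERATORS = new Set(["$set", "$unset", "$inc"]);

// Root field of a dotted path: "col_Eagle.wingspan" -> "col_Eagle".
function rootField(path) {
  return path.split(".")[0];
}

// Returns a list of violations; an empty list means the update may be sent.
function updateViolations(update, allowedFields) {
  const allowed = new Set(allowedFields);
  const problems = [];
  // An array would be a pipeline-style update on newer servers; deny it.
  if (update === null || typeof update !== "object" || Array.isArray(update)) {
    return ["update must be a plain operator document"];
  }
  const operators = Object.keys(update);
  if (operators.length === 0) problems.push("empty update");
  for (const op of operators) {
    // A key without "$" means a full-document replacement, which would
    // overwrite every field; operators such as $rename are denied as well.
    if (!ALLOWED_OPERATORS.has(op)) {
      problems.push(`operator or key not permitted: ${op}`);
      continue;
    }
    const targets = update[op];
    if (targets === null || typeof targets !== "object" || Array.isArray(targets)) {
      problems.push(`${op} must map field paths to values`);
      continue;
    }
    for (const path of Object.keys(targets)) {
      if (!allowed.has(rootField(path))) {
        problems.push(`field not permitted: ${path}`);
      }
    }
  }
  return problems;
}

// Throws instead of forwarding a disallowed update to the driver.
function assertUpdateAllowed(update, allowedFields) {
  const problems = updateViolations(update, allowedFields);
  if (problems.length > 0) throw new Error(problems.join("; "));
  return update;
}
```

The database account used by the application still needs the collection-level `update` privilege, so this check only holds if clients cannot reach the database except through the code that calls it.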