In MySQL I can grant permissions to update specific fields:
GRANT SELECT, UPDATE (col_Eagle) ON db_ANIMAL.tb_BIRD to 'JOHNNY'@'localhost';
As at MongoDB 3.4, the granularity of the built-in access control only goes as far as Collection-Level Access Control.
For example, you could create a user-defined role limiting privileges for a collection:
privileges: [
{ resource: { db: "db_ANIMAL", collection: "tb_BIRD" }, actions: [ "find", "update" ] }
]
For limiting read-only access to a subset of collection data, you could consider using the new Views functionality in MongoDB 3.4 or implementing Field Level Redaction using the $redact aggregation stage (MongoDB 2.6+).
If you need more granular access control for field-level updates you will currently have to implement this in your API or application code.
There are a few relevant feature requests you may want to watch/upvote in the MongoDB issue tracker:
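
Added example (not part of the answer above and not MongoDB's own code): one way to enforce field-level update restrictions in application code, by checking the update document against a per-role allowlist before it reaches the driver. The role name `johnny` and the `ALLOWED_UPDATE_FIELDS` table are assumptions; the database, collection and field names come from the question.

```javascript
// Added example: application-layer allowlist for field-level updates.
// The role name and ALLOWED_UPDATE_FIELDS are hypothetical; db, collection
// and field names are taken from the question.
const ALLOWED_UPDATE_FIELDS = {
  johnny: { "db_ANIMAL.tb_BIRD": new Set(["col_Eagle"]) },
};

// Returns the top-level field that a (possibly dotted) update path touches.
function topLevelField(path) {
  return String(path).split(".")[0];
}

// Throws unless every field touched by updateDoc is allowed for this role.
function authorizeUpdate(role, namespace, updateDoc) {
  const allowed = (ALLOWED_UPDATE_FIELDS[role] || {})[namespace];
  if (!allowed) throw new Error(`role ${role} may not update ${namespace}`);
  // Array-form (aggregation pipeline) updates on newer servers are refused outright.
  if (Array.isArray(updateDoc)) throw new Error("pipeline updates are not permitted");
  if (updateDoc === null || typeof updateDoc !== "object") {
    throw new Error("update must be an object");
  }
  const operators = Object.keys(updateDoc);
  // A document without $operators replaces the whole record, bypassing the allowlist.
  if (operators.length === 0 || operators.some((op) => !op.startsWith("$"))) {
    throw new Error("replacement-style updates are not permitted");
  }
  for (const op of operators) {
    const spec = updateDoc[op];
    if (spec === null || typeof spec !== "object") throw new Error(`malformed ${op}`);
    for (const [path, value] of Object.entries(spec)) {
      // $rename writes to its target as well as removing its source.
      const touched = op === "$rename" ? [path, value] : [path];
      for (const p of touched) {
        if (!allowed.has(topLevelField(p))) {
          throw new Error(`field ${topLevelField(p)} is not updatable by ${role}`);
        }
      }
    }
  }
  return updateDoc; // safe to hand to collection.updateOne(filter, updateDoc)
}
```

The database user behind the API still needs the collection-level `update` action; the check above only narrows what the application will send on a caller's behalf.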