Resource Document
The resource document specifies the resources upon which a privilege permits actions.
Database and/or Collection Resource
To specify databases and/or collections, use the following syntax:
{ db: <database>, collection: <collection> }
Specify a Collection of a Database as Resource
If the resource document specifies both the db and collection fields as non-empty strings, the resource is the specified collection in the specified database. For example, the following document specifies a resource of the inventory collection in the products database:
{ db: "products", collection: "inventory" }
For a user-defined role scoped for a non-admin database, the resource specification for its privileges must specify the same database as the role. User-defined roles scoped for the admin database can specify other databases.
Specify a Database as Resource
If only the collection field is an empty string (""), the resource is the specified database, excluding the system collections. For example, the following resource document specifies the resource of the test database, excluding the system collections:
{ db: "test", collection: "" }
For a user-defined role scoped for a non-admin database, the resource specification for its privileges must specify the same database as the role. User-defined roles scoped for the admin database can specify other databases.
Note
When you specify a database as the resource, system collections are excluded, unless you name them explicitly, as in the following:
{ db: "test", collection: "system.js" }
System collections include but are not limited to the following:
system.users: collection in the admin database
system.roles: collection in the admin database
Specify Collections Across Databases as Resource
If only the db field is an empty string (""), the resource is all collections with the specified name across all databases. For example, the following document specifies the resource of all the accounts collections across all the databases:
{ db: "", collection: "accounts" }
For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.
Specify All Non-System Collections in All Databases
If both the db and collection fields are empty strings (""), the resource is all collections, excluding the system collections, in all the databases:
{ db: "", collection: "" }
For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.
Cluster Resource
To specify the cluster as the resource, use the following syntax:
{ cluster : true }
Use the cluster resource for actions that affect the state of the system rather than act on a specific set of databases or collections. Examples of such actions are shutdown, replSetReconfig, and addShard. For example, the following document grants the action shutdown on the cluster.
{ resource: { cluster : true }, actions: [ "shutdown" ] }
For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.
anyResource
The internal resource anyResource gives access to every resource in the system and is intended for internal use. Do not use this resource, other than in exceptional circumstances. The syntax for this resource is { anyResource: true }.
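The following added example (not part of the original documentation) classifies each privilege's resource document into the scopes described on this page and reports privileges that break the role-database scoping rules, use anyResource, or name a system collection explicitly. The names classifyResource, auditRole and sampleRole are hypothetical, and the sample role is constructed.

```javascript
// Added example; function names are hypothetical, sample data is constructed.
// Map a resource document to the scope this page describes.
function classifyResource(res) {
  if (!res || typeof res !== 'object') return 'invalid';
  if (res.anyResource === true) return 'anyResource';
  if (res.cluster === true) return 'cluster';
  if (typeof res.db !== 'string' || typeof res.collection !== 'string') return 'invalid';
  if (res.db !== '' && res.collection !== '') return 'collection';
  if (res.db !== '') return 'database';                          // collection is ""
  if (res.collection !== '') return 'collectionAcrossDatabases'; // db is ""
  return 'allNonSystemCollections';                              // both are ""
}

// Findings for the privileges of a user-defined role scoped for roleDb.
function auditRole(roleDb, privileges) {
  const findings = [];
  privileges.forEach((p, i) => {
    const scope = classifyResource(p.resource);
    const where = `privilege[${i}]`;
    if (scope === 'invalid') {
      findings.push(`${where}: malformed resource document`);
    } else if (scope === 'anyResource') {
      findings.push(`${where}: anyResource is intended for internal use`);
    } else if (roleDb !== 'admin') {
      // Roles outside admin may only name their own database.
      if (scope !== 'collection' && scope !== 'database') {
        findings.push(`${where}: ${scope} resource needs a role scoped for admin`);
      } else if (p.resource.db !== roleDb) {
        findings.push(`${where}: db "${p.resource.db}" is not role database "${roleDb}"`);
      }
    }
    // Assumption: collection names starting with "system." are system collections.
    if (scope === 'collection' && p.resource.collection.startsWith('system.')) {
      findings.push(`${where}: explicitly names system collection ${p.resource.collection}`);
    }
  });
  return findings;
}

// Constructed privileges reusing the resource documents shown on this page.
const sampleRole = [
  { resource: { db: 'products', collection: 'inventory' }, actions: ['find'] },
  { resource: { db: 'test', collection: 'system.js' }, actions: ['find'] },
  { resource: { db: '', collection: 'accounts' }, actions: ['find'] },
  { resource: { cluster: true }, actions: ['shutdown'] },
];
console.log(auditRole('products', sampleRole)); // role scoped for products
console.log(auditRole('admin', sampleRole));    // same privileges, role scoped for admin
```

Run it over role definitions exported for review before they are created; a finding for a role scoped for admin means the privilege is permitted but broad enough to deserve a second look.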