Hiding Fields in MongoDB: Views + Custom Roles

A while ago we wrote about how custom roles can help you grant specific permissions when they are needed. This time we want to discuss how a custom role, combined with a MongoDB view, can hide sensitive information from the client.

Hiding Fields in MongoDB

Suppose you have a collection that needs to be shared with a different team, but this team should not be able to see some fields – in our case, to make it easy: the salary field.

Views in MongoDB can hide sensitive information and change how the data is presented as needed; this was discussed here. For this example, we will use the collection employee with some data, with a user that has permission. Let's insert some objects in the percona database:

Then let’s create a view for this collection:

If we type show dbs; we will be able to see both collections, so a read-only user is still able to read the employees collection.

To secure the employees collection, we create a custom role that only has permission to see the employees_names collection and nothing else. That way, the salary field never exists as far as the user is concerned:

Then we will create a user that only has permission to read data from the view (the user belongs to the role "view_views"):

Now the user can only see the collection employees_name in the percona database and nothing else.

Running the query as the user intern:

There are several ways to do this. For instance, an application could do the same filtering, but the purpose of this blog is to demonstrate how a combination of two technologies can help in hiding fields in MongoDB.
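The steps above as one script, together with a check that the role really cannot read the base collection. This is an added example, not the post's original code: it uses the post's names (with the view spelled employees_name), while the projected `name` field and the helper function names are assumptions.

```javascript
// Added example. The functions run in mongosh (after load()) and the audit also runs in Node.
// Names follow the post: percona, employees, employees_name, view_views, intern.
// Assumption: employee documents carry a "name" field next to "salary".
const DB = "percona", BASE = "employees", VIEW = "employees_name";

// Allow-list projection: any field not named here (salary included) never reaches the view.
const viewPipeline = [{ $project: { _id: 1, name: 1 } }];

// Role whose only privilege is find on the view namespace; it inherits no other role.
const roleDoc = {
  role: "view_views",
  privileges: [{ resource: { db: DB, collection: VIEW }, actions: ["find"] }],
  roles: []
};

// Create the view, the role and the user. `conn` is the mongosh `db` object of an administrator.
function setup(conn, password) {
  const target = conn.getSiblingDB(DB);
  target.createView(VIEW, BASE, viewPipeline);
  target.createRole(roleDoc);
  target.createUser({ user: "intern", pwd: password, roles: [{ role: roleDoc.role, db: DB }] });
}

// True when a privilege resource document covers the namespace dbName.coll.
// An empty string in a resource document is MongoDB's wildcard for that part.
function covers(resource, dbName, coll) {
  if (resource.anyResource) return true;
  // Resources without db/collection (for example {cluster: true}) do not name a namespace.
  if (resource.db === undefined || resource.collection === undefined) return false;
  const dbOk = resource.db === "" || resource.db === dbName;
  const collOk = resource.collection === "" || resource.collection === coll;
  return dbOk && collOk;
}

// Audit the document returned by db.getRole(name, { showPrivileges: true }):
// list every direct or inherited privilege that lets the role read the base collection.
function readableBasePrivileges(roleInfo, dbName, coll) {
  const all = [...(roleInfo.privileges || []), ...(roleInfo.inheritedPrivileges || [])];
  return all.filter(p => p.actions.includes("find") && covers(p.resource, dbName, coll));
}
```

In mongosh, `readableBasePrivileges(db.getSiblingDB("percona").getRole("view_views", { showPrivileges: true }), "percona", "employees")` should return an empty array; any entry it returns is a privilege that still exposes salary through the base collection.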

I hope you liked the blog. Feel free to reach out to me on @AdamoTonete or @percona with questions.
