Mongodb restriction on update to only allow “$push” operator

Question

Mongodb V 4.0

I want to restrict a user's role by only allowing new inserts to the collection. Either as a new document, or as an append to the document. I don't want the user to be able to update(overwrite) fields in the document, but update/(append/add) is fine. Is there any good strategies out there for this. My two options now are:

Create two collections. Restrict one and allow full updates in the other, once all updates are complete copy/move the document from one collection over to the other.

Alternative 2) limit roles to update.$push operator only, which is a type of append to array operator. I have not found a way to do that as of now.

Answer 1

MongoDB's server roles & permissions (as at MongoDB 4.0) don't provide the level of granularity you are after. However, I think this level of control is much better handled in your application logic.

For example, even if it were possible to limit write access to the $push operator, there are additional options such as $slice that could cause existing array elements to be removed.

Is there any good strategies out there for this.

Instead of providing direct access to MongoDB, I recommend providing an API for inserts and updates. You can implement any required validation & filtering in your API endpoints.

You may also want to consider implementing a versioning approach to track the history of modifications to individual documents so you can audit or rollback changes if required. There is a great series of posts on the Ask Asya blog with common examples and considerations:

• How to Track Versions with MongoDB
• Further Thoughts on How to Track Versions with MongoDB
• Best Versions with MongoDB