Resource Document

The resource document specifies the resources upon which a privilege permits actions.

Database and/or Collection Resource

To specify databases and/or collections, use the following syntax:

  { db: <database>, collection: <collection> }

Specify a Collection of a Database as Resource

If the resource document specifies both the db and collection fields as non-empty strings, the resource is the specified collection in the specified database. For example, the following document specifies a resource of the inventory collection in the products database:

  { db: "products", collection: "inventory" }

For a user-defined role scoped for a non-admin database, the resource specification for its privileges must specify the same database as the role. User-defined roles scoped for the admin database can specify other databases.

Specify a Database as Resource

If only the collection field is an empty string (""), the resource is the specified database, excluding the system collections. For example, the following resource document specifies the resource of the test database, excluding the system collections:

  { db: "test", collection: "" }

For a user-defined role scoped for a non-admin database, the resource specification for its privileges must specify the same database as the role. User-defined roles scoped for the admin database can specify other databases.

Note

When you specify a database as the resource, system collections are excluded, unless you name them explicitly, as in the following:

  { db: "test", collection: "system.js" }

System collections include but are not limited to the following:

Specify Collections Across Databases as Resource

If only the db field is an empty string (""), the resource is all collections with the specified name across all databases. For example, the following document specifies the resource of all the accounts collections across all the databases:

  { db: "", collection: "accounts" }

For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.

Specify All Non-System Collections in All Databases

If both the db and collection fields are empty strings (""), the resource is all collections, excluding the system collections, in all the databases:

  { db: "", collection: "" }

For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.

Cluster Resource

To specify the cluster as the resource, use the following syntax:

  { cluster : true }

Use the cluster resource for actions that affect the state of the system rather than act on a specific set of databases or collections. Examples of such actions are shutdown, replSetReconfig, and addShard. For example, the following document grants the action shutdown on the cluster.

  { resource: { cluster : true }, actions: [ "shutdown" ] }

For user-defined roles, only roles scoped for the admin database can have this resource specification for their privileges.

anyResource

The internal resource anyResource gives access to every resource in the system and is intended for internal use. Do not use this resource, other than in exceptional circumstances. The syntax for this resource is { anyResource: true }.
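
The matching and scoping rules above can be checked mechanically when reviewing role definitions. The following is an added example, not code from the database or its documentation: resourceMatches, scopeViolations, isSystem and the sample role are hypothetical names, and treating any collection name that starts with "system." as a system collection is an assumption.

```javascript
// Added example: models the resource-document rules described on this page.
// Assumption: a "system collection" is any collection whose name starts
// with "system." (the page's own list of system collections is not shown).
const isSystem = (coll) => coll.startsWith("system.");

// Does a privilege's resource document cover the namespace db.coll?
function resourceMatches(resource, db, coll) {
  if (resource.anyResource === true) return true;   // every resource
  if (resource.cluster === true) return false;      // cluster is not a namespace
  const dbOk = resource.db === "" || resource.db === db;
  const collOk = resource.collection === ""
    ? !isSystem(coll)                               // "" excludes system collections
    : resource.collection === coll;                 // explicit name, system.* included
  return dbOk && collOk;
}

// Scope rules: a role outside admin may only name its own database;
// cluster and db: "" resources are valid only for roles scoped to admin.
function scopeViolations(roleDb, privileges) {
  if (roleDb === "admin") return [];
  const problems = [];
  privileges.forEach((p, i) => {
    const r = p.resource;
    if (r.cluster === true) {
      problems.push(`privilege ${i}: cluster resource requires a role on admin`);
    } else if (r.db === "") {
      problems.push(`privilege ${i}: db "" requires a role on admin`);
    } else if (r.db !== undefined && r.db !== roleDb) {
      problems.push(`privilege ${i}: db "${r.db}" differs from role database "${roleDb}"`);
    }
  });
  return problems;
}

// Constructed sample: privileges proposed for a role on the "products" database.
const samplePrivileges = [
  { resource: { db: "products", collection: "inventory" }, actions: ["find"] },
  { resource: { db: "", collection: "accounts" }, actions: ["find"] },
  { resource: { cluster: true }, actions: ["shutdown"] },
];
console.log(scopeViolations("products", samplePrivileges));
console.log(resourceMatches({ db: "test", collection: "" }, "test", "system.js")); // false
```

Running scopeViolations over every user-defined role before it is created shows which privileges only make sense on a role scoped for the admin database, and resourceMatches shows whether a broad resource such as { db: "", collection: "" } reaches a given namespace.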