MongoByte MongoDB Logo

Welcome to the new MongoDB Feedback Portal!

{Improvement: "Your idea"}
We’ve upgraded our system to better capture and act on your feedback.
Your feedback is meaningful and helps us build better products.

Add new feedback Subscribe
Status Completed
Categories Database
Created by Guest
Created on Jun 11, 2020

RELATED FEEDBACK

Allow views with programmatic role based access control rather than just declarative

Often Views, defined by an aggregation pipeline, are used to filter out certain fields, certain records and obfuscate parts of certain values to enable users with a specific restricted role to only see a subset of 'less sensitive' data from a collection. Views can be assigned to a role declaratively, but in some use cases it is also useful to allow the aggregation pipeline logic to be able to access the context of the current session's roles (e.g. $$ROLES) or user id (e.g. $$USER) to be able to make some programmatic decisions of what to show in the view based on current user & role (i.e. to perform programmatic role based access control). In some examples, this aggregation pipeline may even want to use $$ROLES or $$USER to then perform a $lookup on a different 'metadata' collection, to influence what it decides to return as the output of the view.
  • ADMIN RESPONSE
    Aug 1, 2025
    MongoDB 7.0 provides variable USER_ROLES that can be used in the view definition pipeline! Link to documentation ( https://www.mongodb.com/docs/upcoming/reference/aggregation-variables/#mongodb-variable-variable.USER_ROLES )
  • Attach files
  • Guest
    Jul 7, 2023
    Fantastic - thank you Katya and team!
    Reply
  • Guest
    Jul 7, 2023
    MongoDB 7.0 provides variable USER_ROLES that can be used in the view definition pipeline :tada: https://www.mongodb.com/docs/upcoming/reference/aggregation-variables/#mongodb-variable-variable.USER_ROLES
    Reply
  • Guest
    Feb 11, 2021
    I just got a customer request regarding this feature! It would be fantastic if we could get Data Masking based on User privileges without having to use views or aggregation pipeline. That would help us to address some local data privacy regulations such as LGPD (similar to GDPR but for Brazil).
    Reply
  • Guest
    Jun 11, 2020
    In theory, $listLocalSessions: {allUsers: false} can sort of be used to be able to understand current user context in an aggregation pipeline but this can only be run against a 'db' and not against a 'collection' so doesn't help here.
    Reply