If you’re working with Azure Cosmos DB for MongoDB vCore, you might notice that certain admin commands, like createRole, aren’t available. This is because those commands are managed directly by the service itself, and when you try to use them, you’ll see errors. This isn’t a mistake; it’s designed this way to simplify management. The vCore model streamlines administration by hiding some commands as part of its managed platform-as-a-service setup.
You can read more about this in the official documentation here: https://learn.microsoft.com/en-us/azure/cosmos-db/mongodb/vcore/compatibility-and-feature-support.
For users connecting to the database as secondaries in the native (DocumentDB) mode, there are some clear limitations. Microsoft specifies that:
– Secondary accounts can only be created using the built-in admin account, through the createUser command.
– The roles available are limited to fixed options such as cluster-level read, write, or read-only permissions (like clusterAdmin, readWriteAnyDatabase, readAnyDatabase).
– Assigning roles to specific databases or collections isn’t supported; only cluster-level roles are available.
In other words, in addition to createRole being unsupported, the vCore setup does not allow secondary users to be assigned roles scoped to individual databases or collections.
You can create secondary users with the createUser command from the admin account, and assign them broad roles like:
– readAnyDatabase, which grants read-only access across all databases.
– readWriteAnyDatabase, for full read/write access across all databases.
However, this setup only grants access at the cluster level and doesn’t support more granular, per-database permissions.
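As an added example (not code from the original post or from Microsoft), the helper below builds the admin-side createUser command for a secondary account and fails fast on anything the vCore service does not support: a role outside the cluster-level set named above, or a role scoped to a specific database. It assumes the standard MongoDB convention that these cluster roles are bound to the admin database, and the user/password values are constructed placeholders.

```javascript
// Added example, not part of the original post. Builds a createUser command for a
// Cosmos DB for MongoDB vCore secondary account and rejects role assignments that
// the service does not support (per-database scoping, custom roles).

// Cluster-level roles the post lists as the only options on vCore.
const CLUSTER_ROLES = new Set(["readAnyDatabase", "readWriteAnyDatabase", "clusterAdmin"]);

function buildCreateUserCommand(user, pwd, roles) {
  if (typeof user !== "string" || user.length === 0) {
    throw new Error("user name is required");
  }
  if (!Array.isArray(roles) || roles.length === 0) {
    throw new Error("at least one cluster-level role is required");
  }
  const normalized = roles.map((r) => {
    // Accept both the shorthand string form and the { role, db } object form.
    const name = typeof r === "string" ? r : r.role;
    // Assumption: cluster roles are defined on the admin database (MongoDB convention).
    const db = typeof r === "string" ? "admin" : (r.db ?? "admin");
    if (!CLUSTER_ROLES.has(name)) {
      throw new Error(`role "${name}" is not a supported cluster-level role on vCore`);
    }
    if (db !== "admin") {
      // The post states per-database/collection role assignment is not supported.
      throw new Error(`role "${name}" cannot be scoped to database "${db}"; only cluster-level roles are available`);
    }
    return { role: name, db: "admin" };
  });
  return { createUser: user, pwd, roles: normalized };
}

// Usage with the built-in admin account in mongosh (password from the environment,
// never hard-coded); "reporting" is a constructed placeholder user name:
//   use admin
//   db.runCommand(buildCreateUserCommand("reporting", process.env.REPORTING_PWD, ["readAnyDatabase"]))
```

Because every role resolves to a cluster-wide grant, the helper makes the limitation explicit at provisioning time instead of surfacing it later as a service error.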
To improve control, you can create custom Azure roles for your clusters and assign these to specific users or applications. These roles can help you manage who can connect or operate on each cluster, although they still don’t allow you to set permissions on individual databases or collections within a cluster. You can learn more about this here: https://learn.microsoft.com/en-us/azure/cosmos-db/mongodb/vcore/role-based-access-control.
If you need to restrict a user so that they can only write to database A, but not database B, the current best practice is to place each database in its own cluster. Then, you can assign the user only to the cluster that contains database A, giving them the appropriate permissions there, but no access to database B in its cluster.