services / Azure / Cosmos DB MongoDB role definition

A MongoDB Role Definition is a data-plane RBAC role for the Cosmos DB for MongoDB API, specifying the set of database privileges (actions/resources) that can be granted to user definitions.

Defines the data-plane access-control model for a single database account's data store.


Microsoft.​DocumentDB/​databaseAccounts/​mongodbRoleDefinitions/​write

Creating or updating a MongoDB role definition lets an attacker craft or broaden a role's privileges (e.g. readWriteAnyDatabase), escalating the access of any user bound to that role within the database account.

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​azure.​permissions.​cloud/​iam/​Microsoft.​DocumentDB
  • https:​/​/​learn.​microsoft.​com/​en-​us/​azure/​role-​based-​access-​control/​resource-​provider-​operations
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog