I started to evaluate MongoDB for a product catalogue.
Regarding user management and access control: when to use MongoDB's built-in user management, and when to build one on the application layer?
Let us say I have a product catalogue organised as a tree. I want to define access rights on the nodes of the tree.
Access rights could then be inherited from the parent product group to all its products and articles.
2
MongoDB itself can only define access privileges per collection, not per document. You likely want all the nodes in the same collection so you can query them properly (MongoDB can’t query more than one collection in the same command). That means enforcing the access privilege on the database won’t be sufficient. You will have to implement access control on the application server.
For further reading about permissions in MongoDB I recommend the MongoDB User and Role Management Tutorial as well as the $redact aggregation stage which is primarily designed to filter documents based on application-defined permissions.
2
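An added example (not part of the answer above) of the application-layer check it describes: access rights are resolved by walking up the tree to the nearest node with an explicit list, and anything unresolved is denied. The field names `parent` and `readers`, the role names and the sample nodes are assumptions made for this sketch.

```javascript
// Constructed sample catalogue: all nodes share one collection and point at
// their parent. `readers` is a hypothetical field; absent means "inherit".
const nodes = [
  { _id: "root", parent: null, readers: ["staff"] },
  { _id: "tools", parent: "root" },                          // inherits "staff"
  { _id: "prototypes", parent: "root", readers: ["r-and-d"] }, // overrides parent
  { _id: "drill-x1", parent: "tools" },
  { _id: "laser-p0", parent: "prototypes" },
  { _id: "orphan", parent: "missing" },                      // broken parent chain
];

const byId = new Map(nodes.map((n) => [n._id, n]));

// Walk up the tree until a node carries an explicit `readers` list.
// Returns [] (deny) for an unknown id, a broken chain, a cycle, or no ACL.
function effectiveReaders(index, id) {
  const seen = new Set();
  let node = index.get(id);
  while (node && !seen.has(node._id)) {
    if (Array.isArray(node.readers)) return node.readers;
    seen.add(node._id);
    node = node.parent === null ? undefined : index.get(node.parent);
  }
  return [];
}

// A user may read a node if any of their roles is in the effective list.
function canRead(index, userRoles, id) {
  const readers = effectiveReaders(index, id);
  return userRoles.some((role) => readers.includes(role));
}

// Filter a query result on the application server before returning it.
function visibleIds(index, userRoles, docs) {
  return docs.filter((d) => canRead(index, userRoles, d._id)).map((d) => d._id);
}

console.log(visibleIds(byId, ["staff"], nodes));
console.log(visibleIds(byId, ["r-and-d"], nodes));
```

The database user the application connects with still needs collection-level privileges; this check decides which documents a given end user gets back.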