The latest articles on DEV Community by Dorottya Nyárády (@dorothy2019). https://dev.to/dorothy2019 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3635200%2F20af7e70-0717-4722-8369-1f42d3955800.jpg https://dev.to/dorothy2019 en Dorottya Nyárády Sat, 29 Nov 2025 21:25:21 +0000 https://dev.to/dorothy2019/your-database-isnt-a-teenagers-bedroom-why-privileges-actually-matter-4apo https://dev.to/dorothy2019/your-database-isnt-a-teenagers-bedroom-why-privileges-actually-matter-4apo <p>Remember when you lived at your parents’ house and you thought your bedroom was your personal kingdom?</p> <p>You closed the door, maybe even put up a “<strong>Do Not Enter</strong>” sign… and still, somehow, your parents always knew exactly what you were doing.<br> Why?</p> <p>Because <strong>they had the key</strong>.<br> They could walk in anytime — to check if you cleaned the room, what snacks you were hiding, or what series you were secretly binge-watching. Privacy: <strong>Denied</strong>.</p> <p>Now here’s the twist:</p> <blockquote> <p>This is exactly what happens to your database when you don’t control privileges properly.</p> </blockquote> <p>If a user has too many permissions, it’s basically handing them a <strong>master key to the whole house</strong>.</p> <p>They can:</p> <ul> <li>Read anything</li> <li>Write anything</li> <li>Update anything</li> <li>Drop things</li> <li>Delete things</li> <li>Poke around in rooms they shouldn’t even know exist</li> </ul> <p>Just like your childhood bedroom, your database has “doors.”<br> And just like your parents, an over-privileged user can walk through any of them.</p> <p>So let’s fix that.</p> <p>🎩 Explore: The Kozen IAM Utility (a.k.a. Your New Permission Inspector)</p> <p>Ah yes, the name.<br> It sounds like three unrelated words glued together.</p> <p>But behind that name is a surprisingly powerful idea — and a very practical tool.</p> <p>🧠 What does it do?</p> <p>The <strong><a href="https://github.com/mongodb-industry-solutions/mdb-iam-util-demo" rel="noopener noreferrer">Kozen IAM Utility</a></strong> checks whether the permissions your database users actually have match the ones they should have.</p> <p>In plain English:</p> <blockquote> <p>It tells you if you gave someone too many permissions, not enough permissions, or just the right amount.</p> </blockquote> <p>You provide:</p> <ul> <li>MongoDB connection string</li> <li>List of expected privileges</li> </ul> <p>And the tool shows you:<br> ✔️ Valid permissions<br> ❌ Missing permissions<br> ⚠️ Extra permissions (the dangerous ones)</p> <p>This is incredibly important in real-world systems, where privilege mistakes often go unnoticed until something breaks — or someone deletes something they shouldn’t.</p> <p>Because if you’ve ever worked with databases in the real world, you already know:</p> <ul> <li>Some users accidentally get way too many permissions</li> <li>Some roles miss crucial permissions</li> <li>And some apps run in production with privilege mismatches no one discovers until a build breaks (or worse)</li> </ul> <p>The Kozen IAM Utility solves this by acting like a privilege inspector.</p> <p>Now let’s get our hands dirty.</p> <p>🚀 Let’s Try Out the Demo Together (Setup Included)</p> <p>If you want to experience the permission-checking magic yourself, here’s your guided tour.<br> All you need is a terminal and a MongoDB connection string.</p> <p>1.Clone the repository<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git clone https://github.com/mongodb-industry-solutions/mdb-iam-util-demo.git cd mdb-iam-util-demo </code></pre> </div> <p>2.Start everything with Docker (recommended)</p> <p>This is the easiest way:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>docker compose up --build </code></pre> </div> <p>This spins up:</p> <ul> <li>The backend on <a href="http://localhost:3001" rel="noopener noreferrer">http://localhost:3001</a> </li> <li>The frontend on <a href="http://localhost:5173" rel="noopener noreferrer">http://localhost:5173</a> </li> </ul> <p>Magic.</p> <p>3.Or run the backend manually<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cd backend-node npm install npm run dev </code></pre> </div> <p>4.Run the frontend<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cd ../frontend npm install npm run dev </code></pre> </div> <p>5.Open the UI</p> <p>Go to: <a href="http://localhost:5173" rel="noopener noreferrer">http://localhost:5173</a></p> <p>You’ll see a clean interface where you can:</p> <ul> <li>Paste your MongoDB connection string</li> <li>List the permissions your app should have</li> <li>Then click the button.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flphhui9c152wg5jxtclb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flphhui9c152wg5jxtclb.png" alt="Kozen IAM Utility Demo" width="800" height="533"></a></p> <p>Instantly, you’ll get:<br> ✔️ Permissions that match<br> ❌ Permissions your user is missing<br> ⚠️ Permissions they have but shouldn’t</p> <p>It’s genuinely satisfying — like running a diagnostic tool and watching it reveal the truth.</p> <p>🧠 Why This Tool Matters</p> <p>You don’t need a security breach to appreciate good privilege control.<br> Some of the most common real-world problems come from:</p> <ul> <li>Apps using admin users in production</li> <li>Forgotten roles with excessive privileges</li> <li>Services sharing users when they shouldn’t</li> <li>Teams unaware of what permissions an app really requires</li> </ul> <p>And just like those parents with the spare key…</p> <p>If you don’t control who can access what, someone will walk in eventually.<br> This utility gives you:</p> <ul> <li>Transparency</li> <li>Control</li> <li>Peace of mind</li> <li>Security best practices without the pain</li> </ul> <p>You can even integrate it into CI/CD pipelines to ensure no deployment goes forward with incorrect privileges.</p> <p>🔗 Want to Try It Yourself?</p> <p>Here’s the full repo with the demo:</p> <p>👉 <a href="https://github.com/mongodb-industry-solutions/mdb-iam-util-demo" rel="noopener noreferrer">https://github.com/mongodb-industry-solutions/mdb-iam-util-demo</a></p> <p>Go ahead — check who actually has the keys to your database.</p> security database tutorial kozen