Restrict specific users or client IPs to only Analytics node(s)
There are use-cases where certain users or client IPs need to be given access restricted to only the Analytics node(s) . While it is possible to grant such users read-only permissions at the database/collection level, and have them use the ANALYTICS replica set tag in their connection string URI, it might still be possible for those users to connect to a Primary or a Secondary node (when not using the Analytics replica set tag) and run their query there.
Therefore, a feature that will either restrict specific users access to only the Analytics node(s) or a functionality that will restrict access from certain client IPs to only the Analytics node(s), will help in such use-cases.
I also think it is imperative to restrict access at the network level to a read-only replica! So that certain users from certain addresses do not have access to the entire cluster, but only to a read-only replica.
Great idea: it's unfortunately more complex to implement than it sounds, requiring some core changes to the authorization model on the database engine. I will share with the right people though.