Decouple "insert" privilege from implicit collection creation
MongoDB currently allows a user with the insert privilege on a database to implicitly create a new collection by inserting into it — even if the user lacks the createCollection privilege. This behavior makes it difficult to enforce strict access control policies, particularly in security-conscious or regulated environments.
In contrast, traditional SQL databases like PostgreSQL and MySQL enforce a clear separation:
- The INSERT privilege applies only to existing tables.
- A separate CREATE privilege is required to define new tables.
We request that MongoDB introduce the ability to decouple insert from implicit collection creation, such as:
- A new action like "insertExistingOnly", or
- A configurable server or role-level option to disallow implicit collection creation via insert.
This would help:
1. Enforce stricter security models.
2. Align with least-privilege principles.
3. Reduce the risk of accidental or unauthorized schema drift.
Use Case:
In a multi-tenant or production environment, we want to allow users or apps to insert into specific collections but prevent them from creating new collections, whether intentionally or accidentally.
Thank you for considering this request to improve MongoDB's privilege granularity and security controls.
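Until such an option exists, roles can be audited for the grant pattern described above. The following is an added example, not part of the original request or of MongoDB's code: it scans role documents shaped like the output of rolesInfo with showPrivileges: true and reports every role that holds insert on a whole database rather than on a named collection. The role names, database names and sample data are constructed, and treating inheritedPrivileges as the effective privilege set is an assumption.

```javascript
// Constructed sample roles (not from a real deployment).
const sampleRoles = [
  { role: "appWriter", db: "tenantA", privileges: [
    { resource: { db: "tenantA", collection: "" }, actions: ["find", "insert"] } ] },
  { role: "ordersWriter", db: "tenantA", privileges: [
    { resource: { db: "tenantA", collection: "orders" }, actions: ["insert"] } ] },
  { role: "schemaOwner", db: "tenantA", privileges: [
    { resource: { db: "tenantA", collection: "" },
      actions: ["insert", "createCollection"] } ] },
];

// A resource reaches collections that do not exist yet when its collection
// name is empty (whole database, or every database if db is empty too),
// or when it is the anyResource resource.
function isDatabaseWide(resource) {
  return resource.anyResource === true || resource.collection === "";
}

// One finding per privilege granting insert on a database-wide resource.
// createCollectionGranted separates roles meant to create collections from
// roles that can create them only as a side effect of insert.
function findDatabaseWideInsert(roles) {
  const findings = [];
  for (const r of roles) {
    // Assumption: inheritedPrivileges, when present, is the effective set.
    const privs = r.inheritedPrivileges || r.privileges || [];
    for (const p of privs) {
      if (!p.actions.includes("insert") || !isDatabaseWide(p.resource)) continue;
      findings.push({
        role: `${r.role}@${r.db}`,
        scope: p.resource.anyResource ? "anyResource"
          : (p.resource.db || "<all databases>"),
        createCollectionGranted: p.actions.includes("createCollection"),
      });
    }
  }
  return findings;
}

for (const f of findDatabaseWideInsert(sampleRoles)) {
  const kind = f.createCollectionGranted ? "explicit create" : "implicit create only";
  console.log(`${f.role} scope=${f.scope} ${kind}`);
}
```

Roles reported as "implicit create only" are candidates for re-scoping insert to named collections.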
