Privilege Actions

New in version 2.6.

Privilege actions define the operations a user can perform on a resource. A MongoDB privilege comprises a resource and the permitted actions. This page lists available actions grouped by common purpose.

MongoDB provides built-in roles with pre-defined pairings of resources and permitted actions. For lists of the actions granted, see Built-In Roles. To define custom roles, see Create a User-Defined Role.

Query and Write Actions

find

User can perform the following commands, and their equivalent helper methods:

Required for the query portion of the mapReduce command and db.collection.mapReduce() helper method when outputting to a collection.

Required for the query portion of the findAndModify command and db.collection.findAndModify() helper method.

Required on the source collection for the cloneCollectionAsCapped and renameCollection commands and the db.collection.renameCollection() helper method.

Apply this action to database or collection resources.

insert

User can perform the following commands and their equivalent methods:

Required for the output portion of the mapReduce command and db.collection.mapReduce() helper method when outputting to a collection.

Required for the aggregate command and db.collection.aggregate() helper method when using the $out pipeline operator.

Required for the update and findAndModify commands and equivalent helper methods when used with the upsert option.

Required on the destination collection for the following commands and their helper methods:

Apply this action to database or collection resources.

remove

User can perform the delete command and equivalent helper method.

Required for the write portion of the findAndModify command and db.collection.findAndModify() method.

Required for the mapReduce command and db.collection.mapReduce() helper method when you specify the replace action when outputting to a collection.

Required for the aggregate command and db.collection.aggregate() helper method when using the $out pipeline operator.

Apply this action to database or collection resources.

update

User can perform the update command and equivalent helper methods.

Required for the mapReduce command and db.collection.mapReduce() helper method when outputting to a collection without specifying the replace action.

Required for the findAndModify command and db.collection.findAndModify() helper method.

Apply this action to database or collection resources.
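The rules above for find, insert, remove and update can be turned into a least-privilege check. The following is an added example, not MongoDB's own code: it derives the actions each collection needs from the operations an application runs and builds a role document in the shape accepted by db.createRole(). The operation descriptor format, the "shop" database and the role name are constructed for illustration; the find requirement for reading an aggregate source is known MongoDB behaviour, not something stated in the text above.

```javascript
// Added example (not MongoDB's code): map operations to the actions this page says they require.
// The operation descriptors ({command, collection, out, ...}) are a constructed format.
function requiredActions(op) {
  const need = [];
  const add = (coll, ...acts) => acts.forEach((a) => need.push({ collection: coll, action: a }));
  switch (op.command) {
    case "findAndModify":
      add(op.collection, "find"); // query portion
      // Assumption: the write portion is remove for {remove: true}, otherwise update.
      add(op.collection, op.remove ? "remove" : "update");
      if (op.upsert) add(op.collection, "insert"); // upsert option
      break;
    case "update":
      add(op.collection, "update");
      if (op.upsert) add(op.collection, "insert");
      break;
    case "mapReduce":
      add(op.collection, "find"); // query portion
      // Output portion: insert, plus remove for the replace action, update otherwise.
      if (op.out) add(op.out, "insert", op.outAction === "replace" ? "remove" : "update");
      break;
    case "aggregate":
      add(op.collection, "find"); // reading the source (not stated on this page)
      if (op.out) add(op.out, "insert", "remove"); // $out pipeline operator
      break;
    default: throw new Error("operation not modelled: " + op.command);
  }
  return need;
}

function buildRole(role, db, ops) {
  const byCollection = new Map(); // collection name -> Set of actions
  for (const { collection, action } of ops.flatMap(requiredActions)) {
    if (!byCollection.has(collection)) byCollection.set(collection, new Set());
    byCollection.get(collection).add(action);
  }
  const privileges = [...byCollection].map(([collection, actions]) => ({
    resource: { db, collection },
    actions: [...actions].sort(),
  }));
  return { role, privileges, roles: [] };
}

// Constructed sample workload for a hypothetical "shop" database.
const ordersRole = buildRole("ordersWorker", "shop", [
  { command: "findAndModify", collection: "orders", upsert: true },
  { command: "mapReduce", collection: "orders", out: "orderTotals", outAction: "replace" },
]);
console.log(JSON.stringify(ordersRole, null, 2));
```

Comparing the generated privileges with what a role currently grants shows which actions can be dropped, for example remove on the source collection in the sample workload.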

bypassDocumentValidation

New in version 3.2.

Users can bypass document validation on commands and methods that support the bypassDocumentValidation option:

Command                                        Method
aggregate                                      db.collection.aggregate()
applyOps
cloneCollection on the destination collection
clone on the destination
copydb on the destination
findAndModify                                  db.collection.findAndModify()
insert
mapReduce                                      db.collection.mapReduce()
update

Apply this action to database or collection resources.

useUUID

New in version 3.6.

User can execute the following commands using a UUID as if it were a namespace:

For example, this privilege authorizes a user to run the following command, which executes a find command on the collection with the given UUID. To succeed, the operation also requires that the user be authorized to execute the find command on the collection namespace corresponding to that UUID.

db.runCommand({find: UUID("123e4567-e89b-12d3-a456-426655440000")})

For more information on collection UUIDs, see Collections.

Apply this action to the cluster resource.

Database Management Actions

changeCustomData

User can change the custom information of any user in the given database. Apply this action to database resources.

changeOwnCustomData

Users can change their own custom information. Apply this action to database resources. See also Change Your Password and Custom Data.

changeOwnPassword

Users can change their own passwords. Apply this action to database resources. See also Change Your Password and Custom Data.

changePassword

User can change the password of any user in the given database. Apply this action to database resources.

createCollection

User can perform the db.createCollection() method. Apply this action to database or collection resources.

createIndex

Provides access to the db.collection.createIndex() method and the createIndexes command. Apply this action to database or collection resources.

createRole

User can create new roles in the given database. Apply this action to database resources.

createUser

User can create new users in the given database. Apply this action to database resources.

dropCollection

User can perform the db.collection.drop() method. Apply this action to database or collection resources.

dropRole

User can delete any role from the given database. Apply this action to database resources.

dropUser

User can remove any user from the given database. Apply this action to database resources.

enableProfiler

User can perform the db.setProfilingLevel() method. Apply this action to database resources.

grantRole

User can grant any role in the database to any user from any database in the system. Apply this action to database resources.

killCursors