Role-Based Access Control
MongoDB employs Role-Based Access Control (RBAC) to govern access to a MongoDB system. A user is granted one or more roles that determine the user’s access to database resources and operations. Outside of role assignments, the user has no access to the system.
MongoDB does not enable access control by default. You can enable authorization using the
--auth or the
security.authorization setting. Enabling internal authentication also enables client authorization.
Once access control is enabled, users must authenticate themselves.
A privilege consists of a specified resource and the actions permitted on the resource.
A resource is a database, collection, set of collections, or the cluster. If the resource is the cluster, the affiliated actions affect the state of the system rather than a specific database or collection. For information on the resource documents, see Resource Document.
A role can include one or more existing roles in its definition, in which case the role inherits all the privileges of the included roles.
A role can inherit privileges from other roles in its database. A role created on the
admin database can inherit privileges from roles in any database.
You can view the privileges for a role by issuing the
rolesInfo command with the
showBuiltinRoles fields both set to
You can assign roles to users during the user creation. You can also update existing users to grant or revoke roles. For a full list of user management methods, see User Management
A user assigned a role receives all the privileges of that role. A user can have multiple roles. By assigning to the user roles in various databases, a user created in one database can have permissions to act on other databases.
The first user created in the database should be a user administrator who has the privileges to manage other users. See Enable Auth.