MongoDB grants access to data and commands through role-based authorization and ships with built-in roles that cover the levels of access commonly needed in a database system. You can additionally create user-defined roles.
Each of MongoDB’s built-in roles defines access at the database level for all non-system collections in the role’s database and at the collection level for all system collections.
This section describes the privileges for each built-in role. You can also view the privileges for a built-in role at any time by issuing the rolesInfo command with the showPrivileges and showBuiltinRoles fields both set to true.
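The following is an added example, not code from the MongoDB manual or the server project. It builds the rolesInfo command document described above and then reads a reply in the documented shape (roles[].privileges[] with a resource document and an actions array) to answer "what does this role let me do on a given namespace?". The reply is constructed by hand and modelled on the read role; it is not server output. The namespace matching implements MongoDB's resource-document rules, which is what makes the database-level versus collection-level distinction for system collections visible in the result.

```javascript
// Added example (not from the MongoDB manual): inspect what a built-in role
// grants by issuing rolesInfo and reading its reply. Run with: node roles_info.js

// Command document to pass to db.runCommand() in mongosh or to a driver's
// command() call. showBuiltinRoles includes built-in roles in the result and
// showPrivileges makes the server return each role's privileges array.
function rolesInfoCommand(role, dbName) {
  return {
    rolesInfo: { role, db: dbName },
    showPrivileges: true,
    showBuiltinRoles: true,
  };
}

// Constructed sample, modelled on the read role: the same action set is granted
// once on the database resource (every non-system collection) and once per
// listed system collection. This is hand-written, not a captured server reply.
const READ_ACTIONS = ["collStats", "dbHash", "dbStats", "find",
                      "killCursors", "listCollections", "listIndexes"];

const SAMPLE_REPLY = {
  roles: [{
    role: "read", db: "reporting",
    roles: [], inheritedRoles: [],
    privileges: [
      { resource: { db: "reporting", collection: "" }, actions: READ_ACTIONS },
      { resource: { db: "reporting", collection: "system.js" }, actions: READ_ACTIONS },
    ],
  }],
  ok: 1,
};

// Resource-document semantics for the { db, collection } form:
//   collection ""  -> every non-system collection in db (system.* is excluded)
//   collection "x" -> exactly that collection, system or not
//   db ""          -> that collection name in every database
function resourceCovers(resource, dbName, collName) {
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") {
    return false; // cluster / anyResource forms are not namespace-scoped
  }
  if (resource.db !== "" && resource.db !== dbName) return false;
  if (resource.collection === "") return !collName.startsWith("system.");
  return resource.collection === collName;
}

// Effective actions `roleName` grants on db.coll, sorted for stable output.
// inheritedPrivileges (present for user-defined roles) is preferred because it
// already includes actions coming from inherited roles.
function actionsOn(reply, roleName, dbName, collName) {
  const role = (reply.roles ?? []).find(r => r.role === roleName);
  if (!role) return [];
  const privs = role.inheritedPrivileges ?? role.privileges ?? [];
  const actions = new Set();
  for (const p of privs) {
    if (resourceCovers(p.resource, dbName, collName)) {
      for (const a of p.actions) actions.add(a);
    }
  }
  return [...actions].sort();
}

console.log(JSON.stringify(rolesInfoCommand("read", "reporting")));
for (const ns of ["reporting.orders", "reporting.system.js",
                  "reporting.system.profile", "sales.orders"]) {
  const [db, ...rest] = ns.split(".");
  const acts = actionsOn(SAMPLE_REPLY, "read", db, rest.join("."));
  console.log(`${ns} -> ${acts.join(",") || "(none)"}`);
}
```

Note that reporting.system.profile gets no actions even though the role is defined on the reporting database: the database-level resource deliberately excludes system collections, so a system collection is readable only if the role names it at the collection level, as it does for system.js.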
Every database includes the following client roles:
Provides the ability to read data on all non-system collections and on the following system collections: system.indexes, system.js, and system.namespaces. The role provides read access by granting the following actions:
Every database includes the following database administration roles:
Provides the following actions on all non-system collections. Note that this role does not include full read access on non-system collections:
Provides the ability to create and modify roles and users for a database. A user with this role on a database can assign any role or privilege to any user for that database, including themselves.
The userAdmin role explicitly provides the following actions:
It is important to understand the security implications of granting the userAdmin role: a user with this role for a database can assign themselves any privilege on that database. Granting the userAdmin role on the admin database has further security implications, as this indirectly provides superuser access to a cluster. With admin scope, a user with the userAdmin role can grant cluster-wide roles or privileges, including readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase, and clusterAdmin.
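The warning above is easy to violate in practice because the dangerous grant is decided by the role's db field, not by the database the user authenticates against. The following added example (not code from the MongoDB manual) audits user documents in the shape returned by the usersInfo command (user, db, roles: [{ role, db }]) and flags the userAdmin escalation paths: userAdmin on admin and userAdminAnyDatabase as indirect superuser, and userAdmin on any other database as self-escalation within that database. The user documents are constructed for the example; the severity labels and the findEscalationRisks name are the example's own, not anything MongoDB defines.

```javascript
// Added example (not from the MongoDB manual): audit usersInfo output for the
// userAdmin escalation paths the manual warns about. Run with: node audit_useradmin.js

// Constructed sample in the documented usersInfo shape; not captured output.
const SAMPLE_USERS = [
  { _id: "admin.alice", user: "alice", db: "admin",
    roles: [{ role: "userAdmin", db: "admin" }] },
  { _id: "reporting.bob", user: "bob", db: "reporting",
    roles: [{ role: "readWrite", db: "reporting" }, { role: "userAdmin", db: "reporting" }] },
  { _id: "admin.carol", user: "carol", db: "admin",
    roles: [{ role: "readAnyDatabase", db: "admin" }] },
  // The user is defined in "reporting" but the role is granted on "admin":
  // the check must look at the role's db, not the user's authentication db.
  { _id: "reporting.dave", user: "dave", db: "reporting",
    roles: [{ role: "userAdmin", db: "admin" }] },
  { _id: "admin.erin", user: "erin", db: "admin",
    roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
];

// Classify one granted role. Returns null when the grant carries no
// userAdmin-style escalation path. Severity labels are this example's own.
function classifyGrant(grant) {
  if (grant.role === "userAdminAnyDatabase") {
    return { severity: "critical",
             reason: "can grant any role on any database, including cluster-wide roles on admin" };
  }
  if (grant.role !== "userAdmin") return null;
  if (grant.db === "admin") {
    return { severity: "critical",
             reason: "userAdmin on admin can self-grant cluster-wide roles (indirect superuser)" };
  }
  return { severity: "high",
           reason: `userAdmin on ${grant.db} can self-grant any privilege on that database` };
}

// Walk an array of user documents (usersInfo's `users` field) and collect
// findings, most severe first so a report leads with cluster-wide exposure.
function findEscalationRisks(users) {
  const findings = [];
  for (const u of users) {
    for (const grant of u.roles ?? []) {
      const verdict = classifyGrant(grant);
      if (verdict) {
        findings.push({ user: `${u.user}@${u.db}`, role: grant.role, roleDb: grant.db, ...verdict });
      }
    }
  }
  const rank = { critical: 0, high: 1 };
  return findings.sort((a, b) =>
    rank[a.severity] - rank[b.severity] || a.user.localeCompare(b.user));
}

// One report line per finding; returned rather than printed so it can be reused.
function report(users) {
  return findEscalationRisks(users).map(
    f => `[${f.severity}] ${f.user}: ${f.role}@${f.roleDb} - ${f.reason}`);
}

console.log(report(SAMPLE_USERS).join("\n"));
```

In a live deployment the input would be the `users` array of `db.getSiblingDB("admin").runCommand({ usersInfo: 1 })`; the point of the check is that carol (readAnyDatabase) is clean while dave, whose account lives in an ordinary database, still holds a superuser-equivalent grant.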
The admin database includes the following roles for administering the whole system rather than just a single database. These roles include, but are not limited to, replica set and sharded cluster administrative functions.
Provides the greatest cluster-management access. This role combines the privileges granted by the clusterManager, clusterMonitor, and hostManager roles. Additionally, the role provides the dropDatabase action.
Changed in version 3.4.
Provides management and monitoring actions on the cluster. A user with this role can access the config and local databases, which are used in sharding and replication, respectively.
Provides the following actions on the cluster as a whole:
listSessions (New in version 3.6)
Provides the following actions on all databases in the cluster:
On the config database, provides the following privileges:
Resource                                  Actions
All collections in the config database