Built-In Roles

MongoDB grants access to data and commands through role-based authorization. It ships with built-in roles that cover the levels of access commonly needed in a database system, and you can additionally create user-defined roles.

A role grants privileges to perform sets of actions on defined resources. A role is defined on a particular database, applies to that database, and can grant access down to the granularity of an individual collection.

Each of MongoDB’s built-in roles defines access at the database level for all non-system collections in the role’s database and at the collection level for all system collections.

MongoDB provides the built-in database user and database administration roles on every database. MongoDB provides all other built-in roles only on the admin database.

This section describes the privileges for each built-in role. You can also view the privileges for a built-in role at any time by issuing the rolesInfo command with the showPrivileges and showBuiltinRoles fields both set to true.
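The following is an added example, not code from the MongoDB documentation: it resolves, from a document shaped like the output of rolesInfo with showPrivileges and showBuiltinRoles set to true, whether a role grants a given action on a concrete namespace. The response it works on is a constructed sample; its action lists are illustrative and are not the authoritative privilege list of the read role. The resource-document rules encoded in resourceMatches are the ones MongoDB documents for privilege resources (a database-level resource covers only non-system collections; a system collection must be named explicitly).

```javascript
// Added example, not MongoDB's own code. The rolesInfo response below is
// CONSTRUCTED; the action lists are illustrative, not the authoritative
// privilege list for the read role.

const readRolePrivileges = [
  // Database-level resource: every non-system collection in "app".
  { resource: { db: "app", collection: "" },
    actions: ["find", "listIndexes", "listCollections", "collStats"] },
  // Collection-level resource: one named system collection only.
  { resource: { db: "app", collection: "system.js" },
    actions: ["find"] },
];

const rolesInfoResponse = {
  roles: [
    {
      role: "read",
      db: "app",
      isBuiltin: true,
      roles: [],
      inheritedRoles: [],
      privileges: readRolePrivileges,
      // For a role with no parent roles this equals "privileges".
      inheritedPrivileges: readRolePrivileges,
    },
  ],
  ok: 1,
};

// Resource-document semantics as documented for MongoDB privileges:
//   { anyResource: true }        -> everything, system collections included
//   { cluster: true }            -> the cluster itself, never a namespace
//   { db: "", collection: "" }   -> all non-system collections in all dbs
//   { db: "x", collection: "" }  -> all non-system collections in db x
//   { db: "", collection: "c" }  -> collection c in every db
//   { db: "x", collection: "c" } -> exactly x.c
function resourceMatches(resource, db, collection) {
  if (resource.anyResource === true) return true;
  if (resource.cluster === true) return false;
  if (resource.db !== "" && resource.db !== db) return false;
  if (resource.collection === "") return !collection.startsWith("system.");
  return resource.collection === collection;
}

// Look up one role document in a rolesInfo response, or null if absent.
function findRole(response, role, db) {
  return response.roles.find(r => r.role === role && r.db === db) || null;
}

// True when the role (own plus inherited privileges) carries `action`
// on the namespace db.collection.
function roleGrants(roleDoc, action, db, collection) {
  const privs = roleDoc.inheritedPrivileges || roleDoc.privileges || [];
  return privs.some(p =>
    p.actions.includes(action) && resourceMatches(p.resource, db, collection));
}

// Usage against the constructed response.
const readOnApp = findRole(rolesInfoResponse, "read", "app");
console.log(roleGrants(readOnApp, "find", "app", "orders"));         // true
console.log(roleGrants(readOnApp, "find", "app", "system.profile")); // false: system collection not named
console.log(roleGrants(readOnApp, "find", "app", "system.js"));      // true
console.log(roleGrants(readOnApp, "insert", "app", "orders"));       // false: read grants no write action
console.log(roleGrants(readOnApp, "find", "reports", "orders"));     // false: role is scoped to "app"
```

The check that matters in practice is the system.profile case: a database-level grant on non-system collections says nothing about system collections, so a role must name each system collection it touches, which is exactly how the built-in roles are described on this page.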

Database User Roles

Every database includes the following client roles:

read

Provides the ability to read data on all non-system collections and on the system.indexes, system.js, and system.namespaces system collections. The role provides read access by granting the following actions:

readWrite

Provides all the privileges of the read role plus the ability to modify data on all non-system collections and on the system.js collection. The role provides the following actions on those collections:

Database Administration Roles

Every database includes the following database administration roles:

dbAdmin

Provides the following actions on the database’s system.indexes, system.namespaces, and system.profile collections:

Changed in version 2.6.4: dbAdmin gained the createCollection action on the system.profile collection. Earlier versions granted only the dropCollection action on system.profile.

Also provides the following actions on all non-system collections. Note that these do not amount to full read access on non-system collections:

dbOwner

The database owner can perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles.

userAdmin

Provides the ability to create and modify roles and users for a database. A user with this role on a database can assign any role or privilege to any user for that database, including themselves.

The userAdmin role explicitly provides the following actions:

Warning

It is important to understand the security implications of granting the userAdmin role: a user with this role on a database can assign themselves any privilege on that database. Granting userAdmin on the admin database has further implications, because it indirectly provides superuser access to the cluster: with admin scope, a user with the userAdmin role can grant cluster-wide roles or privileges, including userAdminAnyDatabase.
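The following is an added example, not MongoDB's own code, that turns the warning above into an audit over the output of the usersInfo command. It applies three facts stated on this page: userAdmin on a database lets its holder grant themselves any privilege on that database; userAdmin on the admin database lets its holder grant cluster-wide roles such as userAdminAnyDatabase; and dbOwner combines readWrite, dbAdmin and userAdmin, so it counts the same way. The usersInfo response it scans is a constructed sample, and the inclusion of root in the superuser set is a known fact about MongoDB's built-in roles rather than something this section states.

```javascript
// Added example, not MongoDB's own code. The usersInfo response below is a
// CONSTRUCTED sample in the shape the command returns.

const usersInfoResponse = {
  users: [
    { _id: "admin.alice", user: "alice", db: "admin",
      roles: [{ role: "userAdmin", db: "admin" }] },
    { _id: "app.bob", user: "bob", db: "app",
      roles: [{ role: "userAdmin", db: "app" }, { role: "read", db: "reports" }] },
    { _id: "app.carol", user: "carol", db: "app",
      roles: [{ role: "readWrite", db: "app" }] },
  ],
  ok: 1,
};

// Roles that let their holder change user and role definitions on the
// database they are granted on (dbOwner includes userAdmin).
const USER_MANAGEMENT_ROLES = new Set(["userAdmin", "dbOwner"]);

// Roles on the admin database that are, directly or indirectly, cluster-wide
// superuser. root is MongoDB's built-in all-privileges role (known fact, not
// from this section of the page).
const ADMIN_SUPERUSER_ROLES = new Set([
  "userAdmin", "dbOwner", "userAdminAnyDatabase", "root",
]);

// Classify one user document from usersInfo.
function assessUser(userDoc) {
  const result = {
    user: `${userDoc.user}@${userDoc.db}`,
    superuser: false,      // can reach cluster-wide privileges via admin
    selfGrantDbs: [],      // databases where the user can self-grant anything
  };
  for (const { role, db } of userDoc.roles) {
    if (db === "admin" && ADMIN_SUPERUSER_ROLES.has(role)) {
      result.superuser = true;
    } else if (USER_MANAGEMENT_ROLES.has(role)) {
      result.selfGrantDbs.push(db);
    }
  }
  return result;
}

// Return only the users with an escalation path, keyed by user@db.
function auditUsers(response) {
  const findings = {};
  for (const u of response.users) {
    const a = assessUser(u);
    if (a.superuser || a.selfGrantDbs.length > 0) findings[a.user] = a;
  }
  return findings;
}

console.log(auditUsers(usersInfoResponse));
// alice@admin -> superuser; bob@app -> self-grant on "app"; carol is not listed
```

The point of keeping superuser and selfGrantDbs separate is that they call for different responses: a userAdmin grant on an application database is often intended, whereas userAdmin or dbOwner on admin is equivalent to handing out cluster-wide administration and should be treated as such in review.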

Cluster Administration Roles

The admin database includes the following roles for administering the whole system rather than a single database. These roles cover, among other things, replica set and sharded cluster administration.

clusterAdmin

Provides the greatest cluster-management access. This role combines the privileges granted by the clusterManager, clusterMonitor, and hostManager roles. Additionally, the role provides the dropDatabase action.

clusterManager

Changed in version 3.4.

Provides management and monitoring actions on the cluster. A user with this role can access the config and local databases, which are used in sharding and replication, respectively.

Provides the following actions on the cluster as a whole:

Provides the following actions on all databases in the cluster:

On the config database, provides the following privileges:

Resource Actions
All collections in the config database