Manage Users and Roles
This tutorial provides examples for user and role management under MongoDB's authorization model. Add Users describes how to add a new user to MongoDB.
If you have enabled access control for your deployment, you must authenticate as a user with the required privileges specified in each section. A user administrator with the userAdminAnyDatabase role, or the userAdmin role in the specific databases, has the required privileges to perform the operations listed in this tutorial. See Enable Auth for details on adding a user administrator as the first user.
Roles grant users access to MongoDB resources. MongoDB provides a number of built-in roles that administrators can use to control access to a MongoDB system. However, if these roles cannot describe the desired set of privileges, you can create new roles in a particular database.
Except for roles created in the admin database, a role can only include privileges that apply to its database and can only inherit from other roles in its database.
A role created in the admin database can include privileges that apply to the admin database, other databases or to the cluster resource, and can inherit from roles in other databases as well as the
To create a new role, use the db.createRole() method, specifying the privileges in the privileges array and the inherited roles in the
MongoDB uses the combination of the database name and the role name to uniquely define a role. Each role is scoped to the database in which you create the role, but MongoDB stores all role information in the admin.system.roles collection in the
To create a role in a database, you must have:
- the createRole action on that database resource.
- the grantRole action on that database to specify privileges for the new role as well as to specify roles to inherit from.
manageOpRole has privileges that act on multiple databases as well as the cluster resource. As such, you must create the role in the
The new role grants permissions to kill any operations.
The built-in role
mongostatRole has privileges that act on the cluster resource. As such, you must create the role in the
The built-in role
The following example creates a role named dropSystemViewsAnyDatabase that provides the privileges to drop the system.views collection in any database.
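As an added example (not code from the MongoDB documentation), the role document for dropSystemViewsAnyDatabase in the shape db.createRole() accepts, together with a hypothetical pre-flight helper, checkRoleScope, that applies the scoping rule stated above: a role created outside admin may only carry privileges on its own database and inherit roles from that database, so a resource with db "" or the cluster resource forces the role into admin. The reportingReader role is a constructed sample; the block runs under Node without a mongo shell.

```javascript
// Added example, not from the MongoDB docs page: role documents in the shape
// db.createRole() accepts, plus a hypothetical pre-flight check for the rule
// that a role outside "admin" is limited to its own database.
// Cluster resource, or a db/collection pattern with db "" (any database).
function isCrossDatabaseResource(resource) {
  return resource.cluster === true || resource.anyResource === true ||
    resource.db === "";
}

// Returns scoping problems; empty means the role may be created in dbName.
function checkRoleScope(dbName, roleDoc) {
  const problems = [];
  if (dbName === "admin") return problems; // admin roles are exempt
  for (const { resource } of roleDoc.privileges) {
    if (isCrossDatabaseResource(resource)) {
      problems.push(`${JSON.stringify(resource)} requires the admin database`);
    } else if (resource.db !== dbName) {
      problems.push(`privilege on "${resource.db}" outside "${dbName}"`);
    }
  }
  for (const r of roleDoc.roles) {
    // Inherited roles are a name (same database) or { role, db }.
    const inheritedDb = typeof r === "string" ? dbName : r.db;
    if (inheritedDb !== dbName) {
      problems.push(`cannot inherit ${JSON.stringify(r)} from "${inheritedDb}"`);
    }
  }
  return problems;
}

// The createRole command that the db.createRole() shell helper sends.
function buildCreateRoleCommand(roleDoc) {
  return { createRole: roleDoc.role, privileges: roleDoc.privileges, roles: roleDoc.roles };
}

// The role from the text: dropping system.views in any database needs db ""
// in the resource, so this role must be created in admin.
const dropSystemViewsAnyDatabase = {
  role: "dropSystemViewsAnyDatabase",
  privileges: [{ resource: { db: "", collection: "system.views" }, actions: ["dropCollection"] }],
  roles: [],
};

// Constructed sample of a single-database role, valid outside admin.
const reportingReader = {
  role: "reportingReader",
  privileges: [{ resource: { db: "reporting", collection: "" }, actions: ["find"] }],
  roles: ["read"],
};
```

Run checkRoleScope against the target database before calling db.createRole(); a non-empty result means the server would reject the role or the role is being created in the wrong database.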