Docs Menu
Docs Home
/
MongoDB Ops Manager
/

Ops Manager Roles

On this page

  • Organization Roles
  • Project Roles
  • Global Roles

Ops Manager roles allow you to grant users different levels of access to Ops Manager. You can grant a user the privileges needed to perform a specific set of tasks and no more.

If you use LDAP authentication for Ops Manager, you must:

  1. Create LDAP groups for each available role that follows.

  2. Assign users to these LDAP groups.

Neither the LDAP server nor Ops Manager synchronizes the groups and roles without user intervention.

To assign user roles, see Edit a User's or Team's Role in a Project. You can't assign your own roles.

Organization Role
Privileges
Organization Owner

An Ops Manager user with this organization role can:

  • Grants root access to the organization.

  • Grants Project Owner access to all projects in the organization, even if added to a project with a non-Owner role.

  • Use any privilege granted to any organization role.

  • Administer organization settings.

  • Add, edit, or delete users to the organization.

  • Delete the organization.

Organization Project Creator

An Ops Manager user with this organization role can:

Organization Read Only

An Ops Manager user with this organization role can grant read-only access to everything in the organization, including all projects in the organization.

Organization Member

An Ops Manager user with this organization role can grant read-only access to the organization (settings, users, and billing) and the projects to which they belong.

Within a project, an Organization Member's project role sets their project privileges.

A Project User Admin or Owner can add a new Ops Manager user to a project. This also adds this new Ops Manager user to that project's organization.

The following roles grant privileges within a project.

Project Role
Privileges
Project Read Only

An Ops Manager user with this project role can view most project components, including all:

  • Activity

  • Operational data

  • Ops Manager Users

  • Ops Manager User roles.

This user can't modify or delete anything.

Project User Admin

An Ops Manager user with this project role can:

  • Add an existing Ops Manager user to a project. If the added user does not currently belong to the organization, the user will be added to the organization as well.

  • Invite a new Ops Manager user to a project. After the Ops Manager user accepts the invite, Ops Manager also adds this user to the organization.

  • Remove an existing project invitation.

  • Deny a user's request to join a project. This can deny the user access to the project depending on the user's role in the organization.

  • Remove a user from a project.

  • Modify a user's role within a project.

Project Data Access Admin

An Ops Manager user with this project role can:

Project Data Access Read/Write

An Ops Manager user with this project role can:

Project Data Access Read Only

An Ops Manager user with this project role can:

Project Monitoring Admin

An Ops Manager user with this project role can:

  • Use any privilege granted to the Project Read Only role.

  • Administer alerts (create, modify, delete, enable/disable, acknowledge/unacknowledge).

  • Manage hosts (add, edit, delete).

  • Download Monitoring.

Project Backup Admin

An Ops Manager user with this project role can:

  • Use any privilege granted to the Project Read Only role.

  • Manage backups, including:

    • Starting, stopping, and terminating backups.

    • Requesting restores.

    • Viewing and editing the namespaces filter.

    • Viewing and editing host passwords.

    • Modifying backup settings.

    • Generating SSH keys.

    • Downloading the MongoDB Agent.

Project Automation Admin

An Ops Manager user with this project role can:

  • Use any privilege granted to the Project Read Only role.

  • View deployments.

  • Provision machines.

  • Edit configuration files.

  • Download the MongoDB Agent.

Project Owner

An Ops Manager user with this project role can:

  • Use any privilege granted to any of the other project roles.

  • Configure the Backup service.

    A user with Organization Owner role has Project Owner access for all projects in the organization, even if added to a project with a non-Owner role.

Global roles have all the same privileges as the equivalent Organization and Project roles, except that they have these privileges for all projects and organizations. They also have some additional privileges as noted in the following table.

The following roles grant privileges for all projects and organizations.

Global Role
Description
Global Read Only

Grants Project Read Only access to all projects and Organization Read Only for all organizations. The role additionally grants access to do the following:

  • View backups and other statistics through the admin console.

  • Global user search.

Global User Admin

Grants Project User Admin access to all projects and all organizations. The role additionally grants access to do the following:

  • Manage console messages.

  • Send test emails, SMS messages, and voice calls.

  • Edit user accounts.

  • Manage LDAP group mappings for organization and project roles.

Global Monitoring Admin

Grants Project Monitoring Admin access to all projects. The role additionally grants access to do the following:

  • View system statistics through the admin console.

Global Backup Admin

Grants Project Backup Admin access to all projects. The role additionally grants access to do the following:

  • View system statistics through the admin console.

  • Manage blockstore, daemon, and oplog store configurations.

  • Move jobs between daemons.

  • Approve backups in awaiting provisioning state.

Global Automation Admin

Grants Project Automation Admin access to all projects. The role additionally grants access to view system statistics through the admin console.

Global Owner

Grants privileges from all roles combined except those required to access Data Explorer:

Back

Programmatic Access to Ops Manager