Built-In Roles in Self-Managed Deployments
On this page
MongoDB grants access to data and commands through role-based authorization and provides built-in roles that provide the different levels of access commonly needed in a database system. You can additionally create user-defined roles.
A role grants privileges to perform sets of actions on defined resources. A given role applies to the database on which it is defined and can grant access down to a collection level of granularity.
System collections include those in:
<database>.system.*
namespacelocal.replset.*
replica set namespace
For details, see System Collections.
Non-system collections are those not in namespaces in the previous list.
Each of MongoDB's built-in roles defines access at the database level for all non-system collections in the role's database and at the collection level for all system collections.
This section describes the privileges for each built-in role. You can also
view the privileges for a built-in role at any time by issuing the
rolesInfo
command with the showPrivileges
and
showBuiltinRoles
fields both set to true
.
MongoDB Atlas deployments have different built-in roles than self-hosted deployments. See the following resources to learn more:
MongoDB Atlas Built-In Roles
For the built-in database user roles for deployments hosted in MongoDB Atlas, see Altas Built-In Roles and Privileges.
You can create database users and assign built-in roles in the MongoDB Atlas user interface. To learn more, see Add Database Users.
Self-Hosted Deployment Built-In Roles
MongoDB provides the following built-in roles for self-hosted deployments:
Database user and database administration roles on every database
All other roles only on the
admin
database
Database User Roles
Every database includes the following client roles:
read
Provides the ability to read data on all non-system collections and the
system.js
collection.Note
The role does not provide privileges to directly access the
system.namespaces
collection directly.The role provides read access by granting the following actions:
If the user does not have the
listDatabases
privilege action, users can run thelistDatabases
command to return a list of databases for which the user has privileges (including databases for which the user has privileges on specific collections) if the command is run withauthorizedDatabases
option unspecified or set totrue
.
Database Administration Roles
Every database includes the following database administration roles:
dbAdmin
Provides the ability to perform administrative tasks such as schema-related tasks, indexing, and gathering statistics. This role does not grant privileges for user and role management.
Specifically, the role provides the following privileges:
ResourcePermitted ActionsAll non-system collections (i.e. database resource)
dbOwner
The database owner can perform any administrative action on the database. This role combines the privileges granted by the
readWrite
,dbAdmin
anduserAdmin
roles.
userAdmin
Provides the ability to create and modify roles and users on the current database. Since the
userAdmin
role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to theadmin
database, the cluster.The
userAdmin
role explicitly provides the following actions:Warning
It is important to understand the security implications of granting the
userAdmin
role: a user with this role for a database can assign themselves any privilege on that database. Granting theuserAdmin
role on theadmin
database has further security implications as this indirectly provides superuser access to a cluster. Withadmin
scope a user with theuserAdmin
role can grant cluster-wide roles or privileges includinguserAdminAnyDatabase
.
Cluster Administration Roles
The admin
database includes the following roles for administering the
whole system rather than just a single database. These roles include but are
not limited to replica set and sharded cluster administrative
functions.
clusterAdmin
Provides the greatest cluster-management access. This role combines the privileges granted by the
clusterManager
,clusterMonitor
, andhostManager
roles. Additionally, the role provides thedropDatabase
action.
clusterManager
Provides management and monitoring actions on the cluster. A user with this role can access the
config
andlocal
databases, which are used in sharding and replication, respectively.ResourceActionsAll databases
clusterManager
provides additional privileges for theconfig
andlocal
databases.On the
config
database, permits the following actions:ResourceActionsAll non-system collections in the
config
databaseOn the
local
database, permits the following actions:ResourceActionsAll non-system collections in the
local
databasesystem.replset
collection
clusterMonitor
Provides read-only access to monitoring tools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent.
Permits the following actions on the cluster as a whole:
Permits the following actions on all databases in the cluster:
Permits the
find
action on allsystem.profile
collections in the cluster.On the
config
database, permits the following actions:ResourceActionsAll non-system collections in the
config
databasesystem.js
collectionOn the
local
database, permits the following actions:ResourceActionsAll non-system collections in the
local
databasesystem.js
collection
enableSharding
Provides the ability to enable sharding for a collection and modify existing shard keys.
Provides the following actions on all non-system collections:
hostManager
Provides the ability to monitor and manage servers.
On the cluster as a whole, provides the following actions:
rotateCertificates
(New in version 5.0)
On all databases in the cluster, provides the following actions:
Backup and Restoration Roles
The admin
database includes the following roles for backing up and
restoring data:
backup
Provides minimal privileges needed for backing up data. This role provides sufficient privileges to use the MongoDB Cloud Manager backup agent, Ops Manager backup agent, or to use
mongodump
to back up an entiremongod
instance.Provides the
insert
andupdate
actions on thesettings
collection in theconfig
database.On
anyResource
, provides thelistDatabases
actionlistCollections
actionlistIndexes
actionlistSearchIndexes
action
On the cluster as a whole, provides the
setUserWriteBlockMode
(Starting in MongoDB 6.0)
Provides the
find
action on the following:all non-system collections in the cluster, including those in the
config
andlocal
databasesThe following system collections in the cluster:
system.js
, andsystem.profile
The
admin.system.users
andadmin.system.roles
collectionsThe
config.settings
collectionLegacy
system.users
collections from versions of MongoDB prior to 2.6
Provides the
insert
andupdate
actions on theconfig.settings
collection.The
backup
role provides additional privileges to back up thesystem.profile
collection that exists when running with database profiling.
restore
Provides
convertToCapped
on non-system collections.Provides the necessary privileges to restore data from backups if the data does not include
system.profile
collection data and you runmongorestore
without the--oplogReplay
option.If the backup data includes
system.profile
collection data or you run with--oplogReplay
, you need additional privileges:system.profile
If the backup data includes
system.profile
collection data and the target database does not contain thesystem.profile
collection,mongorestore
attempts to create the collection even though the program does not actually restoresystem.profile
documents. As such, the user requires additional privileges to performcreateCollection
andconvertToCapped
actions on thesystem.profile
collection for a database.Both the built-in roles
dbAdmin
anddbAdminAnyDatabase
provide the additional privileges.--oplogReplay
To run with
--oplogReplay
, create a user-defined role that hasanyAction
onanyResource
.Grant only to users who must run
mongorestore
with--oplogReplay
.Provides the following action on the cluster as a whole:
Provides the following actions on all non-system collections:
Provides the following actions on
system.js
collection:Provides the following action on
anyResource
:Provides the following actions on all non-system collections on the
config
and thelocal
databases:Provides the following actions on
admin.system.version
Provides the following action on
admin.system.roles
Provides the following actions on
admin.system.users
and legacysystem.users
collections:Although,
restore
includes the ability to modify the documents in theadmin.system.users
collection using normal modification operations, only modify these data using the user management methods.Provides the following action on the
<database>.system.views
collection:dropCollection
(Starting in MongoDB 6.0)
On the cluster as a whole, provides the following actions:
bypassWriteBlockingMode
(Staring in MongoDB 6.0)setUserWriteBlockMode
(Starting in MongoDB 6.0)
All-Database Roles
The following roles are available on the admin
database and provide
privileges which apply to all databases except local
and
config
:
readAnyDatabase
Provides the same read-only privileges as
read
on all databases exceptlocal
andconfig
. The role also provides thelistDatabases
action on the cluster as a whole.See also the
clusterManager
andclusterMonitor
roles for access to theconfig
andlocal
databases.
readWriteAnyDatabase
Provides the same privileges as
readWrite
on all databases exceptlocal
andconfig
. The role also provides:the
listDatabases
action on the cluster as a wholethe
compactStructuredEncryptionData
action
See also the
clusterManager
andclusterMonitor
roles for access to theconfig
andlocal
databases.
userAdminAnyDatabase
Provides the same access to user administration operations as
userAdmin
on all databases exceptlocal
andconfig
.userAdminAnyDatabase
also provides the following privilege actions on the cluster:The role provides the following privilege actions on the
system.users
andsystem.roles
collections on theadmin
database, and on legacysystem.users
collections from versions of MongoDB prior to 2.6:The
userAdminAnyDatabase
role does not restrict the privileges that a user can grant. As a result,userAdminAnyDatabase
users can grant themselves privileges in excess of their current privileges and even can grant themselves all privileges, even though the role does not explicitly authorize privileges beyond user administration. This role is effectively a MongoDB system superuser.See also the
clusterManager
andclusterMonitor
roles for access to theconfig
andlocal
databases.
dbAdminAnyDatabase
Provides the same privileges as
dbAdmin
on all databases exceptlocal
andconfig
. The role also provides thelistDatabases
action on the cluster as a whole.See also the
clusterManager
andclusterMonitor
roles for access to theconfig
andlocal
databases.Starting in MongoDB 5.0,
dbAdminAnyDatabase
includes the applyOps privilege action.
Superuser Roles
Several roles provide either indirect or direct system-wide superuser access.
The following roles provide the ability to assign any user any privilege on any database, which means that users with one of these roles can assign themselves any privilege on any database:
dbOwner
role, when scoped to theadmin
databaseuserAdmin
role, when scoped to theadmin
databaseuserAdminAnyDatabase
role
The following role provides full privileges on all resources:
root
Provides access to the operations and all the resources of the following roles combined:
Also provides the
validate
privilege action onsystem.
collections.
Internal Role
__system
MongoDB assigns this role to user objects that represent cluster members, such as replica set members and
mongos
instances. The role entitles its holder to take any action against any object in the database.Do not assign this role to user objects representing applications or human administrators, other than in exceptional circumstances.
If you need access to all actions on all resources, for example to run
applyOps
commands, do not assign this role. Instead, create a user-defined role that grantsanyAction
onanyResource
and ensure that only the users who need access to these operations have this access.