MongoDB employs Role-Based Access Control (RBAC) to govern access to a
MongoDB system. A user is granted one or more roles that
determine the user’s access to database resources and operations. Outside
of role assignments, the user has no access to the system.
Administrators can also create new roles and privileges to cater to
operational needs. Administrators can assign privileges scoped as
granularly as the collection level.
When granted a role, a user receives all the privileges of that role. A
user can have several roles concurrently, in which case the user receives
the union of all the privileges of the respective roles.
A role consists of privileges that pair resources with allowed
operations. Each privilege is specified explicitly in the role or
inherited from another role or both.
Except for roles created in the admin database, a role can only
include privileges that apply to its database and can only inherit from
other roles in its database.
A role created in the admin database can include privileges that
apply to the admin database, other databases or to the
cluster resource, and can inherit from roles
in other databases as well as the admin database.
A user assigned a role receives all the privileges of that role. The user can
have multiple roles and can have different roles on different databases.
Roles always grant privileges and never limit access. For example, if a user
has both the read and readWriteAnyDatabase roles on a
database, the greater access prevails.
A privilege consists of a specified resource and the actions permitted on the
A privilege resource is either a
database, collection, set of collections, or the cluster. If the cluster, the
affiliated actions affect the state of the system rather than a specific
database or collection.
An action is a command or method the
user is allowed to perform on the resource. A resource can have multiple
allowed actions. For available actions see
For example, a privilege that includes the update action
allows a user to modify existing documents on the resource. To
additionally grant the user permission to create documents on the
resource, the administrator would add the insert action to
User administrators can create custom roles to ensure collection-level and
command-level granularity and to adhere to the policy of least
privilege. Administrators create and edit roles using the role
MongoDB scopes a user-defined role to the database in which it is created and
uniquely identifies the role by the pairing of its name and its database.
MongoDB stores the roles in the admin database’s system.roles collection. Do not access this
collection directly but instead use the role management commands to view and edit custom roles.
User administrators create the users that access the system’s databases.
MongoDB’s user management commands let
administrators create users and assign them roles.
MongoDB scopes a user to the database in which the user is created. MongoDB
stores all user definitions in the admin database, no matter which
database the user is scoped to. MongoDB stores users in the admin
database’s system.users collection. Do not access this collection directly
but instead use the user management commands.