MongoDB employs Role-Based Access Control (RBAC) to govern access to a MongoDB system. A user is granted one or more roles that determine the user’s access to database resources and operations. Outside of role assignments, the user has no access to the system.
MongoDB does not enable authorization by default: until it is turned on, any client that can connect to a mongod or mongos has unrestricted access to every database. Enable it with the --auth or --keyFile command-line option or, in a configuration file, by setting security.authorization to enabled or specifying security.keyFile. A key file enables internal authentication between the members of a replica set or sharded cluster and, as a consequence, also enables client authorization.
Administrators can also define custom roles with privileges tailored to operational needs, scoped as narrowly as a single collection.
When granted a role, a user receives all the privileges of that role. A user can have several roles concurrently, in which case the user receives the union of all the privileges of the respective roles.
A role consists of privileges that pair resources with allowed operations. Each privilege is defined directly in the role or inherited from another role.
A role’s privileges apply to the database where the role is created. A role created on the admin database can include privileges that apply to all databases or to the cluster.
Because roles are scoped to a database, a user can hold roles from several databases at once, for example a read-write role on one database and a read-only role on another; the user's access is the union of all of them.
A privilege consists of a specified resource and the actions permitted on the resource.
A privilege resource is a database, a collection, a set of collections, or the cluster. When the resource is the cluster, the associated actions affect the state of the system as a whole rather than a specific database or collection.
For example, a privilege that includes the update action allows a user to modify existing documents on the resource. To additionally grant the user permission to create documents on the resource, the administrator would add the insert action to the privilege.
For privilege syntax, see admin.system.roles.privileges.
A role can include one or more existing roles in its definition, in which case the role inherits all the privileges of the included roles.
A role can inherit privileges from other roles in its database. A role created on the admin database can inherit privileges from roles in any database.
New in version 2.6.
User administrators can create custom roles to grant access at collection and command granularity, in keeping with the principle of least privilege. Administrators create and edit roles using the role management commands.
MongoDB scopes a user-defined role to the database in which it is created and uniquely identifies the role by the pairing of its name and its database (the stored document's _id is <database>.<role name>). MongoDB stores the roles in the admin database's system.roles collection. Do not access this collection directly; use the role management commands to view and edit custom roles.
Role Assignment to Users
User administrators create the users that access the system’s databases. MongoDB’s user management commands let administrators create users and assign them roles.
MongoDB scopes a user to the database in which the user is created; this is the user's authentication database, and a user named alice in the app database is a different principal from a user named alice in the admin database. MongoDB stores all user definitions in the admin database, no matter which database the user is scoped to, in the admin database's system.users collection. Do not access this collection directly; use the user management commands.
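The following added example (not MongoDB's own code) ties together the rules above: roles as stored in admin.system.roles, a user as stored in admin.system.users, privilege inheritance and union, the rule that only roles on admin may include roles from other databases, and resource matching for an authorization check. The role, user, database and collection names are constructed for the example; the document shapes follow what createRole and createUser store.

```javascript
// Added example (not MongoDB's own code): computes the privileges a user ends up
// with from role documents shaped like admin.system.roles and a user document
// shaped like admin.system.users, then checks actions against them. The role,
// user, database and collection names are constructed for this example.
const ROLE_DOCS = [
  { _id: "reports.salesReader", role: "salesReader", db: "reports",
    privileges: [{ resource: { db: "reports", collection: "sales" }, actions: ["find"] }],
    roles: [] },
  { _id: "reports.salesEditor", role: "salesEditor", db: "reports",
    privileges: [{ resource: { db: "reports", collection: "sales" }, actions: ["update"] }],
    roles: [{ role: "salesReader", db: "reports" }] },   // inherits from its own database: allowed
  { _id: "admin.auditor", role: "auditor", db: "admin",
    privileges: [{ resource: { cluster: true }, actions: ["listDatabases"] },
                 { resource: { db: "", collection: "" }, actions: ["collStats"] }],
    roles: [{ role: "salesReader", db: "reports" }] },   // admin role inheriting across databases: allowed
  { _id: "app.ingest", role: "ingest", db: "app",
    privileges: [{ resource: { db: "app", collection: "events" }, actions: ["insert"] }],
    roles: [{ role: "salesReader", db: "reports" }] },   // non-admin role inheriting across databases: rejected
];

// User scoped to "app" (its authentication database) holding roles from two other databases.
const USER_DOC = { _id: "app.etl", user: "etl", db: "app",
  roles: [{ role: "salesEditor", db: "reports" }, { role: "auditor", db: "admin" }] };

const findRole = (docs, ref) => docs.find((r) => r.role === ref.role && r.db === ref.db);

// Scoping rule: only roles created on "admin" may include roles from other databases.
function validateRoles(docs) {
  const errors = [];
  for (const doc of docs) {
    for (const ref of doc.roles) {
      if (!findRole(docs, ref)) errors.push(`${doc._id}: unknown role ${ref.db}.${ref.role}`);
      else if (doc.db !== "admin" && ref.db !== doc.db)
        errors.push(`${doc._id}: cannot inherit ${ref.db}.${ref.role} from outside its database`);
    }
  }
  return errors;
}

const resourceKey = (r) => (r.cluster ? "cluster" : r.anyResource ? "anyResource" : `${r.db}|${r.collection}`);

// Walks the role graph and unions every action granted on each resource.
function effectivePrivileges(docs, roleRefs) {
  const merged = new Map();     // resourceKey -> { resource, actions: Set }
  const visited = new Set();    // guard so the walk terminates even on a cyclic role graph
  const walk = (ref) => {
    const doc = findRole(docs, ref);
    if (!doc) throw new Error(`unknown role ${ref.db}.${ref.role}`);
    if (visited.has(doc._id)) return;
    visited.add(doc._id);
    for (const p of doc.privileges) {
      const entry = merged.get(resourceKey(p.resource)) || { resource: p.resource, actions: new Set() };
      p.actions.forEach((a) => entry.actions.add(a));
      merged.set(resourceKey(p.resource), entry);
    }
    doc.roles.forEach(walk);
  };
  roleRefs.forEach(walk);
  return [...merged.values()].map((e) => ({ resource: e.resource, actions: [...e.actions].sort() }));
}

// Resource matching per the manual's resource document rules: an empty db or
// collection string is a wildcard, and the collection wildcard skips system.* collections.
function resourceCovers(granted, requested) {
  if (granted.anyResource) return true;
  if (granted.cluster || requested.cluster) return Boolean(granted.cluster && requested.cluster);
  const dbOk = granted.db === "" || granted.db === requested.db;
  const collOk = granted.collection === requested.collection ||
    (granted.collection === "" && !requested.collection.startsWith("system."));
  return dbOk && collOk;
}

function isAuthorized(privs, resource, action) {
  return privs.some((p) => p.actions.includes(action) && resourceCovers(p.resource, resource));
}

// Actions granted on exactly this resource (no wildcard expansion), for inspection.
function actionsOn(privs, resource) {
  const hit = privs.find((p) => resourceKey(p.resource) === resourceKey(resource));
  return hit ? hit.actions : [];
}

const etlPrivs = effectivePrivileges(ROLE_DOCS, USER_DOC.roles);
console.log(validateRoles(ROLE_DOCS));   // flags app.ingest, which createRole would reject
console.log(etlPrivs);
console.log(isAuthorized(etlPrivs, { db: "reports", collection: "sales" }, "update"),   // true
            isAuthorized(etlPrivs, { db: "reports", collection: "sales" }, "insert"));  // false: update does not imply insert
```

The walk mirrors what the getRole command returns with showPrivileges: true (inherited privileges merged by resource), and the validation mirrors the check createRole applies before a cross-database inheritance is stored. Note that the update action on reports.sales never grants insert: each action must be granted explicitly.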