
Create a Role

Overview

Roles grant users access to MongoDB resources. By default, MongoDB provides a number of built-in roles that administrators may use to control access to a MongoDB system. However, if these roles cannot describe the desired privilege set of a particular user type in a deployment, you can define a new, customized role.

A role’s privileges apply to the database where the role is created. The role can inherit privileges from other roles in its database. A role created on the admin database can include privileges that apply to all databases or to the cluster and can inherit privileges from roles in other databases.

The combination of the database name and the role name uniquely defines a role in MongoDB.

Prerequisites

You must have the createRole action on a database to create a role on that database.

You must have the grantRole action on the database that a privilege targets in order to grant that privilege to a role. If the privilege targets multiple databases or the cluster resource, you must have the grantRole action on the admin database.

You must have the grantRole action on a role’s database to grant the role to another role.

To view a role’s information, you must be explicitly granted the role or must have the viewRole action on the role’s database.

Procedure

1

Connect to MongoDB with the appropriate privileges.

Connect to the mongod or mongos with the privileges required in the Prerequisites section.

The following example operation connects to MongoDB as an authenticated user named manager, authenticating against the admin database:

mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin

Passing the password on the command line as shown records it in the shell history and exposes it in the process list; in practice, give -p without a value and the shell prompts for the password instead.
2

Verify your privileges.

Use the usersInfo command with the showPrivileges option.

The following example operation checks privileges for a user connected as manager:

db.runCommand(
  {
    usersInfo:"manager",
    showPrivileges:true
  }
)

The resulting users document contains an inheritedPrivileges array listing every privilege manager holds, including privileges inherited through the user's roles. Check it for the createRole and grantRole actions listed in the Prerequisites section before continuing.

3

Define the privileges to grant to the role.

Decide which resources to grant access to and which actions to grant on each resource.

When creating the role, you will enter the resource-action pairings as documents in the privileges array. Each privilege document has a resource field and an actions array. The following resource document, for example, identifies the electronics collection in the products database; pairing it with an actions array such as [ "find" ] yields one privilege document:

{ db: "products", collection: "electronics" }
4

Check whether an existing role provides the privileges.

If an existing role contains the exact set of privileges, the new role can inherit those privileges.

To view the privileges provided by existing roles, use the rolesInfo command, as in the following. With rolesInfo: 1 the command returns the user-defined roles on the current database; add showBuiltinRoles: true to include the built-in roles, and keep showPrivileges: 1 so that each role's privileges are listed rather than only its name:

db.runCommand( { rolesInfo: 1, showPrivileges: 1 } )
5

Create the role.

To create the role, use the createRole command, or the db.createRole() shell helper that wraps it, as in the example below. Specify privileges in the privileges array and inherited roles in the roles array. The role is created in the current database, so switch to the intended database first.

The following example creates the myClusterwideAdmin role in the admin database:

use admin
db.createRole(
  {
    role: "myClusterwideAdmin",
    privileges:
    [
      { resource: { cluster: true }, actions: [ "addShard" ] },
      { resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert" ] },
      { resource: { db: "users", collection: "usersCollection" }, actions: [ "update" ] },
      { resource: { db: "", collection: "" }, actions: [ "find" ] }
    ],
    roles:
    [
      { role: "read", db: "admin" }
    ],
    writeConcern: { w: "majority" , wtimeout: 5000 }
  }
)

The operation defines myClusterwideAdmin role’s privileges in the privileges array. In the roles array, myClusterwideAdmin inherits privileges from the admin database’s read role, so the role's effective privileges are the union of the privileges array and everything inherited. The optional writeConcern field makes the operation wait for majority acknowledgment, failing after 5000 milliseconds if that is not achieved.

Review broad resources before granting a role like this one: { cluster: true } targets the cluster as a whole, { db: "", collection: "" } applies to all non-system collections in every database, and write actions on the config database affect sharding metadata. Each of these requires grantRole on the admin database, as described in the Prerequisites section.
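The prerequisite checks in steps 2 and 4 are done by reading the usersInfo and rolesInfo output by eye. The following is an added example, not part of the MongoDB documentation, that performs the same two checks offline in plain JavaScript against constructed copies of that output: it lists which createRole/grantRole actions the connected user still lacks for a proposed role definition, and which of the proposed privileges an existing role does not already cover. The resource-matching rules in resourceCovers are a simplified model of MongoDB's resource patterns (an assumption, noted in the code), and managerPrivs and adminReadPrivs are constructed sample documents rather than real server output.

```javascript
// Added example (not MongoDB's own code). Offline versions of the checks in steps 2 and 4,
// run against documents shaped like usersInfo/rolesInfo output with showPrivileges set.

// Does the privilege resource `have` cover the resource `want`?
// Assumption/simplification: { db: "", collection: "" } is treated as matching every
// database and collection; MongoDB itself excludes system collections from that pattern.
function resourceCovers(have, want) {
  if (have.anyResource === true) return true;
  if (want.anyResource === true) return false;
  if (have.cluster === true || want.cluster === true) return Boolean(have.cluster && want.cluster);
  const dbOk = have.db === "" || have.db === want.db;
  const collOk = have.collection === "" || have.collection === want.collection;
  return dbOk && collOk;
}

// Does any privilege in `privs` grant `action` on `resource`?
function hasAction(privs, resource, action) {
  return privs.some((p) => p.actions.includes(action) && resourceCovers(p.resource, resource));
}

// Database on which grantRole is needed to grant a privilege on `resource`:
// the targeted database, or admin for cluster-wide and multi-database resources.
function grantRoleDbFor(resource) {
  if (resource.cluster === true || resource.anyResource === true || resource.db === "") return "admin";
  return resource.db;
}

// Step 2: the (action, db) requirements the caller still lacks before
// db.getSiblingDB(targetDb).createRole(roleDef) can succeed.
function missingGrants(userPrivs, targetDb, roleDef) {
  const needed = [{ action: "createRole", db: targetDb, why: `create role in ${targetDb}` }];
  for (const p of roleDef.privileges || []) {
    needed.push({ action: "grantRole", db: grantRoleDbFor(p.resource), why: `grant ${JSON.stringify(p.resource)}` });
  }
  for (const r of roleDef.roles || []) {
    needed.push({ action: "grantRole", db: r.db, why: `inherit ${r.role}@${r.db}` });
  }
  // createRole and grantRole are database-level actions, so check them against { db, collection: "" }.
  return needed.filter((n) => !hasAction(userPrivs, { db: n.db, collection: "" }, n.action));
}

// Step 4: the wanted privileges that an existing role's privileges do not fully cover
// (every action of a wanted privilege must be granted on a resource that covers it).
function uncoveredPrivileges(rolePrivs, wanted) {
  return wanted.filter((w) => !w.actions.every((a) => hasAction(rolePrivs, w.resource, a)));
}

// Constructed sample input (not real server output). managerPrivs stands in for
// db.runCommand({ usersInfo: "manager", showPrivileges: true }).users[0].inheritedPrivileges
const managerPrivs = [
  { resource: { db: "admin", collection: "" }, actions: ["createRole", "grantRole", "viewRole"] },
];

// The page's myClusterwideAdmin definition, to be created in the admin database.
const proposedRole = {
  role: "myClusterwideAdmin",
  privileges: [
    { resource: { cluster: true }, actions: ["addShard"] },
    { resource: { db: "config", collection: "" }, actions: ["find", "update", "insert"] },
    { resource: { db: "users", collection: "usersCollection" }, actions: ["update"] },
    { resource: { db: "", collection: "" }, actions: ["find"] },
  ],
  roles: [{ role: "read", db: "admin" }],
};

// Constructed stand-in for the admin database's read role as listed by rolesInfo with showPrivileges.
const adminReadPrivs = [
  { resource: { db: "admin", collection: "" }, actions: ["find", "listIndexes", "listCollections"] },
];

const missing = missingGrants(managerPrivs, "admin", proposedRole);
console.log(missing.map((m) => `${m.action} on ${m.db}: ${m.why}`));
// manager lacks grantRole on "config" and on "users"; the cluster and all-database
// privileges only need grantRole on admin, which manager already holds.

const notCovered = uncoveredPrivileges(adminReadPrivs, proposedRole.privileges);
console.log(`${notCovered.length} of ${proposedRole.privileges.length} privileges must be listed explicitly`);
```

To use this against a live deployment, replace managerPrivs with the inheritedPrivileges array from step 2 and adminReadPrivs with the privileges of whichever existing role you are considering for the roles array; any requirement printed by missingGrants is a grant an administrator must add before step 5 will succeed.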