Understanding MongoDB Role-Based Access Control
MongoDB employs a Role-Based Access Control (RBAC) system to govern access to the database. Authorization is managed by assigning privileges to roles, which are in turn assigned to users. A user can hold multiple roles across different databases; the user's effective permissions are the union of the privileges of every role granted to it.
Role Categories
Built-in roles are grouped into specific categories based on the scope of their access. The following table outlines these categories and the specific roles contained within them.
| Category | Built-in Roles |
|---|---|
| Database User Roles | read, readWrite |
| Database Administration Roles | dbAdmin, dbOwner, userAdmin |
| Cluster Administration Roles | clusterAdmin, clusterManager, clusterMonitor, hostManager |
| Backup and Restoration Roles | backup, restore |
| All-Database Roles | readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase |
| Superuser Roles | root |
| Internal Roles | __system |
Privilege Descriptions
The specific actions allowed by the most common roles are detailed below. Note that the roles granting access to all databases, along with the cluster, backup and superuser roles, exist only in the admin database and must be granted there.
| Role/Privilege | Description |
|---|---|
| read | Grants read-only access to the specified database. |
| readWrite | Grants read and write access to the specified database. |
| dbAdmin | Provides schema-level administration of the specified database, such as creating indexes, gathering statistics, and reading the system.profile collection. It does not include user or role management. |
| userAdmin | Allows creating, modifying and deleting users and roles in the specified database. Because it can grant any privilege on that database, including to itself, userAdmin on the admin database is effectively superuser access. |
| clusterAdmin | Granted only via the admin database; provides full administrative access for sharding, replication, and other cluster-level operations. |
| readAnyDatabase | Granted only via the admin database; provides read access to all databases excluding local and config. |
| readWriteAnyDatabase | Granted only via the admin database; provides read/write access to all databases excluding local and config. |
| userAdminAnyDatabase | Granted only via the admin database; extends user and role management to all databases. Since it can grant any role, including root, to any user, it is also effectively superuser access. |
| dbAdminAnyDatabase | Granted only via the admin database; extends dbAdmin privileges to all databases. |
| root | Granted only via the admin database; the superuser role, combining the all-database roles, clusterAdmin, backup and restore. |
User Management Operations
Users are created and managed in the database you are switched to (their authentication database), so managing user accounts typically begins with switching to the admin database, or to the target database where the user is defined, before running the commands below.
Creating a User
To create a user, use the db.createUser() method. The following example creates a user with specific roles and custom metadata. Passwords typed as literals end up in the shell history; in mongosh, passwordPrompt() can be used in place of the literal so the password is entered interactively instead.
use admin
db.createUser({
user: "app_admin",
pwd: "SecurePassword123!",
roles: [
{
role: "readWrite",
db: "production_data"
},
{
role: "dbAdmin",
db: "production_data"
}
],
customData: {
department: "Engineering",
email: "admin@example.com"
}
})
To create a user with unrestricted access (a superuser), assign the root role in the admin database. Keep such accounts to the minimum needed, since each one is a full compromise of the deployment if its credentials leak:
use admin
db.createUser({
user: "global_superuser",
pwd: "RootAccessPassword!",
roles: [ "root" ]
})
Retrieving User Information
You can inspect existing users from the current database context using the following methods. All user documents are stored in admin.system.users regardless of the user's authentication database, so the direct collection query only returns results after switching to admin:
use admin
// Show users for the current database
show users
// Query the system users collection directly
db.system.users.find()
// Retrieve information for a specific user
db.runCommand({ usersInfo: "app_admin" })
Modifying User Credentials
Passwords and user attributes can be updated using db.changeUserPassword(), db.updateUser(), or the underlying updateUser command via db.runCommand(). Note that updateUser replaces the fields you pass in full: supplying customData overwrites the existing customData document rather than merging into it.
use admin
// Change only the password
db.changeUserPassword("app_admin", "NewSecurePassword456!")
// Update password and custom data fields
db.runCommand({
updateUser: "app_admin",
pwd: "AnotherPassword789!",
customData: {
department: "DevOps",
status: "active"
}
})
Administrative Commands via db.runCommand
While helper methods like createUser are convenient, all user management operations can be executed through the database command interface db.runCommand.
Creating a User with runCommand
This form is functionally equivalent to db.createUser(), which is itself a shell wrapper around the createUser command, and it is the shape that drivers and automation tooling send to the server.
use admin
db.runCommand({
createUser: "service_user",
pwd: "ServiceAuthPass!",
roles: [
{ role: "read", db: "logs" }
]
})
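The following JavaScript (runnable in Node.js, and usable from mongosh) is an added example written for this page; it is not MongoDB's or mongosh's own code. It encodes the built-in role tables above as data so that the output of usersInfo (the Retrieving User Information section) can be audited for users who are superusers in effect, and so that a createUser command document can be checked before it is handed to db.runCommand (the section directly above). Assumptions: only built-in role names are recognised, user-defined roles are reported as "unknown", the 12-character password floor is a local policy choice rather than a MongoDB requirement, and the usersInfo response shown is constructed sample data.

```javascript
// Added example for this page, not part of MongoDB or mongosh.
// Outright superusers.
const SUPERUSER_ROLES = new Set(["root", "__system"]);
// Roles that can grant any privilege to any user, including root. userAdminAnyDatabase
// does so from any scope; userAdmin and dbOwner do so when held on the admin database.
const GRANTING_ROLES = new Set(["userAdmin", "dbOwner"]);
// Roles that exist only in the admin database (All-Database, Cluster, Backup and Superuser rows).
const ADMIN_ONLY_ROLES = new Set([
  "readAnyDatabase", "readWriteAnyDatabase", "userAdminAnyDatabase", "dbAdminAnyDatabase",
  "clusterAdmin", "clusterManager", "clusterMonitor", "hostManager",
  "backup", "restore", "root", "__system",
]);
// Roles that may be granted on any database.
const PER_DB_ROLES = new Set(["read", "readWrite", "dbAdmin", "dbOwner", "userAdmin"]);

// Rank a single { role, db } grant. "superuser" covers direct and indirect (self-granting) paths.
function classifyGrant({ role, db }) {
  if (SUPERUSER_ROLES.has(role) || role === "userAdminAnyDatabase") return "superuser";
  if (GRANTING_ROLES.has(role) && db === "admin") return "superuser";
  if (ADMIN_ONLY_ROLES.has(role)) return "broad";   // every database or the whole cluster
  if (PER_DB_ROLES.has(role)) return "scoped";      // confined to one database
  return "unknown";                                 // user-defined role: inspect with rolesInfo + showPrivileges
}

const LEVEL_RANK = { scoped: 0, unknown: 1, broad: 2, superuser: 3 };

// Audit the response of db.runCommand({ usersInfo: 1 }). Returns one entry per user whose
// grants reach beyond a single database, tagged with the worst grant found.
function auditUsers(usersInfo) {
  return usersInfo.users
    .map((u) => {
      const grants = u.roles.map((r) => ({ role: r.role, db: r.db, level: classifyGrant(r) }));
      const level = grants.reduce(
        (worst, g) => (LEVEL_RANK[g.level] > LEVEL_RANK[worst] ? g.level : worst), "scoped");
      return { user: `${u.user}@${u.db}`, level, grants };
    })
    .filter((entry) => entry.level !== "scoped");
}

// Build the createUser command document. targetDb is the database the command will be run
// against; string roles resolve to it, because MongoDB treats a bare role name as a role on
// the database the command is issued in.
function buildCreateUserCommand({ user, pwd, roles, customData }, targetDb = "admin",
                                { allowSuperuser = false } = {}) {
  if (typeof user !== "string" || user.length === 0) throw new Error("user name is required");
  if (typeof pwd !== "string" || pwd.length < 12) throw new Error("password below the 12-character policy floor (assumed policy)");
  if (!Array.isArray(roles) || roles.length === 0) throw new Error("at least one role is required");
  const normalized = roles.map((r) =>
    typeof r === "string" ? { role: r, db: targetDb } : { role: r.role, db: r.db });
  for (const g of normalized) {
    if (typeof g.role !== "string" || typeof g.db !== "string") throw new Error(`malformed grant ${JSON.stringify(g)}`);
    if (ADMIN_ONLY_ROLES.has(g.role) && g.db !== "admin") {
      throw new Error(`${g.role} exists only in the admin database; the server would reject db "${g.db}"`);
    }
    if (!allowSuperuser && classifyGrant(g) === "superuser") {
      throw new Error(`${g.role}@${g.db} makes ${user} a superuser; pass allowSuperuser to confirm`);
    }
  }
  const command = { createUser: user, pwd, roles: normalized };
  if (customData !== undefined) command.customData = customData;
  return command;
}

// Constructed sample of a usersInfo response: the two users created on this page plus two extras.
const SAMPLE_USERS_INFO = {
  users: [
    { _id: "admin.app_admin", user: "app_admin", db: "admin",
      roles: [{ role: "readWrite", db: "production_data" }, { role: "dbAdmin", db: "production_data" }] },
    { _id: "admin.global_superuser", user: "global_superuser", db: "admin", roles: [{ role: "root", db: "admin" }] },
    { _id: "admin.helpdesk", user: "helpdesk", db: "admin", roles: [{ role: "userAdmin", db: "admin" }] },
    { _id: "admin.reporting", user: "reporting", db: "admin",
      roles: [{ role: "readAnyDatabase", db: "admin" }, { role: "analyticsRole", db: "reports" }] },
  ],
  ok: 1,
};

// In mongosh the live input would be db.getSiblingDB("admin").runCommand({ usersInfo: 1 }).
console.log(JSON.stringify(auditUsers(SAMPLE_USERS_INFO), null, 2));
console.log(JSON.stringify(buildCreateUserCommand(
  { user: "service_user", pwd: "ServiceAuthPass!", roles: [{ role: "read", db: "logs" }] })));
```

The audit deliberately flags helpdesk, whose only role is userAdmin on admin, at the same level as the explicit root account: the privilege table lists userAdmin as a per-database role, but on the admin database it can grant itself or anyone else root. The builder mirrors that rule on the way in, and also refuses an All-Database or cluster role scoped to an ordinary database, which the server would reject as a nonexistent role in that database.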