Built-In Roles
MongoDB provides built-in roles that provide the different levels of
access commonly needed in a database system. Built-in database user
roles and database administration roles exist in each database. The
admin database contains additional roles.
This page provides a brief description of the built-in roles. For the specific privileges granted by each role, see the Built-In Roles reference page.
Database User Roles
Every database includes the following roles:
Role | Short Description |
---|---|
read | Provides the ability to read data on all non-system collections and on the following system collections: For the specific privileges granted by the role, see |
readWrite | Provides all the privileges of the For the specific privileges granted by the role, see |
Database Administration Roles
Every database includes the following database administration roles:
Role | Short Description |
---|---|
dbAdmin | Provides the ability to perform administrative tasks such as schema-related tasks, indexing, and gathering statistics. This role does not grant privileges for user and role management. For the specific privileges granted by the role, see |
dbOwner | The database owner can perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles. |
userAdmin | Provides the ability to create and modify roles and users on the current database. Since the For the specific privileges granted by the role, see |
Cluster Administration Roles
The admin database includes the following roles for administering the
whole system rather than just a single database. These roles include but are
not limited to replica set and sharded cluster administrative
functions.
Role | Short Description |
---|---|
clusterAdmin | Provides the greatest cluster-management access. This role combines the privileges granted by the clusterManager, clusterMonitor, and hostManager roles. Additionally, the role provides the dropDatabase action. |
clusterManager | Provides management and monitoring actions on the cluster. A user with this role can access the For the specific privileges granted by the role, see |
clusterMonitor | Provides read-only access to monitoring tools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent. For the specific privileges granted by the role, see |
hostManager | Provides the ability to monitor and manage servers. For the specific privileges granted by the role, see |
Backup and Restoration Roles
The admin database includes the following roles for backing up and
restoring data:
Role | Short Description |
---|---|
backup | Provides minimal privileges needed for backing up data. This role provides sufficient privileges to use the MongoDB Cloud Manager backup agent, Ops Manager backup agent, or to use For the specific privileges granted by the role, see |
restore | Changed in version 3.6: Provides Provides privileges needed to restore data from backups that do not include For the specific privileges granted by the role, see |
All-Database Roles
Changed in version 3.4.
The following roles are available on the admin database and provide
privileges which apply to all databases except local and config:
Role | Short Description |
---|---|
readAnyDatabase | Provides the same read-only privileges as For the specific privileges granted by the role, see Changed in version 3.4: Prior to 3.4, |
readWriteAnyDatabase | Provides the same privileges as For the specific privileges granted by the role, see Changed in version 3.4: Prior to 3.4, |
userAdminAnyDatabase | Provides the same access to user administration operations as Since the For the specific privileges granted by the role, see Changed in version 3.4: Prior to 3.4, |
dbAdminAnyDatabase | Provides the same privileges as For the specific privileges granted by the role, see Changed in version 3.4: Prior to 3.4, |
Superuser Roles
The following role provides full privileges on all resources:
Role | Short Description |
---|---|
root | Provides access to the operations and all the resources of the For the specific privileges granted by the role, see |
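
The following added example (not part of the MongoDB documentation) shows one way to review user grants against the role compositions listed above: it expands dbOwner and clusterAdmin into the roles they combine and reports grants that carry user management, the dropDatabase action, or root. The user and database names and the expandRole and auditUsers helpers are constructed for illustration; the input mirrors the users array returned by the usersInfo command.

```javascript
// Added example. Role names and compositions come from the tables on this page.
const COMPOSITE = {
  dbOwner: ["readWrite", "dbAdmin", "userAdmin"],
  clusterAdmin: ["clusterManager", "clusterMonitor", "hostManager"],
};

// Expand one role name into itself plus every role it combines.
function expandRole(role) {
  return [role, ...(COMPOSITE[role] || []).flatMap(expandRole)];
}

// users: array shaped like the `users` field returned by the usersInfo command.
function auditUsers(users) {
  const findings = [];
  for (const u of users) {
    for (const g of u.roles) {
      const base = { user: `${u.user}@${u.db}`, grant: `${g.role}@${g.db}` };
      const effective = expandRole(g.role);
      if (g.role === "root") {
        findings.push({ ...base, reason: "full privileges on all resources" });
      } else if (g.role === "userAdminAnyDatabase") {
        findings.push({ ...base, reason: "user administration on all databases except local and config" });
      } else if (effective.includes("userAdmin")) {
        // userAdmin held directly, or inherited through a combining role such as dbOwner.
        const via = g.role === "userAdmin" ? "" : ` (via ${g.role})`;
        findings.push({ ...base, reason: `can create and modify users and roles on ${g.db}${via}` });
      }
      if (g.role === "clusterAdmin") {
        findings.push({ ...base, reason: "cluster management plus the dropDatabase action" });
      }
    }
  }
  return findings;
}

// Constructed sample data (hypothetical users and database names).
const SAMPLE_USERS = [
  { user: "app", db: "shop", roles: [{ role: "readWrite", db: "shop" }] },
  { user: "deploy", db: "shop", roles: [{ role: "dbOwner", db: "shop" }] },
  { user: "ops", db: "admin", roles: [{ role: "clusterAdmin", db: "admin" },
                                      { role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "dba", db: "admin", roles: [{ role: "root", db: "admin" }] },
];

for (const f of auditUsers(SAMPLE_USERS)) {
  console.log(`${f.user}  ${f.grant}  ${f.reason}`);
}
```

A user holding only readWrite produces no finding, while the dbOwner grant is reported because it includes userAdmin.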