Built-In Roles¶

On this page

Database User Roles
Database Administration Roles
Cluster Administration Roles
Backup and Restoration Roles
All-Database Roles
Superuser Roles
Internal Role

MongoDB provides built-in roles that provide the different levels of access commonly needed in a database system. Built-in database user roles and database administration roles roles exist in each database. The admin database contains additional roles.

This page provides a brief description of the built-in roles. For the specific privileges granted by each role, see the Built-In Roles reference page.

Database User Roles¶

Every database includes the following roles:

Role Short Description

read

Provides the ability to read data on all non-system collections and on the following system collections: system.indexes, system.js, and system.namespaces collections.

For the specific privileges granted by the role, see read.

readWrite

Provides all the privileges of the read role plus ability to modify data on all non-system collections and the system.js collection.

For the specific privileges granted by the role, see readWrite.

Database Administration Roles¶

Every database includes the following database administration roles:

Role Short Description

dbAdmin

Provides the ability to perform administrative tasks such as schema-related tasks, indexing, and gathering statistics. This role does not grant privileges for user and role management.

For the specific privileges granted by the role, see dbAdmin.

dbOwner The database owner can perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles.

userAdmin

Provides the ability to create and modify roles and users on the current database. Since the userAdmin role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster.

For the specific privileges granted by the role, see userAdmin.

Cluster Administration Roles¶

The admin database includes the following roles for administering the whole system rather than just a single database. These roles include but are not limited to replica set and sharded cluster administrative functions.

Role	Short Description
`clusterAdmin`	Provides the greatest cluster-management access. This role combines the privileges granted by the `clusterManager`, `clusterMonitor`, and `hostManager` roles. Additionally, the role provides the `dropDatabase` action.
`clusterManager`	Provides management and monitoring actions on the cluster. A user with this role can access the `config` and `local` databases, which are used in sharding and replication, respectively. For the specific privileges granted by the role, see `clusterManager`.
`clusterMonitor`	Provides read-only access to monitoring tools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent. For the specific privileges granted by the role, see `clusterMonitor`.
`hostManager`	Provides the ability to monitor and manage servers. For the specific privileges granted by the role, see `hostManager`.

Backup and Restoration Roles¶

The admin database includes the following roles for backing up and restoring data:

Role Short Description

backup

Provides minimal privileges needed for backing up data. This role provides sufficient privileges to use the MongoDB Cloud Manager backup agent, Ops Manager backup agent, or to use mongodump to back up an entire mongod instance.

For the specific privileges granted by the role, see backup.

restore

Changed in version 3.6: Provides convertToCapped on non-system collections.

Provides privileges needed to restore data from backups that do not include system.profile collection data. This role is sufficient when restoring data with mongorestore without the --oplogReplay option.

For the specific privileges granted by the role, see restore.

All-Database Roles¶

Changed in version 3.4.

The following roles are available on the admin database and provide privileges which apply to all databases except local and config:

Role	Short Description
`readAnyDatabase`	Provides the same read-only privileges as `read` on all databases except `local` and `config`. The role also provides the `listDatabases` action on the cluster as a whole. For the specific privileges granted by the role, see `readAnyDatabase`. Changed in version 3.4: Prior to 3.4, `readAnyDatabase` includes `local` and `config` databases. To provide `read` privileges on the `local` database, create a user in the `admin` database with `read` role in the `local` database. See also `clusterManager` and `clusterMonitor` role for access to the `config` and `local` databases.
`readWriteAnyDatabase`	Provides the same privileges as `readWrite` on all databases except `local` and `config`. The role also provides the `listDatabases` action on the cluster as a whole. For the specific privileges granted by the role, see `readWriteAnyDatabase`. Changed in version 3.4: Prior to 3.4, `readWriteAnyDatabase` includes `local` and `config` databases. To provide `readWrite` privileges on the `local` database, create a user in the `admin` database with `readWrite` role in the `local` database. See also `clusterManager` and `clusterMonitor` role for access to the `config` and `local` databases.
`userAdminAnyDatabase`	Provides the same access to user administration operations as `userAdmin` on all databases except `local` and `config`. Since the `userAdminAnyDatabase` role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access. For the specific privileges granted by the role, see `userAdminAnyDatabase`. Changed in version 3.4: Prior to 3.4, `userAdminAnyDatabase` includes `local` and `config` databases.
`dbAdminAnyDatabase`	Provides the same privileges as `dbAdmin` on all databases except `local` and `config`. The role also provides the `listDatabases` action on the cluster as a whole. For the specific privileges granted by the role, see `dbAdminAnyDatabase`. Changed in version 3.4: Prior to 3.4, `dbAdminAnyDatabase` includes `local` and `config` databases. To provide `dbAdmin` privileges on the `local` database, create a user in the `admin` database with `dbAdmin` role in the `local` database. See also `clusterManager` and `clusterMonitor` role for access to the `config` and `local` databases.

Superuser Roles¶

The following role provides full privileges on all resources:

Role Short Description

root

Provides access to the operations and all the resources of the readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase, clusterAdmin, restore, and backup combined.

For the specific privileges granted by the role, see root.

Internal Role¶

Role Short Description

__system

Provides privileges to take any action against any object in the database.

Do not assign this role to user objects representing applications or human administrators, other than in exceptional circumstances.

For more information, see __system.