• Security >
• Role-Based Access Control >
• Built-In Roles

Built-In Roles

MongoDB provides built-in roles that provide the different levels of access commonly needed in a database system. Built-in database user roles and database administration roles roles exist in each database. The admin database contains additional roles.

This page provides a brief description of the built-in roles. For the specific privileges granted by each role, see the Built-In Roles reference page.

Database User Roles

Every database includes the following roles:

Role	Short Description
read	Provides the ability to read data on all non-system collections and on the following system collections: system.indexes, system.js, and system.namespaces collections. For the specific privileges granted by the role, see read.
readWrite	Provides all the privileges of the read role and the ability to modify data on all non-system collections and the system.js collection. For the specific privileges granted by the role, see readWrite.

Database Administration Roles

Every database includes the following database administration roles:

Role	Short Description
dbAdmin	Provides the ability to perform administrative tasks such as schema-related tasks, indexing, gathering statistics. This role does not grant privileges for user and role management. For the specific privileges granted by the role, see dbAdmin.
dbOwner	Provides the ability to perform any administrative action on the database. This role combines the privileges granted by the readWrite, dbAdmin and userAdmin roles.
userAdmin	Provides the ability to create and modify roles and users on the current database. Since the userAdmin role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster. For the specific privileges granted by the role, see userAdmin.

Cluster Administration Roles

The admin database includes the following roles for administering the whole system rather than a specific database. These roles include but are not limited to replica set and sharded cluster administrative functions.

Role	Short Description
clusterAdmin	Provides the greatest cluster-management access. This role combines the privileges granted by the clusterManager, clusterMonitor, and hostManager roles. Additionally, the role provides the dropDatabase action.
clusterManager	Provides management and monitoring actions on the cluster. A user with this role can access the config and local databases, which are used in sharding and replication, respectively. For the specific privileges granted by the role, see clusterManager.
clusterMonitor	Provides read-only access to monitoring tools, such as the MongoDB Cloud Manager and Ops Manager monitoring agent. For the specific privileges granted by the role, see clusterMonitor.
hostManager	Provides the ability to monitor and manage servers. For the specific privileges granted by the role, see hostManager.

Backup and Restoration Roles

The admin database includes the following roles for backing up and restoring data:

Role	Short Description
backup	Provides privileges needed to back up data. This role provides sufficient privileges to use the MongoDB Cloud Manager backup agent, Ops Manager backup agent, or to use mongodump. For the specific privileges granted by the role, see backup.
restore	Provides privileges needed to restore data with mongorestore without the --oplogReplay option or without system.profile collection data. For the specific privileges granted by the role, see restore.

All-Database Roles

Changed in version 3.4.

These roles in the admin database apply to all but the local and config databases in a mongod instance:

Role	Short Description
readAnyDatabase	Provides the same read-only permissions as read, except it applies to all but the local and config databases in the cluster. The role also provides the listDatabases action on the cluster as a whole. For the specific privileges granted by the role, see readAnyDatabase. Changed in version 3.4: Prior to 3.4, readAnyDatabase includes local and config databases. To provide read privileges on the local database, create a user in the admin database with read role in the local database. See also clusterManager role for access to the config and local databases.
readWriteAnyDatabase	Provides the same read and write permissions as readWrite, except it applies to all but the local and config databases in the cluster. The role also provides the listDatabases action on the cluster as a whole. For the specific privileges granted by the role, see readWriteAnyDatabase. Changed in version 3.4: Prior to 3.4, readWriteAnyDatabase includes local and config databases. To provide readWrite privileges on the local database, create a user in the admin database with readWrite role in the local database. See also clusterManager role for access to the config and local databases.
userAdminAnyDatabase	Provides the same access to user administration operations as userAdmin, except it applies to all but the local and config databases in the cluster. Since the userAdminAnyDatabase role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access. For the specific privileges granted by the role, see userAdminAnyDatabase. Changed in version 3.4: Prior to 3.4, userAdminAnyDatabase includes local and config databases.
dbAdminAnyDatabase	Provides the same access to database administration operations as dbAdmin, except it applies to all but the local and config databases in the cluster. The role also provides the listDatabases action on the cluster as a whole. For the specific privileges granted by the role, see dbAdminAnyDatabase. Changed in version 3.4: Prior to 3.4, dbAdminAnyDatabase includes local and config databases. To provide dbAdmin privileges on the local database, create a user in the admin database with dbAdmin role in the local database. See also clusterManager role for access to the config and local databases.

Superuser Roles

The following role provides full privileges on all resources:

Role	Short Description
root	Provides access to the operations and all the resources of the readWriteAnyDatabase, dbAdminAnyDatabase, userAdminAnyDatabase, clusterAdmin, restore, and backup combined. For the specific privileges granted by the role, see root.

Internal Role

Role	Short Description
__system	Provides privileges to take any action against any object in the database. Do not assign this role to user objects representing applications or human administrators, other than in exceptional circumstances. For more information, see root.

See also

Built-In Roles

←   Role-Based Access Control User-Defined Roles  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.