Labs ICT

Authorization

Role-based access control.

Role-Based Access Control

MongoDB uses role-based access control (RBAC) to manage permissions. Instead of assigning permissions directly to users, you assign roles. Roles bundle multiple privileges together.

Think of roles like job titles. A "Manager" role might include permissions to read, write, and delete. An "Intern" role might only allow reading. You assign roles to users based on their responsibilities.

RBAC makes permission management scalable. When you need to change what a role can do, you update the role once, and all users with that role get the new permissions automatically.

Built-in Roles

MongoDB comes with several built-in roles that cover common use cases. The most basic are read and readWrite. These work at the database level.

For database management, there are dbAdmin (maintenance tasks), userAdmin (managing users), and dbOwner (all of the above). These are database-level administrative roles.

At the cluster level, there are clusterAdmin, clusterManager, and root. The root role has unrestricted access to everything. Use it sparingly.

// A bare role name ("read") refers to that role in the current database (the
// one selected with `use <db>`), so read/readWrite here apply to that database
// only. In mongosh, pwd: passwordPrompt() keeps the password out of shell history.
db.createUser({
  user: "reader",
  pwd: "readPass",
  roles: ["read"]
})

db.createUser({
  user: "developer",
  pwd: "devPass",
  roles: ["readWrite"]
})

db.createUser({
  user: "admin",
  pwd: "adminPass",
  roles: ["dbAdmin"]
})

// root exists only in the admin database: create the superuser there (or
// reference the role as { role: "root", db: "admin" }). A bare "root" in any
// other database fails with "Role root@<db> not found".
use admin

db.createUser({
  user: "superAdmin",
  pwd: "superPass",
  roles: ["root"]
})

Custom Roles

When built-in roles don't fit your needs, you can create custom roles. Custom roles let you define exactly what operations a role can perform on specific resources.

You create custom roles in the admin database. Each role has a name, a set of privileges, and an optional set of roles it inherits from.

Custom roles are powerful but require careful planning. Define what actions are allowed (find, insert, update) and on which collections. Be specific: grant only the actions and collections the role actually needs.

// Roles are identified as name@db; defining this one in admin creates
// reportsReader@admin, which can hold privileges on any database.
use admin

db.createRole({
  role: "reportsReader",
  privileges: [
    {
      resource: { db: "analytics", collection: "dailyReports" },
      actions: ["find"]
    },
    {
      resource: { db: "analytics", collection: "monthlyReports" },
      actions: ["find"]
    }
  ],
  roles: []   // no inherited roles
})

// Created in admin as well, so the bare "reportsReader" resolves to reportsReader@admin.
db.createUser({
  user: "reportBot",
  pwd: "reportPass",
  roles: ["reportsReader"]
})

Granting and Revoking Privileges

You can modify a user's roles after creation using grantRolesToUser and revokeRolesFromUser. This lets you adjust permissions without recreating users.

Granting roles is straightforward. Revoking roles removes specific permissions. If a user has multiple roles, revoking one doesn't affect the others.

You can also modify custom roles using grantPrivilegesToRole and revokePrivilegesFromRole. This gives you fine-grained control over what each role can do.

// Users are identified as name@db, so run grantRolesToUser / revokeRolesFromUser
// in the database where "reader" was created (the one current when
// db.createUser ran); in admin they would fail with "User reader@admin not found".
db.grantRolesToUser("reader", ["readWrite"])

db.revokeRolesFromUser("reader", ["readWrite"])

// Role privileges are edited in the database that defines the role.
use admin

db.grantPrivilegesToRole("reportsReader", [
  {
    resource: { db: "analytics", collection: "weeklyReports" },
    actions: ["find"]
  }
])

db.revokePrivilegesFromRole("reportsReader", [
  {
    resource: { db: "analytics", collection: "monthlyReports" },
    actions: ["find"]
  }
])
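As an added example (not code from the Labs ICT page), the following JavaScript models how MongoDB resolves a user's effective privileges from roles, inherited roles and resources, and mirrors the custom-role and grantPrivilegesToRole/revokePrivilegesFromRole steps above so you can verify what reportBot can actually do before and after a change. The role catalogue, the simplified built-in roles and the function names are constructed for this example.

```javascript
// Added example (not code from the Labs ICT page): a small model of how MongoDB
// resolves effective privileges from roles, inherited roles and resources, so a
// defender can check what a user can really do after grant/revoke operations.
// Constructed catalogue: built-ins are simplified to the actions needed here.
const ROLES = {
  "read@analytics": { roles: [], privileges: [
    { resource: { db: "analytics", collection: "" }, actions: ["find"] }] },
  "readWrite@analytics": { roles: ["read@analytics"], privileges: [
    { resource: { db: "analytics", collection: "" }, actions: ["insert", "update", "remove"] }] },
  "reportsReader@admin": { roles: [], privileges: [
    { resource: { db: "analytics", collection: "dailyReports" }, actions: ["find"] },
    { resource: { db: "analytics", collection: "monthlyReports" }, actions: ["find"] }] },
  "root@admin": { roles: [], privileges: [
    { resource: { anyResource: true }, actions: ["anyAction"] }] },
};

// Collect privileges through role inheritance; `seen` guards against cycles.
function effectivePrivileges(roleNames, seen = new Set()) {
  const out = [];
  for (const name of roleNames) {
    if (seen.has(name) || !ROLES[name]) continue;
    seen.add(name);
    out.push(...ROLES[name].privileges, ...effectivePrivileges(ROLES[name].roles, seen));
  }
  return out;
}

// Resource matching as MongoDB does it: "" for db or collection means "any".
function resourceMatches(res, db, coll) {
  if (res.anyResource) return true;
  return (res.db === "" || res.db === db) && (res.collection === "" || res.collection === coll);
}
function isAllowed(userRoles, db, coll, action) {
  return effectivePrivileges(userRoles).some(p => resourceMatches(p.resource, db, coll)
    && (p.actions.includes(action) || p.actions.includes("anyAction")));
}

// Simplified model of grantPrivilegesToRole / revokePrivilegesFromRole on the catalogue.
function grantPrivilegesToRole(role, privs) { ROLES[role].privileges.push(...privs); }
function revokePrivilegesFromRole(role, privs) {
  for (const rp of privs)
    for (const p of ROLES[role].privileges)
      if (p.resource.db === rp.resource.db && p.resource.collection === rp.resource.collection)
        p.actions = p.actions.filter(a => !rp.actions.includes(a));
}
// Least-privilege audit: a role granting actions on every resource is a red flag.
function overPrivileged(userRoles) { return effectivePrivileges(userRoles).some(p =>
  p.resource.anyResource || (p.resource.db === "" && p.resource.collection === "")); }
```

Running the same checks against a real deployment means comparing the output of db.getUser(name, { showPrivileges: true }) with what the application actually needs.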