Try Studio 3T for Free

Role Manager

Role Manager, along with the User Manager, simplifies MongoDB admin tasks like granting and modifying roles, listing users by role, and more. Try them both today.

Basics

Studio 3T’s Role Manager makes it easy to assign built-in roles and user-defined roles and list MongoDB users by role. But first, let’s look at a few basic concepts.

MongoDB privileges

A privilege is the foundation of a MongoDB role. It is made up of a resource and actions.

MongoDB resources

A resource is where the privileges are applied to, be it a cluster, a database, or specific collections within a database. You can choose one of three built-in resource options in Studio 3T:

  • Resource: Database/Collection – Choose Database/Collection to define the database and specific collection(s) the user should have access to.
  • Resource: Cluster – Use the Cluster resource for actions that affect the state of the system, e.g. shutdown, replSetReconfig, and addShard.
  • Resource: Any Resource (anyResource) – The internal resource anyResource gives access to every resource in the system and is intended for internal use. Use only in exceptional circumstances.

MongoDB (privilege) actions

Actions define what a user can do within a MongoDB resource.

You can find a list of privilege actions here. If you already know which actions to choose, skip to the next chapter.

Open Role Manager

Download the latest version of Studio 3T here.

To open Role Manager:

Right click or use the 'Roles' button to see current MongoDB roles

  • Button – Click on Roles in the global toolbar
  • Right-click – Right-click on any target database in the Connection Tree and choose Manage Roles

Create a new role

  1. Open Role Manager and click on Add.
  2. Enter a name for the new role and ensure that the target database is correct.
  3. To inherit privileges from existing roles, click on the Roles tab and add the relevant role. This will spare the manual task of adding resources and actions step by step.
  4. Click on the Privileges tab.
  5. Click on Add.
  6. Choose the appropriate resource and click OK.
  7. Choose the appropriate actions and click OK.
  8. Check that everything is correct and click Create Rule.

View the JSON code behind the user creation by clicking on Show Code.

View a role

  1. Open Role Manager and choose a role.
  2. Click on View to open the role profile and implement any changes.

Remove a role

  1. Open Role Manager and select a role.
  2. Click on the Remove button.
  3. Click Yes to delete the role.

Find users granted a specific role

In MongoDB, users are defined for specific databases. Each user is then assigned a number of roles that in turn define the user’s privileges.

While MongoDB’s API makes it trivial to list all roles that a particular user has been granted, there is unfortunately no easy way for the reverse case where you want to find all users that have been granted a particular role, i.e. the role’s grantees. Studio 3T makes it very easy to find those users.

List MongoDB roles

First off, connect to your MongoDB server as a user that has sufficient privileges to manage users and roles.

Then, simply select the database that contains the role for which you want to find all grantees.

Click the “Roles” icon in the toolbar.

MongoDB GUI for Role Management

Inspect selected MongoDB role

This will open the roles management tab for this database.

Here, you can see all the built-in and user-defined roles created for the database.

Now, simply select the role for which you want to see all the users that have been granted that role. In our case, that is the user-defined role “rwAdmin”.

Then click the “Edit” button.

MongoDB GUI Manage MongoDB Roles

List MongoDB users with the selected role

By default, In the “Granted To” tab, you can see all grantees from the same database that the role is defined in.

In our case, that is natalie, paul, peter, and richard.

If you want to see all users from all databases that have been granted role “rwAdmin”, click the “Refresh for all DBs” button.

Show MongoDB Users with a MongoDB Role

That’s it! You can now see all users from all databases that have been granted the role “rwAdmin” on our database “test”.

Modify MongoDB roles

In this view, you can now even conceptually add new users to this role. For this, click the “Add” button.

Grant MongoDB Role

In the new dialog, you can choose users from any database that you want to add to the role.

Of course, users in MongoDB are not really added to a role. Rather, under the hood, the selected users will be granted the role instead. Click “Add” to add the selected users.

Complement this reading with the article, MongoDB Users and Roles Explained, or a little refresh on how to grant roles to multiple users and how to authenticate users (because a secure MongoDB instance is a happy MongoDB instance 🙂 ).

Privilege actions

addShard
User can perform the addShard command. Apply this action to the cluster resource.
anyAction
Allows any action on a resource. **Do not** assign this action except for exceptional circumstances.
appendOplogNote
User can append notes to the oplog. Apply this action to the cluster resource.
applicationMessage
User can perform the logApplicationMessage command. Apply this action to the cluster resource.
authSchemaUpgrade
User can perform the authSchemaUpgrade command. Apply this action to the cluster resource.
changeCustomData
User can change the custom information of any user in the given database. Apply this action to database resources.
changeOwnCustomData
Users can change their own custom information. Apply this action to database resources.
changeOwnPassword
Users can change their own passwords. Apply this action to database resources.
changePassword
User can change the password of any user in the given database. Apply this action to database resources.
cleanupOrphaned
User can perform the cleanupOrphaned command. Apply this action to the cluster resource.
closeAllDatabases
User can perform the closeAllDatabases command. Apply this action to the cluster resource.
collMod
User can perform the collMod command. Apply this action to database or collection resources.
collStats
User can perform the collStats command. Apply this action to database or collection resources.
compact
User can perform the compact command. Apply this action to database or collection resources.
connPoolStats
User can perform the connPoolStats and shardConnPoolStats commands. Apply this action to the cluster resource.
connPoolSync
User can perform the connPoolSync command. Apply this action to the cluster resource.
convertToCapped
User can perform the convertToCapped command. Apply this action to database or collection resources.
cpuProfiler
User can enable and use the CPU profiler. Apply this action to the cluster resource.
createCollection
User can perform the db.createCollection() method. Apply this action to database or collection resources.
createIndex
Provides access to the db.collection.createIndex() method and the createIndexes command. Apply this action to database or collection resources.
createRole
User can create new roles in the given database. Apply this action to database resources.
createUser
User can create new users in the given database. Apply this action to database resources.
cursorInfo
User can perform the cursorInfo command. Apply this action to the cluster resource.
dbHash
User can perform the dbHash command. Apply this action to database or collection resources.
dbStats
User can perform the dbStats command. Apply this action to database resources.
diagLogging
User can perform the diagLogging command. Apply this action to the cluster resource.
dropCollection
User can perform the db.collection.drop() method. Apply this action to database or collection resources.
dropDatabase
User can perform the dropDatabase command. Apply this action to database resources.
dropIndex
User can perform the dropIndexes command. Apply this action to database or collection resources.
dropRole
User can delete any role from the given database. Apply this action to database resources.
dropUser
User can remove any user from the given database. Apply this action to database resources.
emptycapped
User can perform the emptycapped command. Apply this action to database or collection resources.
enableProfiler
User can perform the db.setProfilingLevel() method. Apply this action to database resources.
enableSharding
User can enable sharding on a database using the enableSharding command and can shard a collection using the shardCollection command. Apply this action to database or collection resources.
find
User can perform the db.collection.find() method. Apply this action to database or collection resources.
flushRouterConfig
User can perform the flushRouterConfig command. Apply this action to the cluster resource.
fsync
User can perform the fsync command. Apply this action to the cluster resource.
getCmdLineOpts
User can perform the getCmdLineOpts command. Apply this action to the cluster resource.
getLog
User can perform the getLog command. Apply this action to the cluster resource.
getParameter
User can perform the getParameter command. Apply this action to the cluster resource.
getShardMap
User can perform the getShardMap command. Apply this action to the cluster resource.
getShardVersion
User can perform the getShardVersion command. Apply this action to database resources.
grantRole
User can grant any role in the database to any user from any database in the system. Apply this action to database resources.
hostInfo
Provides information about the server the MongoDB instance runs on. Apply this action to the cluster resource.
indexStats
User can perform the indexStats command. Apply this action to database or collection resources.
inprog
User can use the db.currentOp() method to return pending and active operations. Apply this action to the cluster resource.
insert
internal
Allows internal actions. **Do not** assign this action except for exceptional circumstances.
invalidateUserCache
Provides access to the invalidateUserCache command. Apply this action to the cluster resource.
killCursors
User can kill cursors on the target collection.
killop
User can perform the db.killOp() method. Apply this action to the cluster resource.
listCollections
User can perform the listCollections command. Apply this action to database resources.
listDatabases
User can perform the listDatabases command. Apply this action to the cluster resource.
listIndexes
User can perform the ListIndexes command. Apply this action to database or collection resources.
listShards
User can perform the listShards command. Apply this action to the cluster resource.
logRotate
User can perform the logRotate command. Apply this action to the cluster resource.
netstat
User can perform the netstat command. Apply this action to the cluster resource.
planCacheRead
User can perform the planCacheListPlans and planCacheListQueryShapes commands and the PlanCache.getPlansByQuery() and PlanCache.listQueryShapes() methods. Apply this action to database or collection resources.
planCacheWrite
User can perform the planCacheClear command and the PlanCache.clear() and PlanCache.clearPlansByQuery() methods. Apply this action to database or collection resources.
reIndex
User can perform the reIndex command. Apply this action to database or collection resources.
remove
User can perform the db.collection.remove() method. Apply this action to database or collection resources.
removeShard
User can perform the removeShard command. Apply this action to the cluster resource.
repairDatabase
User can perform the repairDatabase command. Apply this action to database resources.
replSetConfigure
User can configure a replica set. Apply this action to the cluster resource.
replSetConfigure
User can configure a replica set. Apply this action to the cluster resource.
replSetGetStatus
User can perform the replSetGetStatus command. Apply this action to the cluster resource.
replSetHeartbeat
User can perform the replSetHeartbeat command. Apply this action to the cluster resource.
resync
User can perform the resync command. Apply this action to the cluster resource.
revokeRole
User can remove any role from any user from any database in the system. Apply this action to database resources.
serverStatus
User can perform the serverStatus command. Apply this action to the cluster resource.
setParameter
User can perform the setParameter command. Apply this action to the cluster resource.
shardingState
User can perform the shardingState command. Apply this action to the cluster resource.
shutdown
User can perform the shutdown command. Apply this action to the cluster resource.
splitChunk
User can perform the splitChunk command. Apply this action to database or collection resources.
splitVector
User can perform the splitVector command. Apply this action to database or collection resources.
storageDetails
User can perform the storageDetails command. Apply this action to database or collection resources.
top
User can perform the top command. Apply this action to the cluster resource.
touch
User can perform the touch command. Apply this action to the cluster resource.
unlock
User can perform the db.fsyncUnlock() method. Apply this action to the cluster resource.
update
User can perform the update command. Apply this action to database or collection resources.
validate
User can perform the validate command. Apply this action to database or collection resources.
viewRole
User can view information about any role in the given database. Apply this action to database resources.
viewUser
User can view the information of any user in the given database. Apply this action to database resources.
Updated on February 24, 2020

Was this article helpful?

Related Articles