Role Manager

Role Manager, along with the User Manager, simplifies MongoDB admin tasks like role creation and management.

Basics

Studio 3T’s Role Manager makes it easy to assign built-in roles and user-defined roles.

But first, let’s look at a few basic MongoDB role management concepts.

MongoDB privileges

A privilege is the foundation of a MongoDB role. It is made up of a resource and actions.

MongoDB resources

A MongoDB resource is what a privilege applies to: a cluster, a database, or specific collections within a database.

You can choose one of three built-in resource options in Studio 3T’s Role Manager:

Resource: Database/Collection
Choose Database/Collection to define the database and specific collection(s) the user should have access to.
Resource: Cluster
Use the Cluster resource for actions that affect the state of the system, e.g. shutdown, replSetReconfig, and addShard.
Resource: Any Resource (anyResource)
The internal resource anyResource gives access to every resource in the system and is intended for internal use. Use only in exceptional circumstances.

MongoDB (privilege) actions

Actions define what a user can do within a MongoDB resource.

Below are the privilege actions found in the Role Manager. If you already know which actions to choose, feel free to skip to the next chapter.

addShard
User can perform the addShard command. Apply this action to the cluster resource.
anyAction
Allows any action on a resource. **Do not** assign this action except in exceptional circumstances.
appendOplogNote
User can append notes to the oplog. Apply this action to the cluster resource.
applicationMessage
User can perform the logApplicationMessage command. Apply this action to the cluster resource.
authSchemaUpgrade
User can perform the authSchemaUpgrade command. Apply this action to the cluster resource.
changeCustomData
User can change the custom information of any user in the given database. Apply this action to database resources.
changeOwnCustomData
Users can change their own custom information. Apply this action to database resources.
changeOwnPassword
Users can change their own passwords. Apply this action to database resources.
changePassword
User can change the password of any user in the given database. Apply this action to database resources.
cleanupOrphaned
User can perform the cleanupOrphaned command. Apply this action to the cluster resource.
closeAllDatabases
User can perform the closeAllDatabases command. Apply this action to the cluster resource.
collMod
User can perform the collMod command. Apply this action to database or collection resources.
collStats
User can perform the collStats command. Apply this action to database or collection resources.
compact
User can perform the compact command. Apply this action to database or collection resources.
connPoolStats
User can perform the connPoolStats and shardConnPoolStats commands. Apply this action to the cluster resource.
connPoolSync
User can perform the connPoolSync command. Apply this action to the cluster resource.
convertToCapped
User can perform the convertToCapped command. Apply this action to database or collection resources.
cpuProfiler
User can enable and use the CPU profiler. Apply this action to the cluster resource.
createCollection
User can perform the db.createCollection() method. Apply this action to database or collection resources.
createIndex
Provides access to the db.collection.createIndex() method and the createIndexes command. Apply this action to database or collection resources.
createRole
User can create new roles in the given database. Apply this action to database resources.
createUser
User can create new users in the given database. Apply this action to database resources.
cursorInfo
User can perform the cursorInfo command. Apply this action to the cluster resource.
dbHash
User can perform the dbHash command. Apply this action to database or collection resources.
dbStats
User can perform the dbStats command. Apply this action to database resources.
diagLogging
User can perform the diagLogging command. Apply this action to the cluster resource.
dropCollection
User can perform the db.collection.drop() method. Apply this action to database or collection resources.
dropDatabase
User can perform the dropDatabase command. Apply this action to database resources.
dropIndex
User can perform the dropIndexes command. Apply this action to database or collection resources.
dropRole
User can delete any role from the given database. Apply this action to database resources.
dropUser
User can remove any user from the given database. Apply this action to database resources.
emptycapped
User can perform the emptycapped command. Apply this action to database or collection resources.
enableProfiler
User can perform the db.setProfilingLevel() method. Apply this action to database resources.
enableSharding
User can enable sharding on a database using the enableSharding command and can shard a collection using the shardCollection command. Apply this action to database or collection resources.
find
User can perform the db.collection.find() method. Apply this action to database or collection resources.
flushRouterConfig
User can perform the flushRouterConfig command. Apply this action to the cluster resource.
fsync
User can perform the fsync command. Apply this action to the cluster resource.
getCmdLineOpts
User can perform the getCmdLineOpts command. Apply this action to the cluster resource.
getLog
User can perform the getLog command. Apply this action to the cluster resource.
getParameter
User can perform the getParameter command. Apply this action to the cluster resource.
getShardMap
User can perform the getShardMap command. Apply this action to the cluster resource.
getShardVersion
User can perform the getShardVersion command. Apply this action to database resources.
grantRole
User can grant any role in the database to any user from any database in the system. Apply this action to database resources.
hostInfo
Provides information about the server the MongoDB instance runs on. Apply this action to the cluster resource.
indexStats
User can perform the indexStats command. Apply this action to database or collection resources.
inprog
User can use the db.currentOp() method to return pending and active operations. Apply this action to the cluster resource.
insert
User can perform the insert command. Apply this action to database or collection resources.
internal
Allows internal actions. **Do not** assign this action except in exceptional circumstances.
invalidateUserCache
Provides access to the invalidateUserCache command. Apply this action to the cluster resource.
killCursors
User can kill cursors on the target collection.
killop
User can perform the db.killOp() method. Apply this action to the cluster resource.
listCollections
User can perform the listCollections command. Apply this action to database resources.
listDatabases
User can perform the listDatabases command. Apply this action to the cluster resource.
listIndexes
User can perform the listIndexes command. Apply this action to database or collection resources.
listShards
User can perform the listShards command. Apply this action to the cluster resource.
logRotate
User can perform the logRotate command. Apply this action to the cluster resource.
netstat
User can perform the netstat command. Apply this action to the cluster resource.
planCacheRead
User can perform the planCacheListPlans and planCacheListQueryShapes commands and the PlanCache.getPlansByQuery() and PlanCache.listQueryShapes() methods. Apply this action to database or collection resources.
planCacheWrite
User can perform the planCacheClear command and the PlanCache.clear() and PlanCache.clearPlansByQuery() methods. Apply this action to database or collection resources.
reIndex
User can perform the reIndex command. Apply this action to database or collection resources.
remove
User can perform the db.collection.remove() method. Apply this action to database or collection resources.
removeShard
User can perform the removeShard command. Apply this action to the cluster resource.
repairDatabase
User can perform the repairDatabase command. Apply this action to database resources.
replSetConfigure
User can configure a replica set. Apply this action to the cluster resource.
replSetGetStatus
User can perform the replSetGetStatus command. Apply this action to the cluster resource.
replSetHeartbeat
User can perform the replSetHeartbeat command. Apply this action to the cluster resource.
resync
User can perform the resync command. Apply this action to the cluster resource.
revokeRole
User can remove any role from any user from any database in the system. Apply this action to database resources.
serverStatus
User can perform the serverStatus command. Apply this action to the cluster resource.
setParameter
User can perform the setParameter command. Apply this action to the cluster resource.
shardingState
User can perform the shardingState command. Apply this action to the cluster resource.
shutdown
User can perform the shutdown command. Apply this action to the cluster resource.
splitChunk
User can perform the splitChunk command. Apply this action to database or collection resources.
splitVector
User can perform the splitVector command. Apply this action to database or collection resources.
storageDetails
User can perform the storageDetails command. Apply this action to database or collection resources.
top
User can perform the top command. Apply this action to the cluster resource.
touch
User can perform the touch command. Apply this action to the cluster resource.
unlock
User can perform the db.fsyncUnlock() method. Apply this action to the cluster resource.
update
User can perform the update command. Apply this action to database or collection resources.
validate
User can perform the validate command. Apply this action to database or collection resources.
viewRole
User can view information about any role in the given database. Apply this action to database resources.
viewUser
User can view the information of any user in the given database. Apply this action to database resources.

Open Role Manager

To open Role Manager:

Right click or use the 'Roles' button to see current MongoDB roles

Button

Click on Roles in the global toolbar

Right-click

Right-click on any target database in the Connection Tree and choose Manage Roles

Create a new role

  1. Click on Add.
  2. Enter a name for the new role and ensure that the target database is correct.
  3. To inherit privileges from existing roles, click on the Roles tab and add the relevant role. This will spare the manual task of adding resources and actions step by step. Otherwise, proceed to step 4.
  4. Click on the Privileges tab.
  5. Click on Add.
  6. Choose the appropriate resource and click OK.
  7. Choose the appropriate actions and click OK.
  8. Check that everything is correct and click Create Rule.

View the JSON code behind the user creation by clicking on Show Code.
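
The role built in the steps above corresponds to a createRole command document made of resource/actions privileges. As an added example (not Studio 3T's or MongoDB's own code), this JavaScript lints such a document against the guidance in this article before it is run; the action tables are a subset of the list above, and the role and database names are constructed.

```javascript
// Added example (not Studio 3T code): lint a createRole command document
// against this article's guidance before running it.
// Both tables are subsets of the article's action list; unlisted actions are not judged.
const CLUSTER_ACTIONS = new Set(["addShard", "shutdown", "replSetConfigure",
  "setParameter", "listDatabases", "serverStatus", "killop", "inprog"]);
const DB_ACTIONS = new Set(["find", "update", "remove", "createCollection",
  "dropCollection", "createIndex", "dropIndex", "listIndexes"]);
// Actions the article says not to assign except in exceptional circumstances.
const DISCOURAGED_ACTIONS = new Set(["anyAction", "internal"]);

function resourceKind(resource) {
  if (resource.anyResource === true) return "anyResource";
  if (resource.cluster === true) return "cluster";
  const isDbColl = typeof resource.db === "string" && typeof resource.collection === "string";
  return isDbColl ? "database/collection" : "unknown";
}

// Returns a list of findings; an empty list means nothing was flagged.
function lintRole(cmd) {
  const findings = [];
  (cmd.privileges || []).forEach((priv, i) => {
    const kind = resourceKind(priv.resource || {});
    if (kind === "anyResource") findings.push(`privilege ${i}: uses anyResource`);
    if (kind === "unknown") findings.push(`privilege ${i}: unrecognised resource`);
    for (const action of priv.actions || []) {
      if (DISCOURAGED_ACTIONS.has(action)) {
        findings.push(`privilege ${i}: discouraged action ${action}`);
      } else if (CLUSTER_ACTIONS.has(action) && kind === "database/collection") {
        findings.push(`privilege ${i}: ${action} belongs on the cluster resource`);
      } else if (DB_ACTIONS.has(action) && kind === "cluster") {
        findings.push(`privilege ${i}: ${action} belongs on a database/collection resource`);
      }
    }
  });
  return findings;
}

// Constructed sample roles; role and database names are hypothetical.
const reportReader = { createRole: "reportReader", roles: [], privileges: [
  { resource: { db: "sales", collection: "orders" }, actions: ["find", "listIndexes"] },
] };
const tooBroad = { createRole: "tooBroad", roles: [], privileges: [
  { resource: { anyResource: true }, actions: ["anyAction"] },
  { resource: { db: "sales", collection: "" }, actions: ["shutdown", "find"] },
] };
console.log(lintRole(reportReader));
console.log(lintRole(tooBroad));
```

An empty result means only that none of the listed checks fired; actions outside the two subset tables are passed through unjudged.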

View a role

Click on View to open the role profile and implement any changes.

Remove a role

Click on the Remove button.

Find users granted a specific role

Follow the steps outlined here.



Updated on September 3, 2018
