Studio 3T’s Role Manager makes it easy to assign built-in roles and user-defined roles and list MongoDB users by role. But first, let’s look at a few basic concepts.
A privilege is the foundation of a MongoDB role. It is made up of a resource and actions.
A resource is where the privileges are applied to, be it a cluster, a database, or specific collections within a database. You can choose one of three built-in resource options in Studio 3T:
- Resource: Database/Collection – Choose Database/Collection to define the database and specific collection(s) the user should have access to.
- Resource: Cluster – Use the Cluster resource for actions that affect the state of the system, e.g. shutdown, replSetReconfig, and addShard.
- Resource: Any Resource (anyResource) – The internal resource anyResource gives access to every resource in the system and is intended for internal use. Use only in exceptional circumstances.
MongoDB (privilege) actions
Actions define what a user can do within a MongoDB resource.
You can find a list of privilege actions here. If you already know which actions to choose, skip to the next chapter.
Open Role Manager
To open Role Manager:
- Button – Click on Roles in the global toolbar
- Right-click – Right-click on any target database in the Connection Tree and choose Manage Roles
Create a new role
- Open Role Manager and click on Add.
- Enter a name for the new role and ensure that the target database is correct.
- To inherit privileges from existing roles, click on the Roles tab and add the relevant role. This will spare the manual task of adding resources and actions step by step.
- Click on the Privileges tab.
- Click on Add.
- Choose the appropriate resource and click OK.
- Choose the appropriate actions and click OK.
- Check that everything is correct and click Create Rule.
View a role
- Open Role Manager and choose a role.
- Click on View to open the role profile and implement any changes.
Remove a role
- Open Role Manager and select a role.
- Click on the Remove button.
- Click Yes to delete the role.
Find users granted a specific role
In MongoDB, users are defined for specific databases. Each user is then assigned a number of roles that in turn define the user’s privileges.
While MongoDB’s API makes it trivial to list all roles that a particular user has been granted, there is unfortunately no easy way for the reverse case where you want to find all users that have been granted a particular role, i.e. the role’s grantees. Studio 3T makes it very easy to find those users.
List MongoDB roles
First off, connect to your MongoDB server as a user that has sufficient privileges to manage users and roles.
Then, simply select the database that contains the role for which you want to find all grantees.
Click the “Roles” icon in the toolbar.
Inspect selected MongoDB role
This will open the roles management tab for this database.
Here, you can see all the built-in and user-defined roles created for the database.
Now, simply select the role for which you want to see all the users that have been granted that role. In our case, that is the user-defined role “rwAdmin”.
Then click the “Edit” button.
List MongoDB users with the selected role
By default, In the “Granted To” tab, you can see all grantees from the same database that the role is defined in.
In our case, that is natalie, paul, peter, and richard.
If you want to see all users from all databases that have been granted role “rwAdmin”, click the “Refresh for all DBs” button.
That’s it! You can now see all users from all databases that have been granted the role “rwAdmin” on our database “test”.
Modify MongoDB roles
In this view, you can now even conceptually add new users to this role. For this, click the “Add” button.
In the new dialog, you can choose users from any database that you want to add to the role.
Of course, users in MongoDB are not really added to a role. Rather, under the hood, the selected users will be granted the role instead. Click “Add” to add the selected users.