User Roles
Overview
User roles allow you to grant a user the set of privileges needed to perform tasks but no more. These roles are separate from MongoDB roles for the agents.
If you use LDAP authentication for MMS, you must create an LDAP group for each available role described below, then assign users to those LDAP groups. There is no round-trip synchronization between your LDAP server and MMS.
Read Only
The Read Only role has the lowest level of privileges. The user can generally see everything in a group, including all monitoring and backup data, all activity, and all users and user roles. The user, however, cannot modify or delete anything.
User Admin
The User Admin role grants access to do the following:
- Add an existing user to a group.
- Invite a new user to a group.
- Remove an existing group invitation.
- Remove a user’s request to join a group, which denies the user access to the group.
- Remove a user from a group.
- Modify a user’s roles within a group.
- Update the billing email address.
Monitoring Admin
The Monitoring Admin role grants all the privileges of the Read Only role and grants additional access to do the following:
- Manage alerts (create, modify, delete, enable/disable, acknowledge/unacknowledge).
- Manage hosts (add, edit, delete, enable deactivated).
- Manage dashboards (create, edit, delete).
- Manage group-wide settings.
- Download Monitoring Agent.
Backup Admin
The Backup Admin role grants all the privileges of the Read Only role and grants access to manage backups, including the following:
- Start, stop, and terminate backups.
- Request restores.
- View and edit excluded namespaces.
- View and edit host passwords.
- Modify backup settings.
- Generate SSH keys.
- Download the Backup Agent.
Group Roles
The roles described above grant privileges within a single group.
Global Roles
Global roles have all the same privileges as the equivalent Group roles, except that they have these privileges for all groups. They also have some additional privileges as noted below.
Global Read Only
The Global Read Only role grants read-only access to all groups. The role additionally grants access to do the following:
- View backups and other statistics through the admin UI.
- Global user search.
Global User Admin
The Global User Admin role grants user admin access to all groups. The role additionally grants access to do the following:
- Add new groups.
- Manage UI messages.
- Send test emails, SMS messages, and voice calls.
- Edit user accounts.
- Manage LDAP group mappings.
Global Monitoring Admin
The Global Monitoring Admin role grants monitoring admin access to all groups. The role additionally grants access to do the following:
- View system statistics through the admin UI.
Global Backup Admin
The Global Backup Admin role grants backup admin access to all groups. The role additionally grants access to do the following:
- View system statistics through the admin UI.
- Manage blockstore, daemon, and oplog store configurations.
- Move jobs between daemons.
- Approve backups in awaiting provisioning state.
Global Owner
The Global Owner role for an MMS account has the privileges of all the other roles combined.
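To apply the "privileges needed to perform tasks but no more" rule when placing users in role groups, the following added example (not part of the MMS documentation or product) models the four group roles from this page and picks the role set with the fewest surplus privileges for a given task list. The privilege labels are hypothetical short names for the bullet items above, and global roles are left out.

```python
from itertools import combinations

# Privilege labels are hypothetical short names for this page's bullet items.
READ_ONLY = {"view_group_data"}
GROUP_ROLES = {
    "Read Only": READ_ONLY,
    # The page does not say User Admin includes Read Only, so it is kept apart.
    "User Admin": {"add_user", "invite_user", "remove_invitation",
                   "deny_join_request", "remove_user", "modify_user_roles",
                   "update_billing_email"},
    # Monitoring Admin and Backup Admin include everything Read Only grants.
    "Monitoring Admin": READ_ONLY | {"manage_alerts", "manage_hosts",
                                     "manage_dashboards", "manage_group_settings",
                                     "download_monitoring_agent"},
    "Backup Admin": READ_ONLY | {"manage_backups", "request_restore",
                                 "edit_excluded_namespaces", "edit_host_passwords",
                                 "modify_backup_settings", "generate_ssh_keys",
                                 "download_backup_agent"},
}

def granted(roles):
    """Union of the privileges granted by the named group roles."""
    return set().union(*(GROUP_ROLES[r] for r in roles))

def excess(assigned, needed):
    """Privileges held through `assigned` roles that the tasks do not need."""
    return granted(assigned) - set(needed)

def minimal_roles(needed):
    """Role set covering `needed` with the fewest surplus privileges."""
    needed = set(needed)
    missing = needed - granted(GROUP_ROLES)
    if missing:
        raise ValueError(f"no group role grants: {sorted(missing)}")
    candidates = []
    for size in range(len(GROUP_ROLES) + 1):
        for combo in combinations(sorted(GROUP_ROLES), size):
            if needed <= granted(combo):
                candidates.append((len(excess(combo, needed)), size, combo))
    return list(min(candidates)[2])

if __name__ == "__main__":
    # Constructed sample: an operator who only handles alerts but was placed
    # in both admin LDAP groups.
    tasks = {"view_group_data", "manage_alerts"}
    print("recommended:", minimal_roles(tasks))
    print("surplus today:", sorted(excess(["Backup Admin", "Monitoring Admin"], tasks)))
```

A task that only a global role covers raises `ValueError`, which marks the request as one that needs separate review before any global role is assigned.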