Manage Custom Roles
Overview
Roles grant users access to MongoDB resources. By default, MongoDB provides a number of built-in roles, but if these roles cannot describe a desired privilege set, you can create custom roles.
When you create a role, you specify the database to which it applies. Ops Manager stores your custom roles on all MongoDB instances in your Ops Manager group but uniquely identifies a role by the combination of the database name and role name. If a database with that name exists on multiple deployments within your Ops Manager group, the role applies to each of those databases. If you create a role on the admin database, the role applies to all admin databases in the deployment.
Roles consist of privileges that grant access to specific actions on specific resources. On most databases, a resource is the database or a collection, but on the admin database a resource can be all databases, all collections with a given name across databases, or all deployments.
A role can inherit privileges from other roles in its database. A role on the admin database can inherit privileges from roles in other databases.
MongoDB roles are separate from Ops Manager roles.
Prerequisite
MongoDB access control must be enabled to apply roles. You can create roles before or after enabling access control, but they don’t go into effect until you enable access control.
Considerations
Use only the Ops Manager interface to manage users and roles. Do not do so through direct connection to a MongoDB instance.
Procedures
Create a Custom MongoDB Role
Select the Deployment tab and then select Authorization & Roles.
Select the ADD ROLE button.
In the Identifier fields, enter the database on which to define the role and enter a name for the role.
A role applies to the database on which it is defined and can grant access down to the collection level. The role’s database and name uniquely identify the role.
Select the role’s privileges.
You can add privileges in two ways:
Give a role the privileges of another role.
To give a role all the privileges of one or more existing roles, select the roles in the Inherits From field. The field provides a drop-down list that includes both MongoDB built-in roles and any custom roles you have already created.
Add a privilege directly.
To add specific privileges to the role, click ADD PRIVILEGES FOR A RESOURCE.
In the Resource field, specify the resource to which to apply the role. To specify the whole database, leave the field blank. To specify a collection, enter the collection name. If the resource is on the admin database, you can click ADMIN and apply the role outside the admin database.
In the Available Privileges section, select the actions to apply. For a description of each action, see Privilege Actions in the MongoDB manual.
Click ADD PRIVILEGES.
Click ADD ROLE.
Click Review & Deploy.
Review your changes, and click Confirm & Deploy.
Edit a Custom Role
You can change a custom role’s privileges. You cannot change its name or database.
Select the Deployment tab and then select Authorization & Roles.
Click the role’s gear icon and select Edit.
Remove privileges.
To remove an inherited role, click the x next to the role.
To remove a privilege, click the trash icon next to the privilege.
Add privileges.
You can add privileges to the role in two ways:
Give a role the privileges of another role.
To give a role all the privileges of one or more existing roles, select the roles in the Inherits From field. The field provides a drop-down list that includes both MongoDB built-in roles and any custom roles you have already created.
Add a privilege directly.
To add specific privileges to the role, click ADD PRIVILEGES FOR A RESOURCE.
In the Resource field, specify the resource to which to apply the role. To specify the whole database, leave the field blank. To specify a collection, enter the collection name. If the resource is on the admin database, you can click ADMIN and apply the role outside the admin database.
In the Available Privileges section, select the actions to apply. For a description of each action, see Privilege Actions in the MongoDB manual.
Click ADD PRIVILEGES.
Click SAVE CHANGES.
Click Review & Deploy.
Review your changes, and click Confirm & Deploy.
View Privileges for a Role
To view a role’s privileges, select the Deployment tab, then the Roles page, and then select view privileges next to the role.
Each privilege pairs a resource with a set of Privilege Actions. All roles are assigned a database. Each built-in role is assigned to either the admin database or every database.
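When reviewing a custom role before deployment, it helps to resolve what the role grants once inheritance is applied. The following is an added JavaScript example, not Ops Manager code: it merges a role's own and inherited privileges and flags a role outside admin that inherits from another database, per the inheritance rule in the Overview. The role documents follow MongoDB's role document shape; the role, database and collection names are constructed, and showing an empty resource field as "*" is a display convention of this example.

```javascript
// Added example: resolve what a custom role grants once inheritance is applied.
// Role, database and collection names are constructed samples.
const roles = [
  { role: "readOrders", db: "sales", roles: [],
    privileges: [{ resource: { db: "sales", collection: "orders" }, actions: ["find"] }] },
  { role: "orderClerk", db: "sales", roles: [{ role: "readOrders", db: "sales" }],
    privileges: [{ resource: { db: "sales", collection: "orders" }, actions: ["update", "insert"] }] },
  // On admin: may inherit from other databases; empty db = that collection in every database.
  { role: "auditor", db: "admin", roles: [{ role: "readOrders", db: "sales" }],
    privileges: [{ resource: { db: "", collection: "orders" }, actions: ["find"] }] },
  // Not on admin, yet inherits from another database: should be flagged.
  { role: "badRole", db: "hr", roles: [{ role: "readOrders", db: "sales" }], privileges: [] },
];

const key = (db, role) => `${db}.${role}`; // identity = database + role name

// Returns { privileges: Map<"db.collection", sorted action list>, problems: string[] }.
function effectivePrivileges(allRoles, db, name) {
  const index = new Map(allRoles.map((r) => [key(r.db, r.role), r]));
  const merged = new Map();
  const problems = [];
  const seen = new Set();
  const visit = (roleDb, roleName) => {
    const id = key(roleDb, roleName);
    if (seen.has(id)) return; // already merged; also stops inheritance cycles
    seen.add(id);
    const r = index.get(id);
    if (!r) { problems.push(`${id}: not in the supplied list (built-in or missing)`); return; }
    for (const p of r.privileges) {
      const res = `${p.resource.db || "*"}.${p.resource.collection || "*"}`;
      if (!merged.has(res)) merged.set(res, new Set());
      p.actions.forEach((a) => merged.get(res).add(a));
    }
    for (const parent of r.roles) {
      if (r.db !== "admin" && parent.db !== r.db)
        problems.push(`${id}: inherits ${key(parent.db, parent.role)} from another database`);
      visit(parent.db, parent.role);
    }
  };
  visit(db, name);
  const privileges = new Map([...merged].map(([res, acts]) => [res, [...acts].sort()]));
  return { privileges, problems };
}

const { privileges, problems } = effectivePrivileges(roles, "admin", "auditor");
console.log(Object.fromEntries(privileges), problems);
```

Built-in roles are not expanded here; an inherited role that is missing from the supplied list is reported in problems so the reviewer can check it by hand.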