Navigation
This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.
You were redirected from a different version of the documentation. Click here to go back.

Ops Manager Roles

On this page

Overview

Ops Manager roles allow you to grant users different levels of access to Ops Manager. You can grant a user the privileges needed to perform a specific set of tasks and no more.

If you use LDAP authentication for Ops Manager, you must create LDAP groups for each available role described below then assign users to LDAP groups. There is no round trip synchronization between your LDAP server and Ops Manager.

To assign user roles, see Assign Roles to Ops Manager Users. You cannot assign your own roles.

Group Roles

The following roles grant privileges within a group.

Read Only

The Read Only role has the lowest level of privileges. The user can generally see everything in a group, including all activity, operational data, users, and user roles. The user, however, cannot modify or delete anything.

User Admin

The User Admin role grants access to do the following:

  • Add an existing user to a group.
  • Invite a new user to a group.
  • Remove an existing group invitation.
  • Remove a user’s request to join a group, which denies the user access to the group.
  • Remove a user from a group.
  • Modify a user’s roles within a group.
  • Update the billing email address.

Monitoring Admin

The Monitoring Admin role grants all the privileges of the Read Only role and grants additional access to do the following:

  • Manage alerts (create, modify, delete, enable/disable, acknowledge/unacknowledge).
  • Manage hosts (add, edit, delete, enable deactivated).
  • Manage group-wide settings.
  • Download Monitoring Agent.

Backup Admin

The Backup Admin role grants all the privileges of the Read Only role and grants access to manage backups, including the following:

  • Start, stop, and terminate backups.
  • Request restores.
  • View and edit the namespaces filter.
  • View and edit host passwords.
  • Modify backup settings.
  • Generate SSH keys.
  • Download the Backup Agent.

Automation Admin

The Automation Admin role grants all the privileges of the Read Only role and grants access to the following management actions:

  • View deployments.
  • Provision machines.
  • Edit configuration files.
  • Modify settings.
  • Download the Automation Agent.

Owner

The Owner role has the privileges of all the other roles combined. The following additional privileges available only to Owner:

  • Set up the Backup service.
  • Update billing information.

Global Roles

Global roles have all the same privileges as the equivalent Group roles, except that they have these privileges for all groups. They also have some additional privileges as noted below.

Global Read Only

The Global Read Only role grants read only access to all groups. The role additionally grants access to do the following:

  • View backups and other statistics through the admin UI.
  • Global user search.

Global User Admin

The Global User Admin role grants user admin access to all groups. The role additionally grants access to do the following:

  • Add new groups.
  • Manage UI messages.
  • Send test emails, SMS messages, and voice calls.
  • Edit user accounts.
  • Manage LDAP group mappings.

Global Monitoring Admin

The Global Monitoring Admin role grants monitoring admin access to all groups. The role additionally grants access to do the following:

  • View system statistics through the admin UI.

Global Backup Admin

The Global Backup Admin role grants backup admin access to all groups. The role additionally grants access to do the following:

  • View system statistics through the admin UI.
  • Manage blockstore, daemon, and oplog store configurations.
  • Move jobs between daemons.
  • Approve backups in awaiting provisioning state.

Global Automation Admin

The Global Automation Admin role grants automation admin access to all groups. The role additionally grants access to view system statistics through the admin UI.

Global Owner

The Global Owner role for an Ops Manager account has the privileges of all the other roles combined.