- Groups and Users >
- Manage MongoDB Users and Roles >
- Manage Custom Roles
Manage Custom Roles¶
On this page
Overview¶
Roles grant users access to MongoDB resources. By default, MongoDB provides a number of built-in roles, but if these roles cannot describe a desired privilege set, you can create custom roles.
When you create a role, you specify the database to which it applies. Ops Manager
stores your custom roles on all MongoDB instances in your Ops Manager group but
uniquely identifies a role by the combination of the database name and
role name. If a database with that name exists on multiple deployments
within your Ops Manager group, the role applies to each of those databases. If you
create a role on the admin
database, the role applies to all admin
databases in the deployment.
Roles consist of privileges that grant access to specific actions on
specific resources. On most databases, a resource is the database or a
collection, but on the admin
database a resource can be all databases,
all collections with a given name across databases, or all deployments.
A role can inherit privileges from other roles in its database. A role on
the admin
database can inherit privileges from roles in other
databases.
MongoDB roles are separate from Ops Manager roles.
Considerations¶
Managed Users and Roles¶
Any users or roles you choose to manage in an Ops Manager group have their
Synced value set to Yes
and are synced to all deployments in
the group.
Any users or roles you do not choose to manage in an Ops Manager group have their
Synced value set to No
and exist only in their respective
MongoDB deployments.
Note
If you toggle Synced to OFF
after import, any users or
roles you create are deleted.
Consistent Users and Roles¶
Ops Manager has two modes of user and role management that depend upon the value of Enforce Consistent Set:
- Enforce Consistent Set is
YES
In this mode, all deployments that the Ops Manager group manages have the same set of MongoDB users and roles; specifically, all users and roles that the Ops Manager group manages.
Only the MongoDB users and roles that the Ops Manager group manages, that is Synced value set to
Yes
, can exist in the group’s managed deployments. Any users and roles that the Ops Manager group does not manage group are deleted from these deployments.- Enforce Consistent Set is
NO
In this mode, deployments that the Ops Manager group manages can have different sets of MongoDB users and roles, including MongoDB users and roles not managed through the Ops Manager group. To manage these users and roles, you must connect directly to the MongoDB deployment.
Users and roles that the Ops Manager group manages, where Synced value set to
Yes
, are created in all deployments the Ops Manager group manages. Users and roles that the Ops Manager group does not manage, where Synced value set toNo
, exist only in the specific deployment.Note
Enforce Consistent Set set to
NO
is the default setting.
To learn how importing MongoDB deployments can affect managing users and roles, see Automation and Updated Security Settings Upon Import.
Prerequisite¶
MongoDB access control must be enabled to apply roles. You can create roles before enabling accessing control or after, but they don’t go into effect until you enable access control.
Create a Custom MongoDB Role¶
Click Deployment, then the Security tab, then Roles.¶
Click Add New Role.¶
In the Identifier field, enter the database on which to define the role and enter a name for the role.¶
A role applies to the database on which it is defined and can grant access down to the collection level. The combination of the role name and its database uniquely identify that role. Complete the Identifier fields to meet the authentication and authorization methods you use:
If you use neither LDAP authentication nor authorization, type the database name in the database Identifier field and the name you want for the role in the name Identifier field.
If you use LDAP authentication, but not LDAP authorization, type
$external
in the database Identifier field and the name you want for the role in the name Identifier field.If you use any authentication method with LDAP Authorization, type
admin
in the database Identifier field and the LDAP Group DN in the name Identifier field.Example
In your LDAP server, you created an LDAP Group with a Distinguished Name of
CN=DBA,CN=Users,DC=example,DC=com
. If you want to create a DBA role in Ops Manager linked to this LDAP Group, typeadmin
in the database Identifier field andCN=DBA,CN=Users,DC=example,DC=com
in the name Identifier field.
Select the privileges to grant the new role.¶
You can grant privileges in two ways:
Give a role the privileges of another role.¶
To grant a new role all the privileges of one or more existing roles, select the roles in the Inherits From field. The field provides a drop-down list that includes both MongoDB built-in roles and any custom roles you have already created.
Add a privilege directly.¶
To grant specific privileges to the role, click ADD PRIVILEGES FOR A RESOURCE.
In the Resource field, specify the resource to which to
apply the role. Select the database from the drop-down menu.
To specify the whole database, leave the field
blank. To specify a collection, enter the collection name. If the
resource is on the admin
database, you can click
ADMIN and apply the role outside the admin
database.
In the Available Privileges section, select the actions to apply. For a description of each action, see Privilege Actions in the MongoDB manual.
Click Add Privileges.¶
Click Add Role.¶
Click Review & Deploy to review your changes.¶
Review and approve your changes.¶
Ops Manager displays your proposed changes.
- If you are satisfied, click Confirm & Deploy.
- Otherwise, click Cancel and you can make additional changes.
Edit a Custom Role¶
You can change a custom role’s privileges. You cannot change its name or database.
Click Deployment, then the Security tab, then Roles.¶
Click the role’s gear icon and select Edit.¶
Add or Remove privileges for that role.¶
You can grant privileges in two ways:
Give a role the privileges of another role.¶
To grant a new role all the privileges of one or more existing roles, select the roles in the Inherits From field. The field provides a drop-down list that includes both MongoDB built-in roles and any custom roles you have already created.
Add a privilege directly.¶
To grant specific privileges to the role, click ADD PRIVILEGES FOR A RESOURCE.
In the Resource field, specify the resource to which to
apply the role. Select the database from the drop-down menu.
To specify the whole database, leave the field
blank. To specify a collection, enter the collection name. If the
resource is on the admin
database, you can click
ADMIN and apply the role outside the admin
database.
In the Available Privileges section, select the actions to apply. For a description of each action, see Privilege Actions in the MongoDB manual.
To remove an inherited role, click the x next to the role. To remove a privilege, click the trash icon next to the privilege.
Click Save Changes.¶
Click Review & Deploy to review your changes.¶
Review and approve your changes.¶
Ops Manager displays your proposed changes.
- If you are satisfied, click Confirm & Deploy.
- Otherwise, click Cancel and you can make additional changes.
View Privileges for a Role¶
To view a role’s privileges, click Deployment, then the Security tab, then Roles, then view privileges next to the role.
Each privilege pairs a resource with a set of Privilege Actions. All roles are assigned a database. Each
built-in role is assigned to either
admin
database or every database.
Remove a Custom Role¶
Click Deployment, then the Security tab, then Roles.¶
Click Delete next to the role.¶
To confirm, click Delete Role.¶
Click Review & Deploy to review your changes.¶
Review and approve your changes.¶
Ops Manager displays your proposed changes.
- If you are satisfied, click Confirm & Deploy.
- Otherwise, click Cancel and you can make additional changes.