This version of the documentation is archived and no longer supported. It will be removed on EOL_DATE. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.
Ops Manager Roles
Overview
Ops Manager roles allow you to grant users different levels of access to Ops Manager. You
can grant a user the privileges needed to perform a specific set of tasks
and no more.
If you use LDAP authentication for Ops Manager, you must create LDAP groups for each
available role described below, then assign users to those LDAP groups. There is no
round-trip synchronization between your LDAP server and Ops Manager.
To assign user roles, see Edit Project Role for a User/Team. You cannot
assign your own roles.
Organization Roles
Organization Owner
Grants root access to the organization, including:
- Project Owner access to all projects in the organization, even if added to a project with a non-Owner role.
- Privileges to administer organization settings.
- Privileges to add/remove/edit users to the organization.
- Privileges to delete the organization.
- All the privileges granted by the other organization roles combined.

Organization Project Creator
Grants the following access:
- Privileges to create projects in the organization.
- Privileges granted by the Organization Member role.

Organization Read Only
Provides read-only access to everything in the organization,
including all projects in the organization.
For an Organization Member, within a project, the
user has the privileges as determined by the user’s
project role. If a user’s project role is
Project User Admin or Project Owner, then the user can
add a new user to the project, which results in adding the
newly-added user to the organization as well (if the newly added
user is not already in the organization).

Organization Member
Provides read-only access to the organization (settings, users,
and billing) and the projects to which they belong.
For an Organization Member, within a project, the
user has the privileges as determined by the user’s
project role. If a user’s project role is
Project User Admin or Project Owner, then the user can
add a new user to the project, which results in adding the
newly-added user to the organization as well (if the newly added
user is not already in the organization).

Project Roles
The following roles grant privileges within a project.

Project Read Only
Grants read-only access to most aspects of the project,
including: all activity, operational data, users, and user
roles. The user, however, cannot modify or delete anything.

Project User Admin
Provides privileges to the following actions:
- Add an existing Ops Manager user to a project. If the added user
does not currently belong to the organization, the user will
be added to the organization as well.
- Invite a new user to a project. The invited user will be added
to the organization as well.
- Remove an existing project invitation.
- Remove a user’s request to join a project, which can deny the
user access to the project depending on the user’s role in the
organization.
- Remove a user from a project.
- Modify a user’s role within a project.

Project Data Access Admin
Grants access to Data Explorer;
specifically, the privileges to perform the following through
Data Explorer:
- View, create, and drop databases, collections, and indexes.
- View, modify, and delete documents.
As well as granting privileges of Project Read Only,
this role also grants privileges to kill operations in the
Real Time Performance Panel
and to view the sample query field values in the
Performance Advisor.

Project Data Access Read/Write
Grants access to Data Explorer;
specifically, the privileges to perform the following through
Data Explorer:
- View and create databases and collections.
- View, modify, and delete documents.
- View indexes.
This role also grants privileges to view the sample query field
values in the Performance Advisor.

Project Data Access Read Only
Grants access to Data Explorer;
specifically, the privileges to view databases, collections, and
indexes through the Data Explorer.
This role also grants privileges to view the sample query field
values in the Performance Advisor.

Project Monitoring Admin
Grants the following access:
- Use any privilege granted to the Read Only role.
- Administer alerts (create, modify, delete, enable/disable,
acknowledge/unacknowledge).
- Manage hosts (add, edit, delete).
- Download Monitoring Agent.

Project Backup Admin
Grants the following access:
- Privileges granted by the Read Only role.
- Privileges to manage backups, including the following:
- Start, stop, and terminate backups.
- Request restores.
- View and edit the namespaces filter.
- View and edit host passwords.
- Modify backup settings.
- Generate SSH keys.
- Download the Backup Agent.

Project Automation Admin
Grants the following access:
- Privileges granted by the Read Only role.
- Privileges to perform the following:
- View deployments.
- Provision machines.
- Edit configuration files.
- Download the Automation Agent.

Project Owner
Grants the following access:
- The privileges granted by all the other project roles.
- Set up the Backup service.

Global Roles
Global roles have all the same privileges as the equivalent
Organization and Project roles, except that they have these
privileges for all projects and organizations. They also have some
additional privileges as noted below.
The following roles grant privileges for all projects and organizations.

Global Read Only
Grants Project Read Only access to all projects and
Organization Read Only for all organizations. The
role additionally grants access to do the following:
- View backups and other statistics through the admin UI.
- Global user search.

Global User Administrator
Grants Project User Admin access to all projects and all
organizations. The role additionally grants access to do the
following:
- Manage UI messages.
- Send test emails, SMS messages, and voice calls.
- Edit user accounts.
- Manage LDAP group mappings for organization and project roles.

Global Monitoring Administrator
Grants Project Monitoring Admin access
to all projects. The role additionally grants access to do
the following:
- View system statistics through the admin UI.

Global Backup Administrator
Grants Project Backup Admin access to all
projects. The role additionally grants access to do the
following:
- View system statistics through the admin UI.
- Manage blockstore, daemon, and oplog store configurations.
- Move jobs between daemons.
- Approve backups in awaiting provisioning state.

Global Automation Administrator
Grants Project Automation Admin access
to all projects. The role additionally grants access to view
system statistics through the admin UI.

Global Owner
Grants privileges that include all roles combined.