Master MongoDB Permission Management: Roles, Users, and Best Practices
This guide thoroughly explains MongoDB's permission system, covering key concepts, role creation, inheritance, privilege assignment, user management, and essential precautions to avoid common security pitfalls and simplify administration.
Background
Earlier MongoDB versions gave developers root privileges, leading to mistakes like missing background:true on index creation, accidental deletions, and storage bloat. Starting with MongoDB 2.6 and fully in 3.0, a finer‑grained permission system was introduced.
Permission Concepts
Key terms: user – authentication account; role – collection of privileges; resource – database, collection, or global cluster; actions – operations such as find, insert, remove, update; privilege – a pair of resource and actions; authenticationDatabase – the database where the role or user is defined.
Roles
MongoDB provides built‑in roles and allows custom roles. Custom roles are often needed for precise control.
Creating a Role
use admin;
db.createRole({
role: "testrole",
privileges: [
{
resource: { db: "lidan", collection: "" },
actions: [ "find", "insert", "remove", "update" ]
}
],
roles: []
});
The role is stored in the system.roles collection. View it with:
db.system.roles.find();
Viewing a Role
use admin;
db.getRole("testrole", { showPrivileges: true });
Role Inheritance
db.grantRolesToRole("testrole", ["otherrole1","otherrole2"]);
db.revokeRolesFromRole("testrole", ["otherrole2"]);
Granting Privileges
db.grantPrivilegesToRole("testrole", [
{
resource: { db:"lidan_1", collection:"" },
actions: [ "createCollection", "dropCollection", "convertToCapped" ]
}
]);
Revoking Privileges
db.revokePrivilegesFromRole("testrole", [
{
resource: { db:"lidan_1", collection:"" },
actions: [ "createCollection", "dropCollection", "convertToCapped" ]
}
]);
Deleting a Role
db.dropRole("testrole");
Users
Users can be created with built‑in or custom roles. Example (the first user gets the built‑in root role, the second only the custom role):
use admin;
db.createUser({
user: "mongo",
pwd: "123",
roles: [{ role: "root", db: "admin" }]
});
// Alternative: the same user with only the custom role. User names are unique within
// their authentication database, so run one createUser or the other, not both.
db.createUser({
user: "mongo",
pwd: "123",
roles: ["testrole"]
});
Login example:
mongo -u mongo -p 123 --host 127.0.0.1 --port 9999 --authenticationDatabase=admin
Viewing a User
use admin;
db.getUser("mongo");
Granting/Revoking Roles to Users
db.grantRolesToUser("mongo", [{ role:"testrole", db:"admin" }]);
db.revokeRolesFromUser("mongo", [{ role:"testrole", db:"admin" }]);
Deleting a User
db.dropUser("mongo");
Precautions
Dropping databases or collections does not automatically remove associated roles and users; clean them manually.
For fine‑grained control while simplifying management, create a single development account using the admin authentication database.
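As an added example (not from the original article), the following Node.js script resolves a role's effective privileges through the roles it inherits, as described under Role Inheritance, and flags the destructive actions that the precautions above are meant to withhold. The role documents are constructed to mirror testrole and otherrole1 and are not live server output; the DESTRUCTIVE set is an assumption, not a MongoDB definition.

```javascript
// Added example, not from the original article: resolve a MongoDB role's effective
// privileges by walking the roles it inherits from, then flag destructive actions.
// ROLES is constructed (not live db.getRole output) to mirror the article's "testrole".
const ROLES = {
  "admin.testrole": {
    privileges: [{ resource: { db: "lidan", collection: "" },
                   actions: ["find", "insert", "remove", "update"] }],
    roles: [{ role: "otherrole1", db: "admin" }],
  },
  "admin.otherrole1": {
    privileges: [{ resource: { db: "lidan_1", collection: "" },
                   actions: ["createCollection", "dropCollection", "convertToCapped"] }],
    roles: [],
  },
};
// Assumed watch list: actions that destroy or rewrite data; a dev role should rarely carry them.
const DESTRUCTIVE = new Set(["remove", "dropCollection", "dropDatabase", "convertToCapped"]);
function resourceKey(r) {
  if (r.cluster) return "cluster";
  if (r.anyResource) return "anyResource";
  return `${r.db}.${r.collection}`; // "lidan." means every collection in db lidan
}

function addActions(map, key, actions) {
  const acc = map.get(key) || new Set();
  actions.forEach(a => acc.add(a));
  map.set(key, acc);
}

// Depth-first walk of the role graph; `seen` stops cycles created by mutual inheritance.
function effectivePrivileges(roleName, db, seen = new Set()) {
  const key = `${db}.${roleName}`, merged = new Map();
  if (seen.has(key) || !ROLES[key]) return merged;
  seen.add(key);
  for (const p of ROLES[key].privileges) addActions(merged, resourceKey(p.resource), p.actions);
  for (const parent of ROLES[key].roles) {
    for (const [k, acts] of effectivePrivileges(parent.role, parent.db, seen)) addActions(merged, k, acts);
  }
  return merged;
}

// One finding per resource on which the role holds a destructive action, directly or inherited.
function auditRole(roleName, db = "admin") {
  const findings = [];
  for (const [res, acts] of effectivePrivileges(roleName, db)) {
    const risky = [...acts].filter(a => DESTRUCTIVE.has(a)).sort();
    if (risky.length) findings.push({ resource: res, actions: risky, wholeDb: res.endsWith(".") });
  }
  return findings.sort((a, b) => (a.resource < b.resource ? -1 : a.resource > b.resource ? 1 : 0));
}
```

Running auditRole("testrole") shows that testrole can remove documents across all of lidan directly and, through otherrole1, drop or convert any collection in lidan_1, which is the kind of inherited grant db.getRole with showPrivileges: true exposes under inheritedPrivileges.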
Reference links: MongoDB built‑in roles, privilege actions list, role management methods, user management methods.
360 Zhihui Cloud Developer