Create a Role

Overview
Roles grant users access to MongoDB resources. By default, MongoDB provides a number of built-in roles that administrators may use to control access to a MongoDB system. However, if these roles cannot describe the desired set of privileges, you can create a new, customized role in a particular database.
Except for roles created in the admin database, a role can only include privileges that apply to its own database and can only inherit from other roles in its own database.

A role created in the admin database can include privileges that apply to the admin database, to other databases, or to the cluster resource, and can inherit from roles in other databases as well as from roles in the admin database.
MongoDB uses the combination of the database name and the role name to uniquely identify a role. When you grant a custom role to a user, reference it by both parts, for example { role: "manageOpRole", db: "admin" }; a bare role name refers to a role in the current database.
Prerequisites
To create a role in a database, the user must have:

- the createRole action on that database resource.
- the grantRole action on that database, to specify privileges for the new role as well as to specify roles to inherit from.
The built-in roles userAdmin and userAdminAnyDatabase provide the createRole and grantRole actions on their respective resources.
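Before starting either procedure below it is worth confirming that the account you connect with actually holds createRole and grantRole on the target database, rather than discovering it from an authorization error. The following check is an added example, not code from the MongoDB documentation. It takes a user document in the shape returned by db.getUser(name, { showPrivileges: true }) and reports which of the two required actions are missing on a given database. The two user documents below are constructed by hand (a trimmed subset of what the userAdminAnyDatabase and userAdmin roles grant) so the check runs offline; the function names are this example's own.

```javascript
// Constructed sample: what db.getSiblingDB("admin").getUser("siteUserAdmin",
// { showPrivileges: true }) might return, trimmed to the fields used here.
// A resource of { db: "", collection: "" } means "every database".
const sampleSiteUserAdmin = {
  _id: "admin.siteUserAdmin",
  user: "siteUserAdmin",
  db: "admin",
  roles: [{ role: "userAdminAnyDatabase", db: "admin" }],
  inheritedPrivileges: [
    { resource: { db: "", collection: "" },
      actions: ["createRole", "createUser", "dropRole", "dropUser",
                "grantRole", "revokeRole", "viewRole", "viewUser"] },
    { resource: { cluster: true }, actions: ["listDatabases"] },
  ],
};

// Constructed sample: a database-scoped user administrator who holds
// userAdmin on the "reporting" database only.
const sampleReportingAdmin = {
  _id: "reporting.reportAdmin",
  user: "reportAdmin",
  db: "reporting",
  roles: [{ role: "userAdmin", db: "reporting" }],
  inheritedPrivileges: [
    { resource: { db: "reporting", collection: "" },
      actions: ["createRole", "createUser", "dropRole", "dropUser",
                "grantRole", "revokeRole", "viewRole", "viewUser"] },
  ],
};

// Does a privilege's resource cover database `dbName`?
// The cluster resource is not a database; { db: "" } covers all databases;
// { db: "x" } covers only database x.
function resourceCoversDb(resource, dbName) {
  if (resource.cluster === true) return false;
  if (typeof resource.db !== "string") return false;
  return resource.db === "" || resource.db === dbName;
}

// Return the required actions the user is MISSING on dbName.
// An empty array means the user may create roles in that database.
function missingRoleAdminActions(userInfo, dbName) {
  const required = ["createRole", "grantRole"];
  const held = new Set();
  for (const priv of userInfo.inheritedPrivileges || []) {
    if (resourceCoversDb(priv.resource, dbName)) {
      for (const action of priv.actions) held.add(action);
    }
  }
  return required.filter((action) => !held.has(action));
}

// In a mongo shell session (hypothetical; not executed here):
//   const info = db.getSiblingDB("admin")
//                  .getUser("siteUserAdmin", { showPrivileges: true });
//   missingRoleAdminActions(info, "admin");   // [] means you can proceed
```

The check deliberately looks at inheritedPrivileges rather than the roles array, so it gives the right answer for custom roles and nested inheritance as well as for the built-in userAdmin roles.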
Procedures
To create a new role, use the db.createRole() method, specifying the privileges in the privileges array and the inherited roles in the roles array.
Create a Role to Manage Current Operations
The following example creates a role named manageOpRole which provides only the privileges to run both db.currentOp() and db.killOp(). [1]
Connect to MongoDB with the appropriate privileges.

Connect to mongod or mongos with the privileges specified in the Prerequisites section. The following procedure uses the siteUserAdmin created in Create a User Administrator. The siteUserAdmin has privileges to create roles in the admin database as well as in other databases.
Create a new role to manage current operations.

manageOpRole has privileges that act on multiple databases as well as on the cluster resource. As such, you must create the role in the admin database. The new role grants permission to kill any operation.
Warning: Terminate running operations with extreme caution. Only use db.killOp() to terminate operations initiated by clients, and do not terminate internal database operations.
[1] The built-in role clusterMonitor also provides the privilege to run db.currentOp() along with other privileges, and the built-in role hostManager provides the privilege to run db.killOp() along with other privileges.
Create a Role to Run mongostat
The following example creates a role named mongostatRole that provides only the privileges to run mongostat. [2]
Connect to MongoDB with the appropriate privileges.

Connect to mongod or mongos with the privileges specified in the Prerequisites section. The following procedure uses the siteUserAdmin created in Create a User Administrator. The siteUserAdmin has privileges to create roles in the admin database as well as in other databases.
Create a new role to run mongostat.

mongostatRole has privileges that act on the cluster resource. As such, you must create the role in the admin database.
[2] The built-in role clusterMonitor also provides the privilege to run mongostat along with other privileges.
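The two procedures above describe the roles but this page does not show the db.createRole() documents themselves. Below is an added example, not the MongoDB documentation's own code, that writes out both role definitions in the shape db.createRole() accepts and wraps the call in a pre-flight check enforcing the scoping rule from the Overview: a role created outside the admin database may only hold privileges on its own database and may only inherit roles from its own database. The privilege actions used are MongoDB's real action names (inprog for db.currentOp(), killop for db.killOp(), serverStatus for what mongostat polls), all on the cluster resource, which is why both roles must live in admin; the helper function names are this example's own.

```javascript
// Role definition for db.currentOp() and db.killOp(). Both actions apply to
// the cluster resource, so this document is only valid in the admin database.
// Note that killop lets the holder kill ANY client operation, so grant this
// role narrowly.
const manageOpRole = {
  role: "manageOpRole",
  privileges: [
    { resource: { cluster: true }, actions: ["killop", "inprog"] },
  ],
  roles: [],   // no inherited roles: least privilege
};

// Role definition for mongostat, which reads the serverStatus command.
const mongostatRole = {
  role: "mongostatRole",
  privileges: [
    { resource: { cluster: true }, actions: ["serverStatus"] },
  ],
  roles: [],
};

// Which database a privilege resource is scoped to. The cluster resource,
// anyResource, and the "all databases" resource ({ db: "" }) may only be
// held by roles in admin, so they are reported as "admin".
function privilegeScope(resource) {
  if (resource.cluster === true || resource.anyResource === true) return "admin";
  if (resource.db === "") return "admin";
  return resource.db;
}

// Return a list of reasons why `spec` cannot be created in `dbName`,
// or [] if the definition satisfies the scoping rule. Roles created in
// admin are unrestricted, so they always pass.
function checkRoleScope(dbName, spec) {
  const problems = [];
  if (dbName === "admin") return problems;
  for (const priv of spec.privileges || []) {
    if (privilegeScope(priv.resource) !== dbName) {
      problems.push(`privilege on ${JSON.stringify(priv.resource)} requires a role in the admin database`);
    }
  }
  for (const inherited of spec.roles || []) {
    // A bare string names a role in the same database; an object names
    // a role in inherited.db, which must match dbName outside admin.
    const inheritedDb = typeof inherited === "string" ? dbName : inherited.db;
    if (inheritedDb !== dbName) {
      problems.push(`cannot inherit ${inherited.role}@${inherited.db} from a role in ${dbName}`);
    }
  }
  return problems;
}

// Shell wrapper: refuse to call db.createRole() with a definition the
// server would reject for scoping reasons. `dbHandle` is the mongo shell's
// `db` object (db.getName() and db.createRole() are shell methods).
function createRoleChecked(dbHandle, spec) {
  const problems = checkRoleScope(dbHandle.getName(), spec);
  if (problems.length > 0) throw new Error(problems.join("; "));
  return dbHandle.createRole(spec);
}

// In the mongo shell, connected as siteUserAdmin (hypothetical session):
//   use admin
//   createRoleChecked(db, manageOpRole)
//   createRoleChecked(db, mongostatRole)
//   db.grantRolesToUser("opsUser", [{ role: "manageOpRole", db: "admin" }])
```

Running checkRoleScope("reporting", manageOpRole) reports the cluster-resource privilege, which is exactly the mistake the Overview warns about: the server refuses such a definition, and the check surfaces it before the round trip. Because both roles carry no inherited roles and a single narrowly scoped privilege each, a user granted manageOpRole or mongostatRole gets nothing beyond the operation the role is named for.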