Privilege actions define the operations a user can perform on a resource. A MongoDB privilege comprises a resource and the permitted actions. This page lists available actions grouped by common purpose.
MongoDB provides built-in roles with pre-defined pairings of resources and permitted actions. For lists of the actions granted, see:
To define custom roles, see:
Query and Write Actions
find
User can perform the following commands, and their equivalent helper methods:
- aggregate for all pipeline operations except $collStats, $out, and $indexStats.
- killCursors, provided that the cursor is associated with a currently authenticated user.
- mapReduce with the {out: inline} option.
- Required for the query portion of the mapReduce command and db.collection.mapReduce() helper method when outputting to a collection.
- Required for the query portion of the findAndModify command and db.collection.findAndModify() helper method.
- Required on the source collection for the cloneCollectionAsCapped and renameCollection commands and the db.collection.renameCollection() helper method.
- If the user does not have the listDatabases privilege action, the user can still run the listDatabases command to return the databases for which the user has privileges (including databases for which the user has privileges only on specific collections), provided the command is run with the authorizedDatabases option unspecified or set to true.
Apply this action to database or collection resources.
insert
User can perform the following commands and their equivalent methods:
- Required for the output portion of the mapReduce command and db.collection.mapReduce() helper method when outputting to a collection.
- Required for the aggregate command and db.collection.aggregate() helper method when using the $out or $merge pipeline operator.
- Required for the update and findAndModify commands and equivalent helper methods when used with the upsert option.
- Required on the destination collection for the following commands and their helper methods:
Apply this action to database or collection resources.
remove
User can perform the delete command and equivalent helper method.
- Required for the write portion of the findAndModify command and db.collection.findAndModify() method.
- Required for the mapReduce command and db.collection.mapReduce() helper method when you specify the replace action when outputting to a collection.
- Required for the aggregate command and db.collection.aggregate() helper method when using the $out pipeline operator.
Apply this action to database or collection resources.
update
User can perform the update command and equivalent helper methods.
- Required for the mapReduce command and db.collection.mapReduce() helper method when outputting to a collection without specifying the replace action.
- Required for the findAndModify command and db.collection.findAndModify() helper method.
Apply this action to database or collection resources.
bypassDocumentValidation
Users can bypass schema validation on commands and methods that support the bypassDocumentValidation option. The following commands and their equivalent methods support bypassing schema validation:
Apply this action to database or collection resources.
useUUID
User can execute the following commands using a UUID as if it were a namespace:
For example, this privilege authorizes a user to run the following command, which executes a find command on the collection with the given UUID. To succeed, the operation also requires that the user is authorized to execute the find command on the collection namespace that corresponds to the given UUID:
db.runCommand({find: UUID("123e4567-e89b-12d3-a456-426655440000")})
For more information on collection UUIDs, see Collections.
Apply this action to the cluster resource.
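The following is an added example and not code from the MongoDB documentation: a createRole command document that grants the query and write actions above at collection scope (with useUUID on the cluster resource, since that action applies only there), together with a small matcher that reproduces MongoDB's resource-matching rules so the role can be checked offline. The database inventory, the collection orders, the role name ordersReadWrite and the helper function names are invented for illustration; in mongosh the role is created by running db.runCommand(createRoleCommand) against the database that should own the role.

```javascript
// Added example (not from the MongoDB docs page). Names such as "inventory",
// "orders" and "ordersReadWrite" are invented for illustration.

// Privilege document as accepted by the createRole command: each entry pairs
// a resource with the actions permitted on it.
const createRoleCommand = {
  createRole: "ordersReadWrite",
  privileges: [
    // find/insert/update/remove apply to database or collection resources;
    // scoping them to one collection is the least privilege that still lets
    // the application do CRUD, including upserts (insert as well as update).
    {
      resource: { db: "inventory", collection: "orders" },
      actions: ["find", "insert", "update", "remove"],
    },
    // useUUID applies only to the cluster resource. It lets the user address
    // the collection by UUID, but find on the namespace is still required.
    { resource: { cluster: true }, actions: ["useUUID"] },
  ],
  roles: [],
};

// Does a granted resource cover the requested one?  MongoDB's rules:
//   {anyResource: true}        -> everything
//   {cluster: true}            -> only the cluster resource
//   {db: "", collection: ""}   -> every non-system collection in every database
//   {db: "x", collection: ""}  -> every non-system collection in database x
//   {db: "", collection: "c"}  -> collection c in every database
//   {db: "x", collection: "c"} -> exactly x.c
function resourceMatches(granted, requested) {
  if (granted.anyResource) return true;
  if (granted.cluster || requested.cluster) {
    return Boolean(granted.cluster && requested.cluster);
  }
  const coll = requested.collection || "";
  const isSystem = coll.startsWith("system.");
  const dbOk = granted.db === "" || granted.db === requested.db;
  const collOk = granted.collection === "" ? !isSystem : granted.collection === coll;
  return dbOk && collOk;
}

// True if some privilege in the list grants `action` on `requested`.
function isAuthorized(privileges, requested, action) {
  return privileges.some(
    (p) =>
      resourceMatches(p.resource, requested) &&
      (p.actions.includes(action) || p.actions.includes("anyAction")),
  );
}

// Opening a change stream on a resource needs both changeStream and find on it.
function canOpenChangeStream(privileges, requested) {
  return (
    isAuthorized(privileges, requested, "changeStream") &&
    isAuthorized(privileges, requested, "find")
  );
}
```

The matcher is deliberately strict about system collections: a grant on {db: "", collection: ""} never reaches admin.system.users, which is why a broad read grant does not turn into a credential read.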
Database Management Actions
changeCustomData
User can change the custom information of any user in the given database. Apply this action to database resources.
changeOwnCustomData
Users can change their own custom information. Apply this action to database resources. See also Change Your Password and Custom Data on Self-Managed Deployments.
changeOwnPassword
Users can change their own passwords. Apply this action to database resources. See also Change Your Password and Custom Data on Self-Managed Deployments.
changePassword
User can change the password of any user in the given database. Apply this action to database resources.
createCollection
User can perform the db.createCollection() method. Apply this action to database or collection resources.
createIndex
Provides access to the db.collection.createIndex() method and the createIndexes command. Apply this action to database or collection resources.
dropCollection
User can perform the db.collection.drop() method. Apply this action to database or collection resources.
enableProfiler
User can perform the db.setProfilingLevel() method. Apply this action to database resources.
grantRole
User can grant any role in the database to any user from any database in the system. Apply this action to database resources.
killCursors
Users can always terminate their own cursors, regardless of whether they have the killCursors privilege.
killAnyCursor
User can kill any cursor, even cursors created by other users. Apply this action to collection resources.
planCacheIndexFilter
User can run the planCacheClearFilters, planCacheListFilters, and planCacheSetFilter commands. Apply the planCacheIndexFilter action to collection resources.
querySettings
User can run the setQuerySettings and removeQuerySettings commands, and add a $querySettings stage to an aggregation pipeline. New in version 8.0.
revokeRole
User can remove any role from any user from any database in the system. Apply this action to database resources.
setAuthenticationRestriction
User can specify the authenticationRestrictions field in the user document when running the following commands:
User can specify the authenticationRestrictions field in the role document when running the following commands:
Note
The following built-in roles grant this privilege:
- The userAdmin role provides this privilege on the database to which the role is assigned.
- The userAdminAnyDatabase role provides this privilege on all databases.
- Transitively, the restore and root roles also provide this privilege.
Apply this action to database resources.
setFeatureCompatibilityVersion
User can run the setFeatureCompatibilityVersion command. Apply this action to the cluster resource.
unlock
User can perform the db.fsyncUnlock() method. Apply this action to the cluster resource.
Deployment Management Actions
authSchemaUpgrade
User can perform the authSchemaUpgrade command. Apply this action to the cluster resource.
cleanupOrphaned
User can perform the cleanupOrphaned command. Apply this action to the cluster resource.
inprog
User can use the db.currentOp() method to return information on pending and active operations. Apply this action to the cluster resource. Even without the inprog privilege, on mongod instances users can view their own operations by running db.currentOp( { "$ownOps": true } ).
invalidateUserCache
Provides access to the invalidateUserCache command. Apply this action to the cluster resource.
killop
User can perform the db.killOp() method. Apply this action to the cluster resource. Even without the killop privilege, on mongod instances users can kill their own operations.
planCacheRead
User can run the following operations:
- $planCacheStats aggregation stage.
Apply this action to database or collection resources.
planCacheWrite
User can perform the planCacheClear command and the PlanCache.clear() and PlanCache.clearPlansByQuery() methods. Apply this action to database or collection resources.
Change Stream Actions
changeStream
A user with both changeStream and find on a specific collection, on all non-system collections in a specific database, or on all non-system collections across all databases can open a change stream cursor for that resource.
Replication Actions
replSetGetConfig
User can view a replica set's configuration. Provides access to the replSetGetConfig command and rs.conf() helper method. Apply this action to the cluster resource.
replSetGetStatus
User can perform the replSetGetStatus command. Apply this action to the cluster resource.
replSetHeartbeat
User can perform the deprecated replSetHeartbeat command. Apply this action to the cluster resource.
replSetStateChange
User can change the state of a replica set through the replSetFreeze, replSetMaintenance, replSetStepDown, and replSetSyncFrom commands. Apply this action to the cluster resource.
Sharding Actions
addShard
User can perform the addShard command. Apply this action to the cluster resource.
analyzeShardKey
User can perform the analyzeShardKey command. Apply this action to database or collection resources. Included in the clusterManager and enableSharding built-in roles.
checkMetadataConsistency
User can perform the checkMetadataConsistency command. Apply this action to cluster, database or collection resources. New in version 7.0.
clearJumboFlag
Required to clear a chunk's jumbo flag using the clearJumboFlag command. Apply this action to database or collection resources. Included in the clusterManager built-in role.
enableSharding
Note: Applicable Resources
The action can apply to either:
- A database or collection resource, to enable sharding for a database or shard a collection.
- The cluster resource, to perform various shard zone operations.
Resources | Description
Database or collection | Grants users privileges to enable sharding on a database using the enableSharding command, and to shard a collection using the shardCollection command.
Cluster | Grants users privileges to perform shard zone operations.
refineCollectionShardKey
Provides privileges to refine the shard key for a sharded collection and run the refineCollectionShardKey command. Apply this action to database or collection resources. Included in the clusterManager built-in role.
moveCollection
User can perform the moveCollection command. Apply this action to the cluster resource. New in version 8.0.
reshardCollection
User can perform the reshardCollection command. Apply this action to database or collection resources. New in version 5.0.
unshardCollection
User can perform the unshardCollection command. Apply this action to the cluster resource. New in version 8.0.
flushRouterConfig
User can perform the flushRouterConfig command. Apply this action to the cluster resource.
getShardMap
User can perform the getShardMap command. Apply this action to the cluster resource.
listShards
User can perform the listShards command. Apply this action to the cluster resource.
moveChunk
User can perform the moveChunk and moveRange commands. In addition, the user can perform the movePrimary command provided that the privilege is applied to an appropriate database resource. Apply this action to database or collection resources.
removeShard
User can perform the removeShard command. Apply this action to the cluster resource.
shardedDataDistribution
User can perform the $shardedDataDistribution aggregation pipeline stage. New in version 6.0.3.
shardingState
User can perform the shardingState command. Apply this action to the cluster resource.
transitionFromDedicatedConfigServer
A user with this action on the cluster resource can run the transitionFromDedicatedConfigServer command. New in version 8.0.
transitionToDedicatedConfigServer
A user with this action on the cluster resource can run the transitionToDedicatedConfigServer command. New in version 8.0.
Server Administration Actions
applicationMessage
User can perform the logApplicationMessage command. Apply this action to the cluster resource.
bypassWriteBlockingMode
User can perform writes even when writes are blocked by the setUserWriteBlockMode command. Apply this action to the cluster resource.
bypassDefaultMaxTimeMS
All queries run by the user ignore the value of the defaultMaxTimeMS parameter. New in version 8.0.
closeAllDatabases
User can perform the deprecated closeAllDatabases command. Apply this action to the cluster resource.
collMod
User can perform the collMod command. Apply this action to database or collection resources.
compact
User can perform the compact and autoCompact commands. Apply this action to database or collection resources.
compactStructuredEncryptionData
User can perform the compactStructuredEncryptionData command. Apply this action to database or collection resources.
connPoolSync
User can perform the internal connPoolSync command. Apply this action to the cluster resource.
convertToCapped
User can perform the convertToCapped command. Apply this action to database or collection resources.
dropConnections
User can perform the dropConnections command. Apply this action to the cluster resource.
dropDatabase
User can perform the dropDatabase command. Apply this action to database resources.
dropIndex
User can perform the dropIndexes command. Apply this action to database or collection resources.
forceUUID
User can create a collection with a user-defined collection UUID using the applyOps command. Apply this action to the cluster resource.
fsync
User can perform the fsync command. Apply this action to the cluster resource.
getDefaultRWConcern
User can issue the administrative getDefaultRWConcern command. Apply this action to the cluster resource.
getParameter
User can perform the getParameter command. Apply this action to the cluster resource.
hostInfo
Provides information about the server the MongoDB instance runs on. Apply this action to the cluster resource.
oidReset
Required to reset the 5-byte random string that is used in the ObjectId.
logRotate
User can perform the logRotate command. Apply this action to the cluster resource.
reIndex
User can perform the reIndex command. Apply this action to database or collection resources.
renameCollectionSameDB
Allows the user to rename collections on the current database using the renameCollection command. Apply this action to database resources. Additionally, the user must either have find on the source collection or not have find on the destination collection. If a collection with the new name already exists, the user must also have the dropCollection action on the destination collection.
rotateCertificates
User can perform the rotateCertificates command. Apply this action to the cluster resource.
setDefaultRWConcern
User can issue the administrative setDefaultRWConcern command. Apply this action to the cluster resource.
setParameter
User can perform the setParameter command. Apply this action to the cluster resource.
setUserWriteBlockMode
User can perform the setUserWriteBlockMode command. Apply this action to the cluster resource.
shutdown
User can perform the shutdown command. Apply this action to the cluster resource.
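The renameCollectionSameDB rule above has an edge case worth making explicit: a rename is refused when the user cannot read the source but can read the destination name, because otherwise a rename would move data the user cannot see under a namespace the user can query. The following is an added example, not code from the MongoDB documentation, that encodes the rule as a pure function over a flat set of granted "db.collection:action" strings. The database app and the collection names, and the function name canRenameSameDb, are invented for illustration.

```javascript
// Added example (not from the MongoDB docs page). Grants are modelled as a
// Set of "db:action" (database-level) and "db.collection:action" strings.
// Rule from the page for renaming within one database:
//   1. renameCollectionSameDB on the database resource, and
//   2. either find on the source, or no find on the destination, and
//   3. dropCollection on the destination if a collection with that name exists.
function canRenameSameDb(grants, db, source, target, targetExists) {
  const hasOnColl = (coll, action) => grants.has(`${db}.${coll}:${action}`);
  const hasOnDb = (action) => grants.has(`${db}:${action}`);

  if (!hasOnDb("renameCollectionSameDB")) return false;

  // A user who cannot read the source but can read the destination name could
  // otherwise rename hidden data into a namespace they are allowed to query.
  if (!hasOnColl(source, "find") && hasOnColl(target, "find")) return false;

  // Renaming over an existing collection drops it, so that needs dropCollection.
  if (targetExists && !hasOnColl(target, "dropCollection")) return false;

  return true;
}

// Constructed sample grants for a reporting user in database "app".
const sampleGrants = new Set([
  "app:renameCollectionSameDB",
  "app.staging_orders:find",
  "app.orders:find",
  "app.orders:dropCollection",
]);
```

With sampleGrants, renaming staging_orders over the existing orders collection is allowed (find on the source, dropCollection on the destination), while renaming an unreadable collection such as secret to orders is refused even though no drop is involved.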
Session Actions
impersonate
User can perform the killAllSessionsByPattern command with users and roles pattern. Apply this action to the cluster resource. To run the killAllSessionsByPattern command, users must also have the killAnySession privilege on the cluster resource.
listSessions
User can perform the $listSessions operation or $listLocalSessions operation for all users or specified user(s). Apply this action to the cluster resource.
killAnySession
User can perform the killAllSessions and killAllSessionsByPattern commands. Apply this action to the cluster resource.
MongoDB Search Index Actions
The following actions enable users to run MongoDB Search Database Commands. These actions are only relevant for deployments hosted on MongoDB Atlas.
createSearchIndexes
User can run the createSearchIndexes database command. Apply this action to the database, collection, or view resource.
dropSearchIndex
User can run the dropSearchIndex database command. Apply this action to the database, collection, or view resource.
listSearchIndexes
User can run the $listSearchIndexes aggregation stage. Apply this action to the database, collection, or view resource.
updateSearchIndex
User can run the updateSearchIndex database command. Apply this action to the database, collection, or view resource.
Diagnostic Actions
collStats
User can perform the collStats command. Apply this action to database or collection resources.
connPoolStats
User can perform the connPoolStats command. Apply this action to the cluster resource.
dbHash
User can perform the dbHash command. Apply this action to database or collection resources.
dbStats
User can perform the dbStats command. Apply this action to database resources.
getCmdLineOpts
User can perform the getCmdLineOpts command. Apply this action to the cluster resource.
getLog
User can perform the getLog command. Apply this action to the cluster resource.
indexStats
User can run the $indexStats aggregation pipeline stage. Apply this action to database or collection resources. To use the $indexStats stage, users must authenticate with at least the clusterMonitor role.
listClusterCatalog
User can run the $listClusterCatalog aggregation pipeline stage on the admin database. To run $listClusterCatalog on the admin database, users must authenticate with the clusterMonitor role.
listDatabases
User can perform the listDatabases command. Apply this action to the cluster resource. If the user does not have the listDatabases privilege action, the user can still run the listDatabases command to return the databases for which the user has privileges (including databases for which the user has privileges only on specific collections), provided the command is run with the authorizedDatabases option unspecified or set to true.
listCollections
User can perform the listCollections command. Apply this action to database resources.
Note
Users without the required privilege can run the listCollections command with both the authorizedCollections and nameOnly options set to true. In this case, the command returns just the name and type of the collection(s) to which the user has privileges.
listIndexes
User can perform the listIndexes command. Apply this action to database or collection resources.
queryStatsRead
User can run the $queryStats aggregation stage without the transformIdentifiers option.
queryStatsReadTransformed
User can run the $queryStats aggregation stage with or without the transformIdentifiers option.
serverStatus
User can perform the serverStatus command. Apply this action to the cluster resource.
validate
User can perform the validate and validateDBMetadata commands. Apply this action to database or collection resources.
top
User can perform the top command. Apply this action to the cluster resource.
Internal Actions
anyAction
Allows any action on a resource. Do not assign this action unless it is absolutely necessary.
applyOps
User can perform the applyOps command. Apply this action to the cluster resource.