Built-In Roles

read

The read role provides permissions to read data on all non-system collections and some system collections (system.indexes, system.js, and system.namespaces).

changeStream, collStats, dbHash, dbStats, find, killCursors, listIndexes, listCollections

readWrite

The readWrite role provides all the permissions of the read role plus ability to modify data on all non-system collections and the system.js collection.

collStats, convertToCapped, createCollection, dbHash, dbStats, dropCollection, createIndex, dropIndex, find, insert, killCursors, listIndexes, listCollections, remove, renameCollectionSameDB, update

readAnyDatabase

The readAnyDatabase role provides the read-only permissions on all databases except local and config. The role also provides the listDatabases action on the cluster as a whole.

In MongoDB 3.4 and earlier, this role provides the read permission for the config and local databases. In the current version, to provide read permissions on the config and local databases, create a user in the admin database with read role in the config and local databases.

readWriteAnyDatabase

The readWriteAnyDatabase role has the read and write permissions for all databases except config and local. The role also provides the listDatabases action on the cluster as a whole.

In MongoDB 3.4 and earlier, this role has the read and write permissions for the config and local databases. In the current version, if you want to read or write data from or to the config and local databases, create a user in the admin database with the readWrite role in the config and local databases.

dbAdmin

The dbAdmin role provides the ability to perform administrative tasks such as schema-related tasks, indexing, and gathering statistics. This role does not grant permissions for user and role management.

• For system collections (system.indexes, system.namespaces, and system.profile), the actions include collStats, dbHash, dbStats, find, killCursors, listIndexes, listCollections, dropCollection, and createCollection (applicable only to system.profile).
• For non-system collections, the actions include bypassDocumentValidation, collMod, collStats, compact, convertToCapped, createCollection, createIndex, dbStats, dropCollection, dropDatabase, dropIndex, enableProfiler, reIndex, renameCollectionSameDB, repairDatabase, storageDetails, and validate.

dbAdminAnyDatabase

The dbAdminAnyDatabase role provides the same database management permissions as dbAdmin on all databases except local and config. The role also provides the listDatabases action on the cluster as a whole.

In MongoDB 3.4 and earlier, this role has the management permissions for the config and local databases. In the current version, if you want to manage the two databases, create a user in the admin database with the dbAdmin role in the config and local databases.

clusterAdmin

The clusterAdmin role has the greatest cluster-management access.

This role combines the permissions granted by the clusterManager, clusterMonitor, and hostManager roles, and provides the dropDatabase action.

userAdmin

The userAdmin role contains the permissions to create and modify roles and users in the current database. This role allows users to grant any permission to any other user (including themselves). This role also indirectly provides the superuser (root) access to either the database or, if scoped to the admin database, the cluster.

changeCustomData, changePassword, createRole, createUser, dropRole, dropUser, grantRole, revokeRole, setAuthenticationRestriction, viewRole, viewUser

userAdminAnyDatabase

The userAdminAnyDatabase role has the permissions similar to the userAdmin role. It manages all databases except the config and local databases.

• This role contains the following cluster commands: the authSchemaUpgrade, invalidateUserCache, and listDatabases
• For system collections (admin.system.users and admin.system.roles), the actions include collStats, dbHash, dbStats, find, killCursors, planCacheRead, createIndex, and dropIndex.