Role-based access control
Role-Based Access Control (RBAC) is an approach to restricting the access of users to perform certain tasks, view data, or execute specific commands. In MongoDB, RBAC is an essential aspect to ensure security within the database.
Each role in MongoDB consists of a set of privileges that determine the user’s abilities within the system. MongoDB has several built-in roles, and you also have the option to create custom roles as needed. By assigning the appropriate roles to users, you can limit their access to various parts of the database and protect sensitive information.
Built-in Roles
MongoDB provides several built-in roles that have predefined sets of privileges:
- Read: Allows read operations on the specified database.
- ReadWrite: Allows read and write operations on the specified database.
- dbAdmin: Allows administrative tasks, such as managing indexes and user-defined roles, for the specified database.
- userAdmin: Allows managing user access for the specified database.
- ClusterAdmin: Allows administrative tasks for the entire cluster, such as configuring replica sets and sharding.
- ReadAnyDatabase: Allows read operations on all databases except for the
local
andconfig
databases. - ReadWriteAnyDatabase: Allows read and write operations on all databases except for the
local
andconfig
databases. - userAdminAnyDatabase: Allows managing user access for all databases except for the
local
andconfig
databases. - dbAdminAnyDatabase: Allows administrative tasks for all databases except for the
local
andconfig
databases.
Custom Roles
In addition to the built-in roles, you can create custom roles to cater to specific requirements of your application. Custom roles can have any combination of built-in roles’ privileges and user-defined actions.
To create a custom role, you can use the db.createRole()
method. Here’s an example:
db.createRole({
role: 'customRole',
privileges: [
{
resource: { db: 'exampleDB', collection: '' },
actions: ['find', 'insert', 'update', 'remove'],
},
],
roles: [],
});
In the example above, we created a custom role customRole
with privileges that allow users with this role to perform find
, insert
, update
, and remove
operations on all collections within the exampleDB
database.
Assigning Roles to Users
To ensure that users have the appropriate level of access and permissions, you assign specific roles to them. When creating a new user, you can assign roles using the db.createUser()
method. Here’s an example:
db.createUser({
user: 'exampleUser',
pwd: 'examplePassword',
roles: [
{ role: 'read', db: 'exampleDB' },
{ role: 'customRole', db: 'exampleDB' },
],
});
In this example, we created a new user exampleUser
and assigned the built-in read
role and a custom customRole
role.
By effectively using role-based access control, you can strengthen the security of your MongoDB database and protect sensitive data from unauthorized access.