Role-Based Access Control: Built-In and Custom Roles
Learners will assign built-in roles like readWrite and dbAdmin, and create custom roles with least-privilege action sets for service accounts.
What Is Role-Based Access Control?
Role-Based Access Control (RBAC) is MongoDB's authorization model. Instead of granting individual permissions directly to users, you assign roles — named collections of privileges — to users. This makes permission management scalable: update a role and every user holding that role inherits the change automatically. MongoDB ships with a rich set of built-in roles covering the most common access patterns.
Built-In Database Roles
MongoDB provides several database-level roles that apply to a specific database. The most commonly used are: read (read all collections), readWrite (read + insert/update/delete), dbAdmin (schema management, index creation), and userAdmin (create/modify users in that database). These roles are database-scoped — a user with readWrite on myApp cannot access otherApp.
// Create a user with readWrite on one database only
use myApp
db.createUser({
  user: 'appUser',
  pwd: 'SecurePass!',
  roles: [
    { role: 'readWrite', db: 'myApp' }
  ]
})

// Create a user with dbAdmin (can manage indexes but not data)
db.createUser({
  user: 'dbaUser',
  pwd: 'DbaPass!',
  roles: [
    { role: 'dbAdmin', db: 'myApp' }
  ]
})
})
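The lesson's goal of a least-privilege custom role for a service account, sketched as an added example that is not part of the original lesson. It builds the documents for MongoDB's createRole and createUser commands; the helper names (buildServiceRole, buildServiceUser), the ordersWriter role, the ordersService account and the orders collection are hypothetical.

```javascript
// Added example: builds the documents for MongoDB's createRole and createUser
// database commands. Role, account and collection names are hypothetical.

// Data-plane actions a service may request; anything else is rejected.
const ALLOWED_ACTIONS = new Set(['find', 'insert', 'update', 'remove']);

function buildServiceRole(roleName, dbName, collection, actions) {
  // In a privilege resource an empty string is a wildcard: db '' matches
  // every database and collection '' matches every collection.
  if (!dbName || !collection) {
    throw new Error('db and collection must both be named (empty string is a wildcard)');
  }
  if (!Array.isArray(actions) || actions.length === 0) {
    throw new Error('at least one action is required');
  }
  const rejected = actions.filter((a) => !ALLOWED_ACTIONS.has(a));
  if (rejected.length > 0) {
    throw new Error('actions outside the allow-list: ' + rejected.join(', '));
  }
  return {
    createRole: roleName,
    privileges: [
      { resource: { db: dbName, collection: collection }, actions: [...new Set(actions)].sort() },
    ],
    roles: [], // inherit nothing from built-in roles such as readWrite
  };
}

function buildServiceUser(userName, roleCmd) {
  // No pwd here: supply it at run time instead of hard-coding it.
  const dbName = roleCmd.privileges[0].resource.db;
  return { createUser: userName, roles: [{ role: roleCmd.createRole, db: dbName }] };
}

// A service that only reads and inserts documents in myApp.orders
const roleCmd = buildServiceRole('ordersWriter', 'myApp', 'orders', ['insert', 'find']);
const userCmd = buildServiceUser('ordersService', roleCmd);
console.log(JSON.stringify(roleCmd), JSON.stringify(userCmd));

// Assumed usage in mongosh:
//   const app = db.getSiblingDB('myApp');
//   app.runCommand(roleCmd);
//   app.runCommand({ ...userCmd, pwd: passwordPrompt() });
```

Compared with readWrite on myApp, this account cannot touch any collection other than orders and cannot update or remove documents there.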