Manage Custom Roles
- OAuth 2.0 authentication for programmatic access to Cloud Manager is available as a Preview feature.
- The feature and the corresponding documentation might change at any time during the Preview period. To use OAuth 2.0 authentication, create a service account to use in your requests to the Cloud Manager Public API.
Roles grant users access to MongoDB resources. By default, MongoDB provides some built-in roles, but if these roles cannot describe a desired privilege set, you can create custom roles.
When you create a role, you specify the database to which it applies.
Cloud Manager stores your custom roles on all MongoDB instances in your Cloud Manager project but uniquely identifies a role by the combination of the database name and role name. If a database with that name exists on multiple deployments within your Cloud Manager project, the role applies to each of those databases. If you create a role on the admin database, the role applies to all admin databases in the deployment.
Roles consist of privileges that grant access to specific actions on specific resources. On most databases, a resource is the database or a collection, but on the admin database a resource can be all databases, all collections with a given name across databases, or all deployments.
A role can inherit privileges from other roles in its database. A role on the admin database can inherit privileges from roles in other databases.
MongoDB roles are separate from Cloud Manager roles.
Considerations
Managed Users and Roles
Any users or roles you choose to manage in a Cloud Manager project have their Synced value set to Yes and are synced to all deployments in the project.
Any users or roles you do not choose to manage in a Cloud Manager project have their Synced value set to No and exist only in their respective MongoDB deployments.
Note
If you toggle Synced to OFF after import, any users or roles you create are deleted.
Consistent Users and Roles
If you enforce a consistent set of users and roles in your project, Cloud Manager synchronizes these users and roles across all deployments in that project. Toggle Enforce Consistent Set to choose whether or not to manage one set of users and roles:
Enforce Consistent Set is YES
In a managed project, Cloud Manager grants all of the managed users and roles access to all deployments. All deployments that the Cloud Manager project manages have the same set of MongoDB users and roles.
Cloud Manager limits access to the users and roles whose Synced value is Yes, and deletes all users and roles that the Cloud Manager project doesn't manage from the deployments in your project.
Enforce Consistent Set is NO
In a managed project, Cloud Manager allows each deployment to use its own set of MongoDB users and roles. Cloud Manager doesn't need to manage these MongoDB users and roles; to manage them, you must connect directly to the MongoDB deployment.
Cloud Manager grants managed MongoDB users and roles, where you set Synced to Yes, access to all managed deployments.
Cloud Manager limits the access of unmanaged MongoDB users and roles, where you set Synced to No, to those users' and roles' specific deployments.
Note
Enforce Consistent Set defaults to NO.
To learn how importing MongoDB deployments can affect managing users and roles, see Automation and Updated Security Settings Upon Import.
Role Names
You can't name a custom role MongodbAutomationAgentUserRole for deployments managed by Automation, as this is an internal role name used by the MongoDB Agent's mms-automation user.
Prerequisite
MongoDB access control must be enabled to apply roles. You can create roles before or after enabling access control, but they don't go into effect until you enable access control.
Create a Custom MongoDB Role
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Go to the Security page.
Click the Security tab for your deployment.
The Security page displays.
In the Identifier field, enter the database on which to define the role and enter a name for the role.
A role applies to the database on which it is defined and can grant access down to the collection level. The combination of the role name and its database uniquely identifies that role. Complete the Identifier fields to match the authentication and authorization methods you use:
If you use neither LDAP authentication nor LDAP authorization, type the database name in the database Identifier field and the name you want for the role in the name Identifier field.
If you use LDAP authentication but not LDAP authorization, type $external in the database Identifier field and the name you want for the role in the name Identifier field.
If you use any authentication method with LDAP authorization, type admin in the database Identifier field and the LDAP group DN in the name Identifier field.
Example
In your LDAP server, you created an LDAP group with a Distinguished Name of CN=DBA,CN=Users,DC=example,DC=com. To create a DBA role in Cloud Manager linked to this LDAP group, type admin in the database Identifier field and CN=DBA,CN=Users,DC=example,DC=com in the name Identifier field.
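The following is an added example, not code from the Cloud Manager documentation or product. It shows, in JavaScript that runs under Node and produces the same createRole documents mongosh would send, what the Identifier choices above and the scoping rules from the introduction (collection-level resources on an ordinary database; cluster-wide resources and cross-database inheritance only on admin) look like as concrete role definitions, and it rejects definitions that break those rules before you push them to a deployment. The database appdb, the orders collection, the role names and the LDAP group DN are constructed for illustration; the reserved role name MongodbAutomationAgentUserRole and the $external/admin conventions come from this page. Cloud Manager itself writes roles into the automation configuration rather than running these statements for you.

```javascript
// Added example, not code from the Cloud Manager docs or product: build the
// createRole documents that the Security page's Identifier and privilege fields
// map to, and reject definitions that break the scoping rules described on the page.
// "appdb", "orders", the role names and the LDAP group DN are constructed for
// illustration; the reserved role name and the $external/admin conventions are from the page.

const RESERVED_ROLE_NAMES = new Set(["MongodbAutomationAgentUserRole"]);

// Which (database, name) identifier to use, per the authentication and authorization methods.
function roleIdentifier({ db, name, groupDn, ldapAuth = false, ldapAuthz = false }) {
  if (ldapAuthz) return { db: "admin", name: groupDn }; // any auth + LDAP authorization: admin + group DN
  if (ldapAuth) return { db: "$external", name };       // LDAP authentication only: $external + chosen name
  return { db, name };                                   // no LDAP: the database the role belongs to
}

// Where a privilege resource may appear: the name of one database, or "admin-only".
function resourceScope(resource) {
  if (resource.cluster === true || resource.anyResource === true) return "admin-only";
  if (resource.db === "") return "admin-only"; // db "" = every database (all collections, or one name in each)
  return resource.db;                           // one database, or one collection in it
}

function buildRole({ db, name, privileges = [], roles = [] }) {
  const errors = [];
  if (RESERVED_ROLE_NAMES.has(name)) errors.push(`${name} is reserved for the MongoDB Agent`);
  for (const p of privileges) {
    if (!Array.isArray(p.actions) || p.actions.length === 0)
      errors.push(`privilege on ${JSON.stringify(p.resource)} lists no actions`);
    const scope = resourceScope(p.resource);
    if (db !== "admin" && scope === "admin-only")
      errors.push(`resource ${JSON.stringify(p.resource)} is only valid for a role defined on admin`);
    else if (db !== "admin" && scope !== db)
      errors.push(`role on ${db} cannot grant privileges on database ${scope}`);
  }
  // createRole accepts "read" (same database) or { role, db }; normalize to the object form.
  const inherited = roles.map((r) => (typeof r === "string" ? { role: r, db } : r));
  for (const r of inherited) {
    if (db !== "admin" && r.db !== db)
      errors.push(`role on ${db} cannot inherit ${r.db}.${r.role}; only admin roles inherit across databases`);
  }
  if (errors.length) throw new Error(errors.join("; "));
  return { db, command: { createRole: name, privileges, roles: inherited } };
}

// The mongosh statement equivalent to the role document applied to each deployment.
function toMongosh({ db, command }) {
  const spec = { role: command.createRole, privileges: command.privileges, roles: command.roles };
  return `db.getSiblingDB(${JSON.stringify(db)}).createRole(${JSON.stringify(spec)})`;
}

// null when a definition is accepted, otherwise the reason it was rejected.
function rejectionReason(spec) {
  try { buildRole(spec); return null; } catch (e) { return e.message; }
}

// 1. Collection-level role on an application database, inheriting a same-database role.
const orderReader = buildRole({
  ...roleIdentifier({ db: "appdb", name: "orderReader" }),
  privileges: [{ resource: { db: "appdb", collection: "orders" }, actions: ["find"] }],
  roles: ["read"],
});

// 2. Cluster-wide role: the cluster resource, one collection name across all databases
//    and cross-database inheritance are only valid because the role is defined on admin.
const clusterAuditor = buildRole({
  ...roleIdentifier({ db: "admin", name: "clusterAuditor" }),
  privileges: [
    { resource: { cluster: true }, actions: ["serverStatus"] },
    { resource: { db: "", collection: "system.profile" }, actions: ["find"] },
  ],
  roles: [{ role: "read", db: "appdb" }],
});

// 3. LDAP authorization: the role lives on admin and its name is the LDAP group DN.
const dbaGroup = buildRole({
  ...roleIdentifier({ ldapAuthz: true, groupDn: "CN=DBA,CN=Users,DC=example,DC=com" }),
  roles: [{ role: "dbAdminAnyDatabase", db: "admin" }],
});

// 4. Rejected: a role on appdb may neither use the cluster resource nor inherit from another database.
const rejected = rejectionReason({
  db: "appdb", name: "tooBroad",
  privileges: [{ resource: { cluster: true }, actions: ["serverStatus"] }],
  roles: [{ role: "read", db: "otherdb" }],
});

console.log(toMongosh(orderReader));
console.log(toMongosh(clusterAuditor));
console.log(toMongosh(dbaGroup));
console.log("rejected:", rejected);
```

The validator encodes only what this page states; it does not check that each action is valid for its resource type, which the server does when the role is created. Running the printed statements against a deployment that Cloud Manager manages with Enforce Consistent Set enabled is not the workflow this page describes: unmanaged roles created that way are removed, so define the role in the Cloud Manager Security page instead.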
Edit a Custom Role
You can change a custom role's privileges. You cannot change its name or database.
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Go to the Security page.
Click the Security tab for your deployment.
The Security page displays.
View Privileges for a Role
To view a role's privileges:
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Go to the Security page.
Click the Security tab for your deployment.
The Security page displays.
Each privilege pairs a resource with a set of Privilege Actions. All roles are assigned a database. Each built-in role is assigned to either the admin database or every database.
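Because a role's effective privileges include everything it inherits, reviewing only the privileges listed directly on the role understates what it grants. The following added example, not code from the Cloud Manager documentation or product, resolves a role's effective privileges by walking its inherited roles, the way db.getRole(name, { showPrivileges: true }) reports them, and flags the actions that deserve a second look. The role catalogue is constructed for illustration (read is shown with a simplified subset of the real built-in role's privileges), and the list of sensitive actions is the author's choice, not a MongoDB classification.

```javascript
// Added example, not code from the Cloud Manager docs or product: compute the
// effective privileges of a role (direct plus inherited), merging actions per resource
// and tolerating inheritance cycles and references to roles that do not exist.
// The catalogue is constructed for illustration; "read" carries only a subset of the
// real built-in role's privileges, and the "sensitive" action list is an assumption.

// Constructed catalogue keyed by "db.role". Real built-in roles are defined on admin or
// on every database; here "read" is entered for the one database the example uses.
const CATALOGUE = {
  "appdb.read": {
    privileges: [{ resource: { db: "appdb", collection: "" }, actions: ["find", "listIndexes"] }],
    roles: [],
  },
  "appdb.orderWriter": {
    privileges: [{ resource: { db: "appdb", collection: "orders" }, actions: ["insert", "update"] }],
    roles: [{ role: "read", db: "appdb" }],
  },
  "admin.clusterAuditor": {
    privileges: [{ resource: { cluster: true }, actions: ["serverStatus"] }],
    roles: [{ role: "orderWriter", db: "appdb" }],
  },
  "admin.roleManager": {
    privileges: [{ resource: { db: "", collection: "" }, actions: ["grantRole", "createRole"] }],
    roles: [],
  },
};

// Stable key for a resource document regardless of field order.
function resourceKey(resource) {
  return JSON.stringify(resource, Object.keys(resource).sort());
}

function effectivePrivileges(db, role, catalogue = CATALOGUE) {
  const byResource = new Map(); // resource key -> { resource, actions: Set }
  const visited = new Set();    // "db.role" already expanded; also stops cycles
  const missing = [];           // inherited roles not present in the catalogue
  const walk = (d, r) => {
    const key = `${d}.${r}`;
    if (visited.has(key)) return;
    const def = catalogue[key];
    if (!def) { if (!missing.includes(key)) missing.push(key); return; }
    visited.add(key);
    for (const p of def.privileges) {
      const rk = resourceKey(p.resource);
      if (!byResource.has(rk)) byResource.set(rk, { resource: p.resource, actions: new Set() });
      p.actions.forEach((a) => byResource.get(rk).actions.add(a));
    }
    def.roles.forEach((inh) => walk(inh.db, inh.role));
  };
  walk(db, role);
  return {
    privileges: [...byResource.values()].map((v) => ({ resource: v.resource, actions: [...v.actions].sort() })),
    inheritedRoles: [...visited].filter((k) => k !== `${db}.${role}`),
    missing,
  };
}

// Actions worth a second look before granting the role (author's list, not MongoDB's).
const SENSITIVE_ACTIONS = new Set(["anyAction", "internal", "grantRole", "createRole", "dropDatabase", "setParameter", "applyOps"]);

function sensitiveGrants(db, role, catalogue = CATALOGUE) {
  return effectivePrivileges(db, role, catalogue).privileges.flatMap((p) =>
    p.actions.filter((a) => SENSITIVE_ACTIONS.has(a)).map((a) => ({ action: a, resource: p.resource })));
}

console.log(JSON.stringify(effectivePrivileges("admin", "clusterAuditor"), null, 2));
console.log(JSON.stringify(sensitiveGrants("admin", "roleManager")));
```

On a live deployment the same information comes from db.getRole("clusterAuditor", { showPrivileges: true }) run against the role's database, whose output lists both the role's own privileges and its inheritedPrivileges; the walk above is useful when reviewing a role definition before it exists anywhere.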
Remove a Custom Role
In MongoDB Cloud Manager, go to the Deployment page for your project.
If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.
If it's not already displayed, select your desired project from the Projects menu in the navigation bar.
If the Deployment page is not already displayed, click Deployment in the sidebar.
The Deployment page displays.
Go to the Security page.
Click the Security tab for your deployment.
The Security page displays.