Privilege Actions for Self-Managed Deployments
On this page
Privilege actions define the operations a user can perform on a resource. A MongoDB privilege comprises a resource and the permitted actions. This page lists available actions grouped by common purpose.
MongoDB provides built-in roles with pre-defined pairings of resources and permitted actions. For lists of the actions granted, see Built-In Roles in Self-Managed Deployments. To define custom roles, see Create a User-Defined Role.
Query and Write Actions
find
User can perform the following commands, and their equivalent helper methods:
aggregate
for all pipeline operations except$collStats
,$out
, and$indexStats
.geoSearch
(Removed in MongoDB 5.0)getLastError
(Removed in MongoDB 5.1)killCursors
, provided that the cursor is associated with a currently authenticated user.mapReduce
with the{out: inline}
option.resetError
(Removed in MongoDB 5.0)
Required for the query portion of the
mapReduce
command anddb.collection.mapReduce()
helper method when outputting to a collection.Required for the query portion of the
findAndModify
command anddb.collection.findAndModify()
helper method.Required on the source collection for the
cloneCollectionAsCapped
andrenameCollection
commands and thedb.collection.renameCollection()
helper method.If the user does not have the
listDatabases
privilege action, users can run thelistDatabases
command to return a list of databases for which the user has privileges (including databases for which the user has privileges on specific collections) if the command is run withauthorizedDatabases
option unspecified or set totrue
.Apply this action to database or collection resources.
insert
User can perform the following commands and their equivalent methods:
Required for the output portion of the
mapReduce
command anddb.collection.mapReduce()
helper method when outputting to a collection.Required for the
aggregate
command anddb.collection.aggregate()
helper method when using the$out
or$merge
pipeline operator.Required for the
update
andfindAndModify
commands and equivalent helper methods when used with theupsert
option.Required on the destination collection for the following commands and their helper methods:
Apply this action to database or collection resources.
remove
User can perform the
delete
command and equivalent helper method.Required for the write portion of the
findAndModify
command anddb.collection.findAndModify()
method.Required for the
mapReduce
command anddb.collection.mapReduce()
helper method when you specify thereplace
action when outputting to a collection.Required for the
aggregate
command anddb.collection.aggregate()
helper method when using the$out
pipeline operator.Apply this action to database or collection resources.
update
User can perform the
update
command and equivalent helper methods.Required for the
mapReduce
command anddb.collection.mapReduce()
helper method when outputting to a collection without specifying thereplace
action.Required for the
findAndModify
command anddb.collection.findAndModify()
helper method.Apply this action to database or collection resources.
bypassDocumentValidation
Users can bypass document validation on commands and methods that support the
bypassDocumentValidation
option. The following commands and their equivalent methods support bypassing document validation:Apply this action to database or collection resources.
useUUID
User can execute the following commands using a UUID as if it were a namespace:
For example, this privilege authorizes a user to run the following command which executes a
find
command on a collection with the given UUID. In order to be successful, this operation also requires that the user is authorized to execute thefind
command on the collection namespace corresponding to the given UUID.db.runCommand({find: UUID("123e4567-e89b-12d3-a456-426655440000")}) For more information on collection UUIDs, see Collections.
Apply this action to the
cluster
resource.
Database Management Actions
changeCustomData
User can change the custom information of any user in the given database. Apply this action to database resources.
changeOwnCustomData
Users can change their own custom information. Apply this action to database resources. See also Change Your Password and Custom Data on Self-Managed Deployments.
changeOwnPassword
Users can change their own passwords. Apply this action to database resources. See also Change Your Password and Custom Data on Self-Managed Deployments.
changePassword
User can change the password of any user in the given database. Apply this action to database resources.
createCollection
User can perform the
db.createCollection()
method. Apply this action to database or collection resources.
createIndex
Provides access to the
db.collection.createIndex()
method and thecreateIndexes
command. Apply this action to database or collection resources.
dropCollection
User can perform the
db.collection.drop()
method. Apply this action to database or collection resources.
enableProfiler
User can perform the
db.setProfilingLevel()
method. Apply this action to database resources.
grantRole
User can grant any role in the database to any user from any database in the system. Apply this action to database resources.
killCursors
Users can always terminate their own cursors, regardless of whether the users have the privilege to
killCursors
.
killAnyCursor
User can kill any cursor, even cursors created by other users. Apply this action to collection resources.
planCacheIndexFilter
User can run the
planCacheClearFilters
,planCacheListFilters
, andplanCacheSetFilter
commands. Apply theplanCacheIndexFilter
action to collection resources.
revokeRole
User can remove any role from any user from any database in the system. Apply this action to database resources.
setAuthenticationRestriction
User can specify the authenticationRestrictions field in the
user
document when running the following commands:User can specify the
authenticationRestrictions
field in therole
document when running the following commands:Note
The following built-in roles grant this privilege:
The
userAdmin
role provides this privilege on the database that the role is assigned.The
userAdminAnyDatabase
role provides this privilege on all databases.
Transitively, the
restore
androot
roles also provide this privilege.Apply this action to database resources.
setFeatureCompatibilityVersion
User can run the
setFeatureCompatibilityVersion
command. Apply this action to thecluster
resource.
unlock
User can perform the
db.fsyncUnlock()
method. Apply this action to thecluster
resource.
Deployment Management Actions
authSchemaUpgrade
User can perform the
authSchemaUpgrade
command. Apply this action to thecluster
resource.
cleanupOrphaned
User can perform the
cleanupOrphaned
command. Apply this action to thecluster
resource.
inprog
User can use the
db.currentOp()
method to return information on pending and active operations. Apply this action to thecluster
resource.Even without the
inprog
privilege, onmongod
instances, users can view their own operations by runningdb.currentOp( { "$ownOps": true } )
.
invalidateUserCache
Provides access to the
invalidateUserCache
command. Apply this action to thecluster
resource.
killop
User can perform the
db.killOp()
method. Apply this action to thecluster
resource.Even without the
killop
privilege, onmongod
instances, users can kill their own operations.
planCacheRead
User can run the following operations:
$planCacheStats
aggregation stage.
Apply this action to database or collection resources.
planCacheWrite
User can perform the
planCacheClear
command and thePlanCache.clear()
andPlanCache.clearPlansByQuery()
methods. Apply this action to database or collection resources.
Change Stream Actions
changeStream
User with
changeStream
andfind
on the specific collection, all non-system
collections in a specific database, or all non-system
collections across all databases can open change stream cursor for that resource.
Replication Actions
replSetGetConfig
User can view a replica set's configuration. Provides access to the
replSetGetConfig
command andrs.conf()
helper method.Apply this action to the
cluster
resource.
replSetGetStatus
User can perform the
replSetGetStatus
command. Apply this action to thecluster
resource.
replSetHeartbeat
User can perform the deprecated
replSetHeartbeat
command. Apply this action to thecluster
resource.
replSetStateChange
User can change the state of a replica set through the
replSetFreeze
,replSetMaintenance
,replSetStepDown
, andreplSetSyncFrom
commands. Apply this action to thecluster
resource.
Sharding Actions
addShard
User can perform the
addShard
command. Apply this action to thecluster
resource.
checkMetadataConsistency
User can perform the
checkMetadataConsistency
command. Apply this action tocluster
, database or collection resources.New in version 7.0.
clearJumboFlag
Required to clear a chunk's jumbo flag using the
clearJumboFlag
command. Apply this action to database or collection resources.Included in the
clusterManager
built-in role.
enableSharding
Note
Applicable Resources
The action can apply to either:
Database or collection resource to enable sharding for a database or shard a collection.
Cluster resource to perform various shard zone operations.
ResourcesDescriptionGrants users privileges to perform the following operations:
Enable sharding on a database using the
enableSharding
command, andShard a collection using the
shardCollection
command.
refineCollectionShardKey
Provides privileges to refine the shard key for a sharded collection and run the
refineCollectionShardKey
command. Apply this action to database or collection resources.Included in the
clusterManager
built-in role.
reshardCollection
User can perform the
reshardCollection
command. Apply this action to database or collection resources.New in version 5.0.
flushRouterConfig
User can perform the
flushRouterConfig
command. Apply this action to thecluster
resource.
getShardMap
User can perform the
getShardMap
command. Apply this action to thecluster
resource.
listShards
User can perform the
listShards
command. Apply this action to thecluster
resource.
moveChunk
User can perform the
moveChunk
andmoveRange
commands. In addition, user can perform themovePrimary
command provided that the privilege is applied to an appropriate database resource. Apply this action to database or collection resources.
removeShard
User can perform the
removeShard
command. Apply this action to thecluster
resource.
shardedDataDistribution
User can perform the
$shardedDataDistribution
aggregation pipeline stage.New in version 6.0.3.
shardingState
User can perform the
shardingState
command. Apply this action to thecluster
resource.
splitVector
User can perform the
splitVector
command. Apply this action to database or collection resources.
Server Administration Actions
applicationMessage
User can perform the
logApplicationMessage
command. Apply this action to thecluster
resource.
bypassWriteBlockingMode
User can perform writes even when writes are blocked by the
setUserWriteBlockMode
command. Apply this action to thecluster
resource.
closeAllDatabases
User can perform the deprecated
closeAllDatabases
command. Apply this action to thecluster
resource.
collMod
User can perform the
collMod
command. Apply this action to database or collection resources.
compact
User can perform the
compact
command. Apply this action to database or collection resources.
compactStructuredEncryptionData
User can perform the
compactStructuredEncryptionData
command. Apply this action to database or collection resources.
connPoolSync
User can perform the internal
connPoolSync
command. Apply this action to thecluster
resource.
convertToCapped
User can perform the
convertToCapped
command. Apply this action to database or collection resources.
dropConnections
User can perform the
dropConnections
command. Apply this action to thecluster
resource.
dropDatabase
User can perform the
dropDatabase
command. Apply this action to database resources.
dropIndex
User can perform the
dropIndexes
command. Apply this action to database or collection resources.
forceUUID
User can create a collection with a user-defined collection UUID using the
applyOps
command.Apply this action to the
cluster
resource.
fsync
User can perform the
fsync
command. Apply this action to thecluster
resource.
getDefaultRWConcern
User can issue the administrative
getDefaultRWConcern
command. Apply this action to thecluster
resource.
getParameter
User can perform the
getParameter
command. Apply this action to thecluster
resource.
hostInfo
Provides information about the server the MongoDB instance runs on. Apply this action to the
cluster
resource.
oidReset
Required to reset the 5 byte random string that is used in the ObjectID.
logRotate
User can perform the
logRotate
command. Apply this action to thecluster
resource.
reIndex
User can perform the
reIndex
command. Apply this action to database or collection resources.
renameCollectionSameDB
Allows the user to rename collections on the current database using the
renameCollection
command. Apply this action to database resources.Additionally, the user must either have
find
on the source collection or not havefind
on the destination collection.If a collection with the new name already exists, the user must also have the
dropCollection
action on the destination collection.
rotateCertificates
User can perform the
rotateCertificates
command command. Apply this action to thecluster
resource.
setDefaultRWConcern
User can issue the administrative
setDefaultRWConcern
command. Apply this action to thecluster
resource.
setParameter
User can perform the
setParameter
command. Apply this action to thecluster
resource.
setUserWriteBlockMode
User can perform the
setUserWriteBlockMode
command. Apply this action to thecluster
resource.
shutdown
User can perform the
shutdown
command. Apply this action to thecluster
resource.
Session Actions
impersonate
User can perform the
killAllSessionsByPattern
command withusers
androles
pattern. Apply this action to thecluster
resource.To run
killAllSessionsByPattern
command, users must also havekillAnySession
privileges on the cluster resource.
listSessions
User can perform the
$listSessions
operation or$listLocalSessions
operation for all users or specified user(s). Apply this action to thecluster
resource.
killAnySession
User can perform the
killAllSessions
and thekillAllSessionsByPattern
command. Apply this action to thecluster
resource.
Atlas Search Index Actions
The following actions enable users to run Atlas Search Database Commands. These actions are only relevant for deployments hosted on MongoDB Atlas.
createSearchIndexes
User can run the
createSearchIndexes
database command. Apply this action to the database or collection resource.
dropSearchIndex
User can run the
dropSearchIndex
database command. Apply this action to the database or collection resource.
listSearchIndexes
User can run the
$listSearchIndexes
aggregation stage. Apply this action to the database or collection resource.
updateSearchIndex
User can run the
updateSearchIndex
database command. Apply this action to the database or collection resource.
Diagnostic Actions
collStats
User can perform the
collStats
command. Apply this action to database or collection resources.
connPoolStats
User can perform the
connPoolStats
command. Apply this action to thecluster
resource.
dbHash
User can perform the
dbHash
command. Apply this action to database or collection resources.
dbStats
User can perform the
dbStats
command. Apply this action to database resources.
getCmdLineOpts
User can perform the
getCmdLineOpts
command. Apply this action to thecluster
resource.
getLog
User can perform the
getLog
command. Apply this action to thecluster
resource.
indexStats
User can run the
$indexStats
aggregation pipeline stage. Apply this action to database or collection resources.To use the
$indexStats
stage, users must authenticate with at least theclusterMonitor
role.
listDatabases
User can perform the
listDatabases
command. Apply this action to thecluster
resource.If the user does not have the
listDatabases
privilege action, users can run thelistDatabases
command to return a list of databases for which the user has privileges (including databases for which the user has privileges on specific collections) if the command is run withauthorizedDatabases
option unspecified or set totrue
.
listCollections
User can perform the
listCollections
command. Apply this action to database resources.Note
Users without the required privilege can run the
listCollections
command with bothauthorizedCollections
andnameOnly
options set totrue
. In this case, the command returns just the name and type of the collection(s) to which the user has privileges.
listIndexes
User can perform the
listIndexes
command. Apply this action to database or collection resources.
queryStatsRead
User can run the
$queryStats
aggregation stage without thetransformIdentifiers
option.
queryStatsReadTransformed
User can run the
$queryStats
aggregation stage with or without thetransformIdentifiers
option.
serverStatus
User can perform the
serverStatus
command. Apply this action to thecluster
resource.
validate
User can perform the
validate
andvalidateDBMetadata
commands. Apply this action to database or collection resources.
top
User can perform the
top
command. Apply this action to thecluster
resource.
Internal Actions
anyAction
Allows any action on a resource. Do not assign this action unless it is absolutely necessary.
applyOps
User can perform the
applyOps
command. Apply this action to acluster
resource.