Ops Manager Roles
Ops Manager roles allow you to grant users different levels of access to
Ops Manager. You can grant a user the privileges needed to perform a specific
set of tasks and no more.
If you use LDAP authentication for Ops Manager, you must:
- Create LDAP groups for each available role that follows.
- Assign users to these LDAP groups.
Neither the LDAP server nor Ops Manager synchronizes the groups and
roles without user intervention.
To assign user roles, see Edit a User’s or Team’s Role in a Project. You can’t
assign your own roles.
Organization Roles
Organization Role: Organization Owner
Privileges: An Ops Manager user with this organization role can:
- Have root access to the organization.
- Have Project Owner access to all projects in the organization, even if added to a project with a non-Owner role.
- Use any privilege granted to any organization role.
- Administer organization settings.
- Add, edit, or delete users in the organization.
- Delete the organization.

Organization Role: Organization Project Creator
Privileges: An Ops Manager user with this organization role can:
- Create projects in the organization.
- Use any privilege granted to the Organization Member role.

Organization Role: Organization Read Only
Privileges: This organization role grants read-only access to everything in the organization, including all projects in the organization.

Organization Role: Organization Member
Privileges: This organization role grants read-only access to the organization (settings, users, and billing) and the projects to which the user belongs.
Within a project, an Organization Member’s project role sets their project privileges.
A Project User Admin or Owner can add a new Ops Manager user to a project. This also adds this new Ops Manager user to that project’s organization.

Project Roles
The following roles grant privileges within a project.
Project Role: Project Read Only
Privileges: An Ops Manager user with this project role can view most project components, including all:
- Activity
- Operational data
- Ops Manager Users
- Ops Manager User roles
This user can’t modify or delete anything.

Project Role: Project User Admin
Privileges: An Ops Manager user with this project role can:
- Add an existing Ops Manager user to a project. If the added user does not currently belong to the organization, the user will be added to the organization as well.
- Invite a new Ops Manager user to a project. After the Ops Manager user accepts the invite, Ops Manager also adds this user to the organization.
- Remove an existing project invitation.
- Deny a user’s request to join a project. This can deny the user access to the project depending on the user’s role in the organization.
- Remove a user from a project.
- Modify a user’s role within a project.

Project Role: Project Data Access Admin
Privileges: An Ops Manager user with this project role can:

Project Role: Project Data Access Read/Write
Privileges: An Ops Manager user with this project role can:

Project Role: Project Data Access Read Only
Privileges: An Ops Manager user with this project role can:

Project Role: Project Monitoring Admin
Privileges: An Ops Manager user with this project role can:
- Use any privilege granted to the Project Read Only role.
- Administer alerts (create, modify, delete, enable/disable, acknowledge/unacknowledge).
- Manage hosts (add, edit, delete).
- Download Monitoring.

Project Role: Project Backup Admin
Privileges: An Ops Manager user with this project role can:
- Use any privilege granted to the Project Read Only role.
- Manage backups, including:
  - Starting, stopping, and terminating backups.
  - Requesting restores.
  - Viewing and editing the namespaces filter.
  - Viewing and editing host passwords.
  - Modifying backup settings.
  - Generating SSH keys.
  - Downloading the MongoDB Agent.

Project Role: Project Automation Admin
Privileges: An Ops Manager user with this project role can:
- Use any privilege granted to the Project Read Only role.
- View deployments.
- Provision machines.
- Edit configuration files.
- Download the MongoDB Agent.

Project Role: Project Owner
Privileges: An Ops Manager user with this project role can:
- Use any privilege granted to any of the other project roles.
- Configure the Backup service.

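The inheritance rules stated in the organization and project tables above can be checked mechanically during an access review: an Organization Owner is a Project Owner everywhere, whatever the project assignment shows. The following Python is an added example, not part of the Ops Manager documentation or product; the user names, the project name, and the dictionary layout are constructed, and it assumes every user belongs to one organization.

```python
# Added example. Role names come from the tables above; all data is constructed.
READ_ONLY = "Project Read Only"
OWNER = "Project Owner"
ORG_OWNER = "Organization Owner"

# Project roles that the page says also carry Project Read Only.
INCLUDES_READ_ONLY = {
    "Project Monitoring Admin",
    "Project Backup Admin",
    "Project Automation Admin",
}
ALL_PROJECT_ROLES = INCLUDES_READ_ONLY | {
    READ_ONLY, OWNER, "Project User Admin",
    "Project Data Access Admin",
    "Project Data Access Read/Write",
    "Project Data Access Read Only",
}

def effective_project_roles(org_roles, assigned):
    """Expand explicitly assigned project roles using the page's rules."""
    roles = set(assigned)
    # Organization Owner has Project Owner on every project in the
    # organization, even when added with a non-Owner role.
    if ORG_OWNER in org_roles:
        roles.add(OWNER)
    # Project Owner can use any privilege of the other project roles.
    if OWNER in roles:
        return set(ALL_PROJECT_ROLES)
    if roles & INCLUDES_READ_ONLY:
        roles.add(READ_ONLY)
    return roles

def hidden_owners(users, project):
    """Users who are effectively Project Owner without being assigned it."""
    found = []
    for name, user in sorted(users.items()):
        assigned = user["projects"].get(project, set())
        effective = effective_project_roles(user["org_roles"], assigned)
        if OWNER in effective and OWNER not in assigned:
            found.append(name)
    return found

# Constructed sample: one organization, one project.
USERS = {
    "alice": {"org_roles": {ORG_OWNER}, "projects": {"payments": {READ_ONLY}}},
    "bob": {"org_roles": {"Organization Member"}, "projects": {"payments": {"Project Backup Admin"}}},
    "carol": {"org_roles": {"Organization Member"}, "projects": {"payments": {OWNER}}},
}
print(hidden_owners(USERS, "payments"))
```

Only `alice` is reported: her project assignment reads Project Read Only, but her organization role makes her a Project Owner.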
Global Roles
Global roles have all the same privileges as the equivalent
Organization and Project roles, except that they have these
privileges for all projects and organizations. They also have some
additional privileges as noted in the following table.
The following roles grant privileges for all projects and organizations.
Global Role: Global Read Only
Description: Grants Project Read Only access to all projects and Organization Read Only for all organizations. The role additionally grants access to do the following:
- View backups and other statistics through the admin console.
- Global user search.

Global Role: Global User Admin
Description: Grants Project User Admin access to all projects and all organizations. The role additionally grants access to do the following:
- Manage console messages.
- Send test emails, SMS messages, and voice calls.
- Edit user accounts.
- Manage LDAP group mappings for organization and project roles.

Global Role: Global Monitoring Admin
Description: Grants Project Monitoring Admin access to all projects. The role additionally grants access to do the following:
- View system statistics through the admin console.

Global Role: Global Backup Admin
Description: Grants Project Backup Admin access to all projects. The role additionally grants access to do the following:
- View system statistics through the admin console.
- Manage blockstore, daemon, and oplog store configurations.
- Move jobs between daemons.
- Approve backups in awaiting provisioning state.

Global Role: Global Automation Admin
Description: Grants Project Automation Admin access to all projects. The role additionally grants access to view system statistics through the admin console.

Global Role: Global Owner
Description: Grants privileges from all roles combined except those required to access Data Explorer: