Privilege Actions

Privilege Actions

New in version 2.6.

Privilege actions define the operations a user can perform on a resource. A MongoDB privilege comprises aresource and the permitted actions. This page listsavailable actions grouped by common purpose.

MongoDB provides built-in roles with pre-defined pairings of resources andpermitted actions. For lists of the actions granted, seeBuilt-In Roles. To define custom roles, seeCreate a User-Defined Role.

Query and Write Actions

find
User can perform the following commands, and their equivalent helper methods:
- aggregate for all pipeline operationsexcept$collStats, $out, and$indexStats.
- checkShardingIndex
- count
- dataSize
- distinct
- filemd5
- find
- geoSearch
- getLastError
- getMore
- getPrevError
- killCursors, provided that the cursor is associatedwith a currently authenticated user.
- listCollections
- listIndexes
- mapReduce with the {out: inline} option.
- repairCursor
- resetErrorRequired for the query portion of the mapReduce command anddb.collection.mapReduce helper method when outputtingto a collection.

Required for the query portion of the findAndModify commandand db.collection.findAndModify helper method.

Required on the source collection for the cloneCollectionAsCappedand renameCollection commands and thedb.collection.renameCollection() helper method.

For MongoDB 4.0.6+:
If the user does not have the listDatabasesprivilege action, users can run the listDatabasescommand to return a list of databases for which the user hasprivileges (including databases for which the user has privilegeson specific collections) if the command is run withauthorizedDatabases option unspecified or set to true.
For MongoDB 4.0.5:
If the user does not have the listDatabasesprivilege action, users can run the listDatabasescommand to return a list of databases for which the user has thefind action privilege if the command is run withauthorizedDatabases option unspecified or set to true.
For MongoDB 4.0.0-4.0.4:
If the user does not have the listDatabasesprivilege action, users can run the listDatabasescommand to return a list of databases for which the user has thefind action privilege.Apply this action to database or collection resources.

insert
User can perform the following commands and their equivalent methods:
- insert
- createRequired for the output portion of the mapReducecommand and db.collection.mapReduce() helper method whenoutputting to a collection.

Required for the aggregate command anddb.collection.aggregate() helper method when using the$out pipeline operator.

Required for the update and findAndModifycommands and equivalent helper methods when used with the upsertoption.

Required on the destination collection for the followingcommands and their helper methods:

cloneCollection
cloneCollectionAsCapped
renameCollectionApply this action to database or collection resources.

remove
User can perform the delete command and equivalenthelper method.

Required for the write portion of the findAndModifycommand and db.collection.findAndModify() method.

Required for the mapReduce command anddb.collection.mapReduce() helper method when you specifythe replace action when outputting to a collection.

Required for the aggregate command anddb.collection.aggregate() helper method when using the$out pipeline operator.

Apply this action to database or collection resources.

update
User can perform the update command and equivalenthelper methods.

Required for themapReduce command and db.collection.mapReduce()helper method when outputting to a collectionwithout specifying the replace action.

Required for the findAndModify command anddb.collection.findAndModify() helper method.

Apply this action to database or collection resources.

bypassDocumentValidation

New in version 3.2.

Users can bypass document validation on commands and methods that supportthe bypassDocumentValidation option. The following commands andtheir equivalent methods support bypassing document validation:

aggregate
applyOps
cloneCollection on the destination collection
findAndModify
insert
mapReduce
updateApply this action to database or collection resources.

useUUID

New in version 3.6.

User can execute the following commands using aUUID as if it were anamespace:

find
listIndexesFor example, this privilege authorizes a user to run thefollowing command which executes a find command on acollection with the given UUID. In order to be successful, thisoperation also requires that the user is authorized to execute thefind command on the collection namespace corresponding to the givenUUID.

db.runCommand({find: UUID("123e4567-e89b-12d3-a456-426655440000")})

For more information on collection UUIDs, seeCollections.

Apply this action to the cluster resource.

Database Management Actions

changeCustomData
User can change the custom information of any user in the givendatabase. Apply this action to database resources.

changeOwnCustomData
Users can change their own custom information. Apply this action todatabase resources. See alsoChange Your Password and Custom Data.

changeOwnPassword
Users can change their own passwords. Apply this action to databaseresources. See alsoChange Your Password and Custom Data.

changePassword
User can change the password of any user in the given database. Applythis action to database resources.

createCollection
User can perform the db.createCollection() method. Apply thisaction to database or collection resources.

createIndex
Provides access to the db.collection.createIndex() methodand the createIndexes command.Apply this action to database or collection resources.

createRole
User can create new roles in the given database. Apply this action todatabase resources.

createUser
User can create new users in the given database. Apply this action todatabase resources.

dropCollection
User can perform the db.collection.drop() method. Apply thisaction to database or collection resources.

dropRole
User can delete any role from the given database. Apply this action todatabase resources.

dropUser
User can remove any user from the given database. Apply this action todatabase resources.

enableProfiler
User can perform the db.setProfilingLevel() method. Applythis action to database resources.

grantRole
User can grant any role in the database to any user from any databasein the system. Apply this action to database resources.

killCursors
Starting in MongoDB 4.2, users can always kill their own cursors,regardless of whether the users have the privilege tokillCursors. As such, the killCursorsprivilege has no effect in MongoDB 4.2+.

In MongoDB 3.6.3 through MongoDB 4.0.x, users requirekillCursors privilege to kill their own curors whenaccess control is enabled. Cursors are associated with the users atthe time of cursor creation. Apply this action to collectionresources.

killAnyCursor

New in version 3.6.3.

User can kill any cursor, even cursors created by other users.Apply this action to collection resources.

revokeRole
User can remove any role from any user from any database in the system.Apply this action to database resources.

setAuthenticationRestriction

New in version 3.6.

User can specify theauthenticationRestrictionsfield in the user document when running the following commands:

createUser
updateUserUser can specify the authenticationRestrictions field in therole document when running the following commands:
createRole
updateRole

Note

The following built-in roles grant this privilege:

The userAdmin role provides this privilegeon the database that the role is assigned.
The userAdminAnyDatabase role provides thisprivilege on all databases.Transitively, the restore and root rolesalso provide this privilege.

Apply this action to database resources.

unlock
User can perform the db.fsyncUnlock() method. Apply thisaction to the cluster resource.

viewRole
User can view information about any role in the given database. Applythis action to database resources.

viewUser
User can view the information of any user in the given database. Applythis action to database resources.

Deployment Management Actions

authSchemaUpgrade
User can perform the authSchemaUpgrade command. Apply thisaction to the cluster resource.

cleanupOrphaned
User can perform the cleanupOrphaned command. Apply thisaction to the cluster resource.

cpuProfiler
User can enable and use the CPU profiler. Apply this action to thecluster resource.

inprog
User can use the db.currentOp() method to returninformation on pending and active operations. Apply this action tothe cluster resource.

Changed in version 3.2.9: Even without the inprog privilege, onmongod instances, users can view their own operationsby running db.currentOp( { "$ownOps": true } ).

invalidateUserCache
Provides access to the invalidateUserCache command. Applythis action to the cluster resource.

killop
User can perform the db.killOp() method. Apply this action tothe cluster resource.

Changed in version 3.2.9: Even without the killop privilege, onmongod instances, users can killtheir own operations.

planCacheRead
User can run the following operations:
- $planCacheStats aggregation stage.
- planCacheListPlans command andPlanCache.getPlansByQuery() method.
- planCacheListQueryShapes command and thePlanCache.listQueryShapes() method.Apply this action to database or collection resources.

planCacheWrite
User can perform the planCacheClear command and thePlanCache.clear() and PlanCache.clearPlansByQuery()methods. Apply this action to database or collection resources.

storageDetails
User can perform the storageDetails command. Apply thisaction to database or collection resources.

Change Stream Actions

changeStream
User with changeStream and find on thespecific collection, all non-system collections in aspecifc database, or all non-system collections across all databases canopen change stream cursor for that resource.

Replication Actions

appendOplogNote
User can append notes to the oplog. Apply this action to thecluster resource.

replSetConfigure
User can configure a replica set. Apply this action to the clusterresource.

replSetGetConfig
User can view a replica set’s configuration. Provides access to thereplSetGetConfig command and rs.conf() helpermethod.

Apply this action to the cluster resource.

replSetGetStatus
User can perform the replSetGetStatus command. Apply thisaction to the cluster resource.

replSetHeartbeat
User can perform the replSetHeartbeat command. Apply thisaction to the cluster resource.

replSetStateChange
User can change the state of a replica set through thereplSetFreeze, replSetMaintenance,replSetStepDown, and replSetSyncFromcommands. Apply this action to the cluster resource.

resync
User can perform the resync command. Apply this action tothe cluster resource.

Sharding Actions

addShard
User can perform the addShard command. Apply this actionto the cluster resource.

enableSharding
User can enable sharding on a database using theenableSharding command and can shard a collection usingthe shardCollection command. Apply this action todatabase or collection resources.

flushRouterConfig
User can perform the flushRouterConfig command. Apply thisaction to the cluster resource.

getShardMap
User can perform the getShardMap command. Apply this actionto the cluster resource.

getShardVersion
User can perform the getShardVersion command. Apply thisaction to database resources.

listShards
User can perform the listShards command. Apply this actionto the cluster resource.

moveChunk
User can perform the moveChunk command. In addition, usercan perform the movePrimary command provided that the privilegeis applied to an appropriate database resource. Apply this action to databaseor collection resources.

removeShard
User can perform the removeShard command. Apply thisaction to the cluster resource.

shardingState
User can perform the shardingState command. Apply thisaction to the cluster resource.

splitChunk
User can perform the splitChunk command and themergeChunks command. Apply this action to database orcollection resources.

splitVector
User can perform the splitVector command. Apply this action todatabase or collection resources.

Server Administration Actions

applicationMessage
User can perform the logApplicationMessage command. Applythis action to the cluster resource.

closeAllDatabases
User can perform the closeAllDatabases command. Apply thisaction to the cluster resource.

collMod
User can perform the collMod command. Apply this action todatabase or collection resources.

compact
User can perform the compact command. Apply this action todatabase or collection resources.

connPoolSync
User can perform the connPoolSync command. Apply thisaction to the cluster resource.

convertToCapped
User can perform the convertToCapped command. Apply thisaction to database or collection resources.

dropConnections
User can perform the dropConnections command. Apply thisaction to the cluster resource.

dropDatabase
User can perform the dropDatabase command. Apply this actionto database resources.

dropIndex
User can perform the dropIndexes command. Apply this actionto database or collection resources.

forceUUID

New in version 3.6.

User can create a collection with a user-definedcollection UUID using theapplyOps command.

Apply this action to the cluster resource.

fsync
User can perform the fsync command. Apply this action tothe cluster resource.

getParameter
User can perform the getParameter command. Apply thisaction to the cluster resource.

hostInfo
Provides information about the server the MongoDB instance runs on. Applythis action to the cluster resource.

logRotate
User can perform the logRotate command. Apply this actionto the cluster resource.

reIndex
User can perform the reIndex command. Apply this action todatabase or collection resources.

renameCollectionSameDB
Allows the user to rename collections on the current database using therenameCollection command. Apply this action to databaseresources.

Additionally, the user must either havefind on thesource collection or not havefind on the destinationcollection.

If a collection with the new name already exists, the user must alsohave the dropCollection action on the destinationcollection.

setParameter
User can perform the setParameter command. Apply thisaction to the cluster resource.

shutdown
User can perform the shutdown command. Apply this actionto the cluster resource.

touch
User can perform the touch command. Apply this action tothe cluster resource.

Session Actions

impersonate

New in version 3.6.

User can perform the killAllSessionsByPattern commandwith users and roles pattern. Apply this action to thecluster resource.

To run killAllSessionsByPattern command, users mustalso have killAnySession privileges on the clusterresource.

listSessions

New in version 3.6.

User can perform the $listSessions operation or$listLocalSessions operation for all users or specifieduser(s). Apply this action to the cluster resource.

killAnySession

New in version 3.6.

User can perform the killAllSessions and thekillAllSessionsByPattern command. Apply this action tothe cluster resource.

Free Monitoring Actions

checkFreeMonitoringStatus
User with this action on the cluster resource can check thestatus of Free Monitoring.

New in version 4.0.

setFreeMonitoring
User with this action on the cluster resource can enable ordisable Free Monitoring.

New in version 4.0.

Diagnostic Actions

collStats
User can perform the collStats command. Apply this actionto database or collection resources.

connPoolStats
User can perform the connPoolStats and shardConnPoolStatscommands. Apply this action to the cluster resource.

cursorInfo
User can perform the cursorInfo command. Apply this actionto the cluster resource.

dbHash
User can perform the dbHash command. Apply this action todatabase or collection resources.

dbStats
User can perform the dbStats command. Apply this action todatabase resources.

getCmdLineOpts
User can perform the getCmdLineOpts command. Apply thisaction to the cluster resource.

getLog
User can perform the getLog command. Apply this action tothe cluster resource.

indexStats
User can perform the indexStats command. Apply this actionto database or collection resources.

Changed in version 3.0: MongoDB 3.0 removes the indexStats command.

listDatabases
User can perform the listDatabases command. Apply thisaction to the cluster resource.
- For MongoDB 4.0.6+:
- If the user does not have the listDatabasesprivilege action, users can run the listDatabasescommand to return a list of databases for which the user hasprivileges (including databases for which the user has privilegeson specific collections) if the command is run withauthorizedDatabases option unspecified or set to true.
- For MongoDB 4.0.5:
- If the user does not have the listDatabasesprivilege action, users can run the listDatabasescommand to return a list of databases for which the user has thefind action privilege if the command is run withauthorizedDatabases option unspecified or set to true.
- For MongoDB 4.0.0-4.0.4:
- If the user does not have the listDatabasesprivilege action, users can run the listDatabasescommand to return a list of databases for which the user has thefind action privilege.

listCollections
User can perform the listCollections command. Apply thisaction to database resources.

Note

Starting in version 4.0, user without the required privilege canrun the listCollections command with bothauthorizedCollections and nameOnly options set totrue. In this case, the command returns just the name andtype of the collection(s) to which the user has privileges.

listIndexes
User can perform the listIndexes command. Apply thisaction to database or collection resources.

netstat
User can perform the netstat command. Apply this action tothe cluster resource.

serverStatus
User can perform the serverStatus command. Apply this actionto the cluster resource.

validate
User can perform the validate command. Apply this actionto database or collection resources.

top
User can perform the top command. Apply this action to thecluster resource.

Internal Actions

anyAction
Allows any action on a resource. Do not assign this action unlessit is absolutely necessary.

internal
Allows internal actions. Do not assign this action unlessit is absolutely necessary.