Use Data Management Service (DMS) to manage MongoDB database accounts and assign permissions for various roles, such as common operation role, administrator action role, instance-level role, cluster administrator role, and backup and recovery roles.
Prerequisites
-
The database type is MongoDB.
A system role of Administrator, Database Administrator (DBA), or Regular User (Instance Owner)
-
You must have the database account and database password for the target database.
-
If you create a user in the admin database, ensure that an existing user has the permission to create users, such as dbAdminAnyDatabase, userAdmin, or userAdminAnyDatabase. To learn how to edit a user, see Edit or delete a user.
Create a database account
Log in to DMS 5.0.
-
Log on to the target database. For more information, see Log on to a database.
ImportantFor a MongoDB replica set instance, you must log on to the primary node.
-
In the list of database instances on the left, right-click the target instance and select Account Management.
-
Click Create a database account in the upper-left corner of the page and configure the following parameters.
-
Configure the user information.
In the dialog box that appears, select the Current Database Permissions or Other Database Permissions tab to assign roles to the account. Common operation roles include read (permission to query data in the current database) and readWrite (permission to insert, delete, update, and query data in the current database). Administrator action roles include dbAdmin (allows database object management but does not grant read or write permissions) and userAdmin. After you complete the configuration, click OK.
Parameter
Description
Destination Database
Select the database for the user account.
Note-
If you select a database other than the admin database, you create a regular user.
-
If you select the admin database, you create a privileged user.
Username
Enter a name for the user.
-
Chinese characters are not supported.
-
You can use letters, digits, and special characters.
-
Supported special characters include:
!#$%^&*()_+-=
Password
Enter a password for the user.
The password must be 8 to 32 characters long and contain characters from each of the following three categories:
-
English letters (uppercase and lowercase)
-
Digits
-
Special characters (
!#$%^&*()_+-=)
Confirm Password
Enter the password again.
-
-
Configure the permissions for the user.
Note-
If you select the admin database as the destination database:
On the Current Database Permissions tab, you can assign roles such as common operation role, administrator action role, instance-level role, cluster administrator role, backup and recovery roles, and super role. For details on role permissions, see MongoDB role permissions.
You can also select the Other Database Permissions tab to add a database name and set the corresponding role permissions.
-
If you select a database other than the admin database as the destination database:
On the Current Database Permissions tab, you can only assign the common operation role and administrator action role for the current database. For details on role permissions, see MongoDB role permissions.
The Other Database Permissions tab is not available.
-
-
-
Click Confirm.
NoteDatabase instances managed in Security Collaboration mode are subject to security rules. If an operation fails, follow the on-screen instructions or contact your DBA or administrator for assistance.
Edit or delete a user
Log in to DMS 5.0.
-
In the instance list on the left, right-click the target instance and select Account Management.
-
On the Account Management page, find the database account that you want to manage.
-
In the Actions column, click Edit or Delete.
MongoDB role permissions
For a detailed description of role permissions, see the MongoDB official documentation.
|
Role type |
Role |
Description |
|
common operation role |
read |
Allows querying data in the current database. |
|
readWrite |
Allows inserting, deleting, updating, and querying data in the current database. |
|
|
administrator action role |
dbAdmin |
Provides permission for database object management operations, but not for reading from or writing to the database. |
|
userAdmin |
Provides permission to create users in the current database. |
|
|
dbOwner |
Grants all permissions on the current database. |
|
|
instance-level role |
readAnyDatabase |
Provides permission to query data in all databases within the instance. |
|
readWriteAnyDatabase |
Provides permission to insert, delete, update, and query data in all databases within the instance. |
|
|
userAdminAnyDatabase |
Provides permission to create users for all databases within the instance. |
|
|
dbAdminAnyDatabase |
Grants the dbAdmin role on all databases within the instance. |
|
|
cluster administrator role |
hostManager |
Grants permissions to monitor and manage servers. |
|
clusterMonitor |
Provides permission to monitor clusters and replica sets. |
|
|
clusterManager |
Provides permission to manage and monitor clusters and replica sets. |
|
|
clusterAdmin |
Provides full administrative permissions on the cluster. |
|
|
backup and recovery roles |
backup |
Grants permissions required for backup operations. |
|
restore |
Grants permissions to restore data from a backup. |
|
|
super role |
Root |
Grants superuser access to all resources. |