MongoDB database account permissions

更新时间:
复制 MD 格式

Use Data Management Service (DMS) to manage MongoDB database accounts and assign permissions for various roles, such as common operation role, administrator action role, instance-level role, cluster administrator role, and backup and recovery roles.

Prerequisites

Create a database account

  1. Log in to DMS 5.0.

  2. Log on to the target database. For more information, see Log on to a database.

    Important

    For a MongoDB replica set instance, you must log on to the primary node.

  3. In the list of database instances on the left, right-click the target instance and select Account Management.

  4. Click Create a database account in the upper-left corner of the page and configure the following parameters.

    1. Configure the user information.

      In the dialog box that appears, select the Current Database Permissions or Other Database Permissions tab to assign roles to the account. Common operation roles include read (permission to query data in the current database) and readWrite (permission to insert, delete, update, and query data in the current database). Administrator action roles include dbAdmin (allows database object management but does not grant read or write permissions) and userAdmin. After you complete the configuration, click OK.

      Parameter

      Description

      Destination Database

      Select the database for the user account.

      Note
      • If you select a database other than the admin database, you create a regular user.

      • If you select the admin database, you create a privileged user.

      Username

      Enter a name for the user.

      • Chinese characters are not supported.

      • You can use letters, digits, and special characters.

      • Supported special characters include: !#$%^&*()_+-=

      Password

      Enter a password for the user.

      The password must be 8 to 32 characters long and contain characters from each of the following three categories:

      • English letters (uppercase and lowercase)

      • Digits

      • Special characters (!#$%^&*()_+-=)

      Confirm Password

      Enter the password again.

    2. Configure the permissions for the user.

      Note
      • If you select the admin database as the destination database:

        On the Current Database Permissions tab, you can assign roles such as common operation role, administrator action role, instance-level role, cluster administrator role, backup and recovery roles, and super role. For details on role permissions, see MongoDB role permissions.

        You can also select the Other Database Permissions tab to add a database name and set the corresponding role permissions.

      • If you select a database other than the admin database as the destination database:

        On the Current Database Permissions tab, you can only assign the common operation role and administrator action role for the current database. For details on role permissions, see MongoDB role permissions.

        The Other Database Permissions tab is not available.

  5. Click Confirm.

    Note

    Database instances managed in Security Collaboration mode are subject to security rules. If an operation fails, follow the on-screen instructions or contact your DBA or administrator for assistance.

Edit or delete a user

  1. Log in to DMS 5.0.

  2. In the instance list on the left, right-click the target instance and select Account Management.

  3. On the Account Management page, find the database account that you want to manage.

  4. In the Actions column, click Edit or Delete.

MongoDB role permissions

For a detailed description of role permissions, see the MongoDB official documentation.

Role type

Role

Description

common operation role

read

Allows querying data in the current database.

readWrite

Allows inserting, deleting, updating, and querying data in the current database.

administrator action role

dbAdmin

Provides permission for database object management operations, but not for reading from or writing to the database.

userAdmin

Provides permission to create users in the current database.

dbOwner

Grants all permissions on the current database.

instance-level role

readAnyDatabase

Provides permission to query data in all databases within the instance.

readWriteAnyDatabase

Provides permission to insert, delete, update, and query data in all databases within the instance.

userAdminAnyDatabase

Provides permission to create users for all databases within the instance.

dbAdminAnyDatabase

Grants the dbAdmin role on all databases within the instance.

cluster administrator role

hostManager

Grants permissions to monitor and manage servers.

clusterMonitor

Provides permission to monitor clusters and replica sets.

clusterManager

Provides permission to manage and monitor clusters and replica sets.

clusterAdmin

Provides full administrative permissions on the cluster.

backup and recovery roles

backup

Grants permissions required for backup operations.

restore

Grants permissions to restore data from a backup.

super role

Root

Grants superuser access to all resources.