= 1024) leftSidebarOpen = false; if(window.innerWidth >= 1280) rightSidebarOpen = false"<br>:class="{ 'dark': $store.theme.dark, 'left-sidebar-closed': !leftSidebarDesktop, 'right-sidebar-closed': !rightSidebarDesktop, 'overflow-hidden': leftSidebarOpen || rightSidebarOpen, 'sidebars-closed': !leftSidebarDesktop && !rightSidebarDesktop }">
MongoDB RBAC Explained: Users, Roles, and Permissions
Skip to content
Navigation
if (window.innerWidth
Preferences
Layout
Save Sidebar view
Remember if sidebars are open or closed across pages.
Save Sidebar layout preference
Enable Bookmarks
Save your favourite articles locally in this browser.
Enable Local Bookmarks
let scroll = window.scrollY;<br>let docHeight = document.documentElement.scrollHeight - window.innerHeight;<br>this.progress = docHeight > 0 ? Math.max(0, Math.min(1, scroll / docHeight)) : 0;<br>this.ticking = false;<br>});<br>}"<br>@scroll.window.passive="update()"<br>@resize.window.passive="update()"<br>x-init="update()"<br>class="fixed top-0 left-0 w-full h-[3px] z-[100] pointer-events-none">
Visual guide to MongoDB access control with users, roles, and permissions in VisuaLeaf.
There are two major aspects when connecting to MongoDB.<br>One of them is identifying yourself.<br>The other one is defining what you are permitted to do.<br>Both aspects are different from each other.<br>A user could identify itself correctly by using its username and password, yet the user wouldn’t be able to perform any actions with databases, update any document within, add new users, or manage any roles.<br>All these permissions are provided through RBAC.<br>Role-Based Access Control, or RBAC, refers to the allocation of specific roles to users in MongoDB. Roles determine what actions can be performed on particular databases or collections.<br>For this example, I used the VisuaLeaf RBAC Dashboard to create and review users, roles, and permissions visually. The same setup can also be done from the Mongo shell, but using VisuaLeaf makes it easier to see who has access to what.
In my case, I decided to use the streaming_platform_db database, whose collections include:<br>users<br>movies<br>reviews<br>payments<br>subscriptions<br>It is an appropriate choice as not all users would require the same access rights.<br>For instance, the app requires writing operations.<br>The data analyst may require reading operations.<br>The support agent requires viewing users, payments, and subscriptions.<br>Administrative rights should be reserved for admin tasks.<br>A quick overview of MongoDB users, roles, databases, and active sessions in VisuaLeaf.Authentication vs. Authorization<br>Authentication provides an answer to the following question:<br>Is this really the person they claim to be?<br>Authorization provides the answer to the following question:<br>What can this person do?<br>In other words, even if support_agent succeeds in logging into MongoDB, it should prevent them from executing update, insert, and delete queries if their role is read.<br>That is how it should be.<br>The login was successful. The operation wasn’t.<br>This proves that the role works.<br>Sample Environment Configuration<br>I have configured some users in VisuaLeaf with various roles as follows:<br>data_analyst@streaming_platform_db read@streaming_platform_db<br>streamflix_app@admin readWrite@streaming_platform_db<br>support_agent@admin supportViewer@admin, read@streaming_platform_db<br>admin@admin root@admin<br>A simple configuration, yet it includes most possible scenarios.<br>The admin user is used for administrative purposes.<br>The streamflix_app user is used for applications.<br>The data_analyst user is used for generating and reviewing reports.<br>The support_agent user is used for support activities that require data verification without making any changes.<br>MongoDB users and their assigned roles in VisuaLeaf.Role Definition in MongoDB<br>The MongoDB role is defined through privileges.<br>The privilege means:<br>This operation is permitted on this database/resource.<br>The operation can be find, insert, update, or remove.<br>The resource can be a database or an exact collection.<br>Thus, the role is more than just its name; it is a combination of rules.<br>For instance,<br>read@streaming_platform_db<br>means that the user has the permission to read information from streaming_platform_db.<br>It doesn’t imply the user is granted access to read all the databases present on the server.<br>That’s because of the latter part - the database.<br>Built-In Roles You Will Use Often<br>MongoDB has numerous built-in default roles, but you don't have to start with all of them.<br>Most beginners will probably use the following ones first:
Role<br>What it means<br>Good for
read<br>Can view data<br>Analysts, support users
readWrite<br>Can view and change data<br>Application users
dbAdmin<br>Can manage database tasks like indexes<br>Database maintenance
userAdmin<br>Can manage users and roles for a database<br>Access management
root<br>Full admin access<br>Trusted admin account
Here comes the common temptation to use the root role in every case, which will help avoid access issues.<br>It will work just fine at the early...