跳至内容

Role-Based Access Control (RBAC) in MongoDB

Discover role-based access control (RBAC) in MongoDB in managing users and roles, creating custom roles, and enforcing least-privilege policies for deployments.
2026年7月6日  · 5分钟

As more people get online in this digital age, there’s an increased need for defining permissions and roles to ensure security and manage access to applications and systems. Role-based access control is an authorization model used to control access to resources based on users' predefined roles. 

With MongoDB's RBAC model, actions are represented in the form of roles, which are assigned to the right users. For example, instead of assigning several individual permissions, you can assign a single role (e.g., dbAdmin), which automatically includes the defined set of permissions (e.g., read on collections in the database). This model makes it easy to manage user access in a scalable way.

Enabling RBAC in MongoDB

With the core RBAC model, access is denied by default, which means users cannot access resources without having a role. Users can be assigned multiple roles, and each role can have a specific set of privileges or permissions to access certain capabilities.

RBAC Core Concepts

Here are some of the key concepts you need to know about RBAC:

Users

In the RBAC model, a user is an entity that is granted one or more roles that determine the user's access to database resources and operations. A user won’t have access to a system if there are no role assignments. To get access to a system, users must authenticate and must be assigned at least one role.

Roles

MongoDB provides built-in roles and privileges for self-managed deployments as well as MongoDB Atlas. Some common built-in roles are read, readWrite, and dbAdmin/atlasAdmin roles. Database admin roles have higher privileges compared to any other database user roles, including the privilege to manage the privileges of other roles.

If these built-in roles cannot provide the desired set of privileges, MongoDB provides methods to create and modify user-defined roles.

A role is a set of privileges assigned to the user.

For example, a “read” role could have read-only privileges, an “admin” role could have read and write privileges, while the “owner” role can have read, write, and delete privileges to a particular item (a database, a document, etc).  A role grants privileges to perform the specified actions on resources. Each privilege is either specified explicitly in the role or inherited from another role, or both.

User-Defined Roles / Custom Roles

MongoDB provides a number of built-in roles that administrators can use to control access to a MongoDB system. However, if the existing roles cannot describe the specific privileges you want, you can define and assign new roles to users in a database - that’s a custom role. With the exception of roles created in the admin database, a role can only include privileges that apply to its database and can only inherit from other roles in its database.

To create a new role, use the db.createRole() method, specifying the privileges in the privileges array and the inherited roles in the roles array.

MongoDB uses the combination of the database name and the role name to uniquely define a role, and MongoDB stores all role information in the admin.system.roles collection in the admin database.

Example: This example creates a custom role (sales_attendant) that can only insert documents into the sales collection within the sales_db database.

use sales
db.createRole(
   {
     role: "sales_attendant",
     privileges: [
       {
         resource: { db: "sales_db", collection: "sales" },
         actions: [ "insert" ]
       }
     ],
     roles: []
   }
)

Built-in roles 

Built-in roles are pre-created roles assigned to users that allow them to perform operations such as read and write on collections in a database. Examples of built-in roles are read, write, readWrite, dbAdmin, and readAnyDatabase.

  • read and readWrite (database-level access): These roles grant access to perform read-only or read/write operations, respectively, on all non-system collections within a specified database.
  • dbAdmin: This role grants administrative rights necessary for managing a specific database, such as creating, dropping, and modifying indexes and collections. This is suitable for development teams or database maintenance scripts.
  • clusterAdmin (operational access): This role is a high-privilege role mostly reserved for operations (DevOps/Ops) personnel. It grants permissions necessary for managing the entire MongoDB deployment, which includes creating periodic backups, configuring replica sets, and sharding.

Privileges (permissions)

Privileges are a set of actions (e.g., find, insert) that are allowed on a capability. For

example, if the capability is to “inform the customer about their current balance,” then the user privileges (let’s say the bank teller) could be read-only. If the capability is to increase the transactional limit of a bank account, the privileges could be read and write.

Inherited Privileges

A role can include one or more existing roles (including all the privileges). For example, a dbAdmin role may include read, write, and update roles(which can be individual roles) that come with its privileges.

Resources

A resource is a database, collection, set of collections, or the cluster. 

Implementing the Principle of Least Privilege

In modern database security, the Principle of Least Privilege (PoLP) is crucial. This principle states that every user should be assigned the minimum permissions necessary to perform their required tasks.

Here is an example of the best practice: Instead of using a global readWrite user, create application-specific users. For example, if your inventory service only interacts with the app_data database, the application user should only be granted readWrite access to that single database. This compartmentalization prevents a compromised service from gaining unauthorized access to other databases (like billing or users).

Code example

Creating a least-privilege user. This example creates a user (branch_manager) with read/write access limited strictly to the bank_data database.

use admin
db.createUser(
   {
     user: "branch_manager",
     pwd: passwordPrompt(),
     roles: [ 
       { role: "readWrite", db: "bank_data" }
     ]
   }
)

Best Practices

  • Create and assign well-defined roles and policies in advance.
  • Follow the principle of least privilege to ensure tight security.
  • Use built-in roles when possible; audit assigned roles periodically to spot anomalies.

FAQs

What is RBAC in MongoDB?

Role-based access control is a security control used to manage user access.

What is the difference between a built-in role and a custom role?

A built-in role is a pre-created role assigned to users that allow them to perform operations such as read and write on collections in a database and a custom role is a user-defined role that describes the specific privileges you want.

Why is the Principle of Least Privilege important?

It is important because it ensures that users are assigned the minimum permissions necessary to perform their required tasks.

If you want a store manager to be able to only read and write data from a specific database, which type of role would you assign?

readWrite

What command is used to create a custom role?

db.createRole()


Afi Gbadago's photo
Author
Afi Gbadago
LinkedIn

Afi advocates for developers at MongoDB with a focus on Django and Python, helping engineers build with modern data technologies through tutorials, talks, and community engagement. A recognized Microsoft MVP for Python and the Web, she serves on the Django Software Foundation board and is Programme Chair for DjangoCon US 2025. Afi is also a Regional Executor for Black Python Devs and an active open-source contributor and international speaker.

主题

Top DataCamp Courses

Courses

Python 中的 MongoDB 入门

3小时
24K
学习使用 MongoDB 灵活处理和分析结构化数据。
查看详情Right Arrow
开始课程
查看更多Right Arrow
有关的

blogs

What Is MongoDB? Key Concepts, Use Cases, and Best Practices

This guide explains MongoDB, how it works, why developers love it, and how to start using this flexible NoSQL database.
Karen Zhang's photo

Karen Zhang

15分钟

Tutorials

MongoDB Security 101: Core Features Every Developer Should Know

Master authentication, role-based access control (RBAC), PoLP, TLS/SSL encryption, and CSFLE to build secure, performant NoSQL applications.
Karen Zhang's photo

Karen Zhang

Tutorials

MongoDB Data Modeling Guide for Blogging Apps

Learn some data modeling possibilities that include nested documents when designing a content management system (CMS) or blog app.
Nic Raboy's photo

Nic Raboy

Tutorials

Getting Started with MongoDB Query API

Master the MongoDB Query API with this comprehensive guide to CRUD operations, advanced filters, data aggregation, and performance-boosting indexing.
Karen Zhang's photo

Karen Zhang

Tutorials

Preventing SQL/NoSQL Injection Attacks in MongoDB

Secure MongoDB from NoSQL injection by validating input, securing queries, and using defense-in-depth. Learn attack patterns and prevention in this guide.
Samuel Molling's photo

Samuel Molling

Tutorials

The Complete Guide to AWS Identity and Access Management (IAM)

Learn how to use AWS Identity and Access Management (IAM) to secure your AWS environment, manage access with users, groups, and roles, and implement best practices for robust security.
Joleen Bothma's photo

Joleen Bothma

查看更多查看更多