• Security >
• Security Reference >
• Privilege Actions

Privilege Actions

New in version 2.6.

Privilege actions define the operations a user can perform on a resource. A MongoDB privilege comprises a resource and the permitted actions. This page lists available actions grouped by common purpose.

MongoDB provides built-in roles with pre-defined pairings of resources and permitted actions. For lists of the actions granted, see Built-In Roles. To define custom roles, see Create a User-Defined Role.

Query and Write Actions

find

User can perform the following commands, and their equivalent helper methods:

• aggregate for all pipeline operations except $collStats, $out, and $indexStats.
• checkShardingIndex
• count
• dataSize
• distinct
• filemd5
• find
• geoNear
• geoSearch
• getLastError
• getMore
• getPrevError
• group
• killCursors
• listCollections
• listIndexes
• mapReduce with the {out: inline} option.
• parallelCollectionScan
• repairCursor
• resetError

Required for the query portion of the mapReduce command and db.collection.mapReduce helper method when outputting to a collection.

Required for the query portion of the findAndModify command and db.collection.findAndModify helper method.

Required on the source collection for the cloneCollectionAsCapped and renameCollection commands and the db.collection.renameCollection() helper method.

Apply this action to database or collection resources.

insert

User can perform the following commands and their equivalent methods:

• insert
• create

Required for the output portion of the mapReduce command and db.collection.mapReduce() helper method when outputting to a collection.

Required for the aggregate command and db.collection.aggregate() helper method when using the $out pipeline operator.

Required for the update and findAndModify commands and equivalent helper methods when used with the upsert option.

Required on the destination collection for the following commands and their helper methods:

• clone
• cloneCollection
• cloneCollectionAsCapped
• copydb
• renameCollection

Apply this action to database or collection resources.

remove

User can perform the delete command and equivalent helper method.

Required for the write portion of the findAndModify command and db.collection.findAndModify() method.

Required for the mapReduce command and db.collection.mapReduce() helper method when you specify the replace action when outputting to a collection.

Required for the aggregate command and db.collection.aggregate() helper method when using the $out pipeline operator.

Apply this action to database or collection resources.

update

User can perform the update command and equivalent helper methods.

Required for the mapReduce command and db.collection.mapReduce() helper method when outputting to a collection without specifying the replace action.

Required for the findAndModify command and db.collection.findAndModify() helper method.

Apply this action to database or collection resources.

bypassDocumentValidation

New in version 3.2.

Users can bypass document validation on commands and methods that support the bypassDocumentValidation option:

Command	Method
aggregate	db.collection.aggregate()
applyOps
cloneCollection on the destination collection
clone on the destination
copydb on the destination
findAndModify	db.collection.findAndModify()
insert
mapReduce	db.collection.mapReduce()
update

Apply this action to database or collection resources.

Database Management Actions

changeCustomData

User can change the custom information of any user in the given database. Apply this action to database resources.

changeOwnCustomData

Users can change their own custom information. Apply this action to database resources. See also Change Your Password and Custom Data.

changeOwnPassword

Users can change their own passwords. Apply this action to database resources. See also Change Your Password and Custom Data.

changePassword

User can change the password of any user in the given database. Apply this action to database resources.

createCollection

User can perform the db.createCollection() method. Apply this action to database or collection resources.

createIndex

Provides access to the db.collection.createIndex() method and the createIndexes command. Apply this action to database or collection resources.

createRole

User can create new roles in the given database. Apply this action to database resources.

createUser

User can create new users in the given database. Apply this action to database resources.

dropCollection

User can perform the db.collection.drop() method. Apply this action to database or collection resources.

dropRole

User can delete any role from the given database. Apply this action to database resources.

dropUser

User can remove any user from the given database. Apply this action to database resources.

enableProfiler

User can perform the db.setProfilingLevel() method. Apply this action to database resources.

grantRole

User can grant any role in the database to any user from any database in the system. Apply this action to database resources.

killCursors

User can kill cursors on the target collection.

revokeRole

User can remove any role from any user from any database in the system. Apply this action to database resources.

unlock

User can perform the db.fsyncUnlock() method. Apply this action to the cluster resource.

viewRole

User can view information about any role in the given database. Apply this action to database resources.

viewUser

User can view the information of any user in the given database. Apply this action to database resources.

Deployment Management Actions

authSchemaUpgrade

User can perform the authSchemaUpgrade command. Apply this action to the cluster resource.

cleanupOrphaned

User can perform the cleanupOrphaned command. Apply this action to the cluster resource.

cpuProfiler

User can enable and use the CPU profiler. Apply this action to the cluster resource.

inprog

User can use the db.currentOp() method to return information on pending and active operations. Apply this action to the cluster resource.

Changed in version 3.2.9: Even without the inprog privilege, on mongod instances, users can view their own operations by running db.currentOp( { "$ownOps": true } ).

invalidateUserCache

Provides access to the invalidateUserCache command. Apply this action to the cluster resource.

killop

User can perform the db.killOp() method. Apply this action to the cluster resource.

Changed in version 3.2.9: Even without the killop privilege, on mongod instances, users can kill their own operations.

planCacheRead

User can perform the planCacheListPlans and planCacheListQueryShapes commands and the PlanCache.getPlansByQuery() and PlanCache.listQueryShapes() methods. Apply this action to database or collection resources.

planCacheWrite

User can perform the planCacheClear command and the PlanCache.clear() and PlanCache.clearPlansByQuery() methods. Apply this action to database or collection resources.

storageDetails

User can perform the storageDetails command. Apply this action to database or collection resources.

Replication Actions

appendOplogNote

User can append notes to the oplog. Apply this action to the cluster resource.

replSetConfigure

User can configure a replica set. Apply this action to the cluster resource.

replSetGetConfig

User can view a replica set’s configuration. Provides access to the replSetGetConfig command and rs.conf() helper method.

Apply this action to the cluster resource.

replSetGetStatus

User can perform the replSetGetStatus command. Apply this action to the cluster resource.

replSetHeartbeat

User can perform the replSetHeartbeat command. Apply this action to the cluster resource.

replSetStateChange

User can change the state of a replica set through the replSetFreeze, replSetMaintenance, replSetStepDown, and replSetSyncFrom commands. Apply this action to the cluster resource.

resync

User can perform the resync command. Apply this action to the cluster resource.

Sharding Actions

addShard

User can perform the addShard command. Apply this action to the cluster resource.

enableSharding

User can enable sharding on a database using the enableSharding command and can shard a collection using the shardCollection command. Apply this action to database or collection resources.

flushRouterConfig

User can perform the flushRouterConfig command. Apply this action to the cluster resource.

getShardMap

User can perform the getShardMap command. Apply this action to the cluster resource.

getShardVersion

User can perform the getShardVersion command. Apply this action to database resources.

listShards

User can perform the listShards command. Apply this action to the cluster resource.

moveChunk

User can perform the moveChunk command. In addition, user can perform the movePrimary command provided that the privilege is applied to an appropriate database resource. Apply this action to database or collection resources.

removeShard

User can perform the removeShard command. Apply this action to the cluster resource.

shardingState

User can perform the shardingState command. Apply this action to the cluster resource.

splitChunk

User can perform the splitChunk command and the mergeChunks command. Apply this action to database or collection resources.

splitVector

User can perform the splitVector command. Apply this action to database or collection resources.

Server Administration Actions

applicationMessage

User can perform the logApplicationMessage command. Apply this action to the cluster resource.

closeAllDatabases

User can perform the closeAllDatabases command. Apply this action to the cluster resource.

collMod

User can perform the collMod command. Apply this action to database or collection resources.

compact

User can perform the compact command. Apply this action to database or collection resources.

connPoolSync

User can perform the connPoolSync command. Apply this action to the cluster resource.

convertToCapped

User can perform the convertToCapped command. Apply this action to database or collection resources.

dropDatabase

User can perform the dropDatabase command. Apply this action to database resources.

dropIndex

User can perform the dropIndexes command. Apply this action to database or collection resources.

fsync

User can perform the fsync command. Apply this action to the cluster resource.

getParameter

User can perform the getParameter command. Apply this action to the cluster resource.

hostInfo

Provides information about the server the MongoDB instance runs on. Apply this action to the cluster resource.

logRotate

User can perform the logRotate command. Apply this action to the cluster resource.

reIndex

User can perform the reIndex command. Apply this action to database or collection resources.

renameCollectionSameDB

Allows the user to rename collections on the current database using the renameCollection command. Apply this action to database resources.

Additionally, the user must either have find on the source collection or not have find on the destination collection.

If a collection with the new name already exists, the user must also have the dropCollection action on the destination collection.

repairDatabase

User can perform the repairDatabase command. Apply this action to database resources.

setParameter

User can perform the setParameter command. Apply this action to the cluster resource.

shutdown

User can perform the shutdown command. Apply this action to the cluster resource.

touch

User can perform the touch command. Apply this action to the cluster resource.

Diagnostic Actions

collStats

User can perform the collStats command. Apply this action to database or collection resources.

connPoolStats

User can perform the connPoolStats and shardConnPoolStats commands. Apply this action to the cluster resource.

cursorInfo

User can perform the cursorInfo command. Apply this action to the cluster resource.

dbHash

User can perform the dbHash command. Apply this action to database or collection resources.

dbStats

User can perform the dbStats command. Apply this action to database resources.

diagLogging

User can perform the diagLogging command. Apply this action to the cluster resource.

getCmdLineOpts

User can perform the getCmdLineOpts command. Apply this action to the cluster resource.

getLog

User can perform the getLog command. Apply this action to the cluster resource.

indexStats

User can perform the indexStats command. Apply this action to database or collection resources.

Changed in version 3.0: MongoDB 3.0 removes the indexStats command.

listDatabases

User can perform the listDatabases command. Apply this action to the cluster resource.

listCollections

User can perform the listCollections command. Apply this action to database resources.

listIndexes

User can perform the listIndexes command. Apply this action to database or collection resources.

netstat

User can perform the netstat command. Apply this action to the cluster resource.

serverStatus

User can perform the serverStatus command. Apply this action to the cluster resource.

validate

User can perform the validate command. Apply this action to database or collection resources.

top

User can perform the top command. Apply this action to the cluster resource.

Internal Actions

anyAction

Allows any action on a resource. Do not assign this action unless it is absolutely necessary.

internal

Allows internal actions. Do not assign this action unless it is absolutely necessary.

←   Resource Document System Event Audit Messages  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.