
Data Management: Manage user permissions on MongoDB databases

Last Updated: Jul 18, 2023

Data Management (DMS) allows you to manage users for MongoDB databases and grant the users the permissions of different roles. The roles include Common operation role, Administrator action role, Instance-level role, Cluster administrator role, Backup and Recovery roles, and Super role.

Prerequisites

  • A MongoDB database is used.

  • You are a DMS administrator, a database administrator (DBA), or a regular user such as the owner of an instance. For more information, see System roles.

  • The database account and database password of the MongoDB database are obtained.

  • To create a user for the admin database, you are granted a permission that allows you to create users, such as dbAdminAnyDatabase, userAdmin, or userAdminAnyDatabase. For more information about how to modify a user, see the Modify or delete a user section of this topic.

Create a user

  1. Log on to the DMS console V5.0.
  2. Log on to the MongoDB database. For more information, see Log on to a database instance.

    Important

    If your database instance is a MongoDB replica set instance, log on to the primary node of the instance.

  3. In the left-side navigation pane of the DMS console, right-click the instance that you want to manage and select Account Management.
    Note: If you log on to the DMS console in simple mode, click Database instance in the left-side navigation pane. In the instance list that appears, right-click the instance that you want to manage and select Account Management.
  4. On the Account Management page, select the database that you want to manage from the drop-down list.

  5. Click Create User in the upper-left corner.

  6. In the Create User dialog box, perform the following steps.

    [Figure: Create User dialog box]
    1. Configure user information.

      Parameter: Target Database
      Description: The database for which you want to create a user.

      Note
      • If you do not set the Target Database parameter to admin, the user to be created is a regular user.

      • If you set the Target Database parameter to admin, the user to be created is a privileged user.

      Parameter: User name
      Description: The name of the user.

      • The name cannot contain Chinese characters.

      • The name can contain letters, digits, and special characters.

      • The name can contain the following special characters: ! # $ % ^ & * ( ) _ + - =

      Parameter: Password
      Description: The password that the user can use to log on to the database.

      To ensure data security, we recommend that you set a password that is 8 to 32 characters in length and consists of at least three types of the following characters:

      • Uppercase letters

      • Lowercase letters

      • Digits

      • Special characters: ! # $ % ^ & * ( ) _ + - =

      Parameter: Confirm Password
      Description: Enter the password again to confirm the password.

    2. Grant permissions to the user.

      Note
      • If you set the Target Database parameter to admin:

        On the Current library permissions tab, you can grant the permissions of different roles to the user. The roles include Common operation role, Administrator action role, Instance-level role, Cluster administrator role, Backup and Recovery roles, and Super role. For more information, see the Permissions of different roles section of this topic.

        On the Other library permissions tab, you can grant permissions on other databases in the instance to the user.

      • If you do not set the Target Database parameter to admin:

        On the Current library permissions tab, you can grant the permissions of only Common operation role and Administrator action role to the user. For more information, see the Permissions of different roles section of this topic.

        You cannot grant permissions on other databases to the user on the Other library permissions tab.

  7. Click Confirm.

    Note

    SQL statements can be generated based on the parameters that you configure. If the database instance is managed in Security Collaboration mode, the SQL statements may fail to be executed due to security rules. In this case, you can perform operations as prompted or contact a database administrator (DBA) or DMS administrator.
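
The dialog rules above can be checked before a request is submitted. The following JavaScript is an added example, not DMS code: it validates the user name, password recommendation, and role scope described in this topic and builds the document for MongoDB's createUser command. The function names, the sample "orders" database, and the sample account are hypothetical, and "letters" is assumed to mean ASCII letters.

```javascript
// Added example: encodes the Create User dialog rules from this topic.
// Role tiers follow the "Permissions of different roles" table.
const DB_ROLES = ["read", "readWrite", "dbAdmin", "userAdmin", "dbOwner"];
const ADMIN_ONLY_ROLES = [
  "readAnyDatabase", "readWriteAnyDatabase", "userAdminAnyDatabase",
  "dbAdminAnyDatabase", "hostManager", "clusterMonitor", "clusterManager",
  "clusterAdmin", "backup", "restore", "root",
];
// Assumption: "letters" means ASCII letters; specials are the ones listed above.
const NAME_RE = /^[A-Za-z0-9!#$%^&*()_+\-=]+$/;
const PWD_CLASSES = [/[A-Z]/, /[a-z]/, /[0-9]/, /[!#$%^&*()_+\-=]/];

// Returns a list of rule violations; an empty list means the request is acceptable.
function validateRequest({ targetDb, user, pwd, roles = [], otherDbRoles = [] }) {
  const problems = [];
  if (!NAME_RE.test(user)) problems.push("user name contains disallowed characters");
  const classes = PWD_CLASSES.filter((re) => re.test(pwd)).length;
  if (pwd.length < 8 || pwd.length > 32 || classes < 3)
    problems.push("password misses the recommended 8-32 length / 3 character types");
  // Only users created in admin may receive instance, cluster, backup or super roles.
  const allowed = targetDb === "admin" ? DB_ROLES.concat(ADMIN_ONLY_ROLES) : DB_ROLES;
  for (const role of roles)
    if (!allowed.includes(role)) problems.push(`role ${role} not grantable on ${targetDb}`);
  if (targetDb !== "admin" && otherDbRoles.length > 0)
    problems.push("roles on other databases require Target Database = admin");
  // Assumption: the Other library permissions tab offers database-level roles only.
  for (const { role } of otherDbRoles)
    if (!DB_ROLES.includes(role)) problems.push(`role ${role} is not a per-database role`);
  return problems;
}

// Builds the document for MongoDB's createUser database command.
function buildCreateUser(req) {
  const problems = validateRequest(req);
  if (problems.length > 0) throw new Error(problems.join("; "));
  const current = (req.roles || []).map((role) => ({ role, db: req.targetDb }));
  return { createUser: req.user, pwd: req.pwd, roles: current.concat(req.otherDbRoles || []) };
}

// Constructed sample request: a read-only account on a hypothetical "orders" database.
const sample = { targetDb: "orders", user: "report_reader", pwd: "Rep0rt#Read3r", roles: ["read"] };
const command = buildCreateUser(sample);
console.log(JSON.stringify(command.roles));
// In mongosh: db.getSiblingDB(sample.targetDb).runCommand(command)
```
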

Modify or delete a user

  1. Log on to the DMS console V5.0.
  2. In the left-side navigation pane of the DMS console, right-click the instance that you want to manage and select Account Management.
    Note: If you log on to the DMS console in simple mode, click Database instance in the left-side navigation pane. In the instance list that appears, right-click the instance that you want to manage and select Account Management.
  3. On the Account Management page, select the database that you want to manage from the drop-down list.

  4. On the Account Management page, find the user that you want to manage and click Edit in the Operation column to modify the information about the user, or click Delete in the Operation column to delete the user.

Permissions of different roles

The following table describes the permissions of different roles. For more information, visit the MongoDB official website.

| Role | Permission | Description |
| --- | --- | --- |
| Common operation role | read | Allows a user to query data in the database. |
| Common operation role | readWrite | Allows a user to insert, delete, update, or query data in the database. |
| Administrator action role | dbAdmin | Allows a user to manage data in the database, but not to read data from or write data to the database. |
| Administrator action role | userAdmin | Allows a user to create users for the database. |
| Administrator action role | dbOwner | Allows a user to perform all operations on the database. |
| Instance-level role | readAnyDatabase | Allows a user to query data in all databases of the instance. |
| Instance-level role | readWriteAnyDatabase | Allows a user to insert, delete, update, or query data in all databases of the instance. |
| Instance-level role | userAdminAnyDatabase | Allows a user to create users for all databases of the instance. |
| Instance-level role | dbAdminAnyDatabase | Allows a user to manage data in all databases of the instance, but not to read data from or write data to the databases. |
| Cluster administrator role | hostManager | Allows a user to manage data in the database, but not to read data from or write data to the database. |
| Cluster administrator role | clusterMonitor | Allows a user to query clusters and replica sets. |
| Cluster administrator role | clusterManager | Allows a user to manage and monitor clusters and replica sets. |
| Cluster administrator role | clusterAdmin | Allows a user to perform all operations on clusters. |
| Backup and Recovery roles | backup | Allows a user to query data in all databases of the instance. |
| Backup and Recovery roles | restore | Allows a user to insert, delete, update, or query data in all databases of the instance. |
| Super role | Root | Allows a user to perform all operations on all resources in an instance. |