ApsaraDB for MongoDB: Manage the permissions of MongoDB database users

Last Updated: Jul 12, 2023

In Data Management (DMS), you can manage users for MongoDB databases and grant the users the permissions of different roles. The roles are Common operation role, Administrator action role, Instance-level role, Cluster administrator role, Backup and Recovery roles, and Super role.

Prerequisites

  • A MongoDB database is used.
  • You are a DMS administrator, a database administrator (DBA), or a regular user such as the owner of an instance. For more information, see System roles.

  • The database account and database password of the destination MongoDB database are obtained.
    Important: The database account used to log on to a MongoDB database must be granted the permission to create users.

Create a user

  1. Log on to the DMS console V5.0.
  2. Log on to a MongoDB database. For more information, see Log on to a database instance.
    Important: For a MongoDB replica set instance, you need to log on to the primary node of the instance.
  3. In the left-side navigation pane of the DMS console, right-click the instance that you want to manage and select Account Management.
    Note: If you log on to the DMS console in simple mode, click Database instance in the left-side navigation pane. In the instance list that appears, right-click the instance that you want to manage and select Account Management.
  4. On the Account Management page, select the database for which you want to create a user from the drop-down list.
  5. Click Create User in the upper-left corner.
  6. In the Create User dialog box, perform the following steps:
    1. Specify the user information. Configure the parameters that are described in the following table.
      | Parameter | Description |
      | --- | --- |
      | Target Database | The database for which you want to create a user. Note: If you select a database other than the admin database, the user to be created is a regular user. If you select the admin database, the user to be created is a privileged user. |
      | User name | The name of the user. The name cannot contain Chinese characters. The name can contain letters, digits, and special characters. The name can contain the following special characters: !#$%^&*()_+-= |
      | Password | The password that the user can use to log on to the database. The password must be 8 to 32 characters in length and must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters. This helps ensure data security. The password can contain the following special characters: !#$%^&*()_+-= |
      | Confirm Password | Enter the password again to confirm the password. |
    2. Grant permissions to the user.
      Note
      • If you select the admin database:

        On the Current database permissions tab, you can grant permissions of different roles to the user. The roles are Common operation role, Administrator action role, Instance-level role, Cluster administrator role, Backup and Recovery roles, and Super role. For more information, see Permissions of different roles.

        On the Other database permissions tab, you can grant permissions on other databases in the instance to the user.

      • If you select a database other than the admin database:

        On the Current database permissions tab, you can grant permissions of Common operation role and Administrator action role to the user. For more information, see Permissions of different roles.

        You cannot grant permissions on other databases to the user on the Other database permissions tab.

  7. Click Confirm.
    Note: If the database instance is managed in Security Collaboration mode, SQL statements can be generated based on the parameters that you set. However, the SQL statements may fail to be executed due to security rules. In this case, you can perform operations by following the on-screen instructions or contact a database administrator (DBA) or DMS administrator.
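
The input rules from the Create User dialog box and the role scoping described in step 6, written as a pre-check that builds the user document db.createUser() accepts in mongosh. This is an added example, not DMS or ApsaraDB code; the function names, the orders database, the sample credentials, and the reading of "letters" as ASCII letters are assumptions.

```javascript
// Added example, not DMS code. Rules come from the parameter table and the
// role table on this page; function and variable names are hypothetical.
const ALLOWED = /^[A-Za-z0-9!#$%^&*()_+\-=]+$/; // assumption: "letters" means ASCII letters
const CLASSES = [/[A-Z]/, /[a-z]/, /[0-9]/, /[!#$%^&*()_+\-=]/];
// Roles grantable on any database (Common operation and Administrator action roles).
const DB_ROLES = ["read", "readWrite", "dbAdmin", "userAdmin", "dbOwner"];
// Roles the page offers only when the target database is admin.
const ADMIN_ROLES = ["readAnyDatabase", "readWriteAnyDatabase", "userAdminAnyDatabase",
  "dbAdminAnyDatabase", "hostManager", "clusterMonitor", "clusterManager",
  "clusterAdmin", "backup", "restore", "root"];

function checkPassword(pwd) {
  const errors = [];
  if (pwd.length < 8 || pwd.length > 32) errors.push("password length must be 8 to 32");
  if (!ALLOWED.test(pwd)) errors.push("password contains a character outside the allowed set");
  if (CLASSES.filter((re) => re.test(pwd)).length < 3)
    errors.push("password needs at least three character types");
  return errors;
}

// roles: [{ role, db }]; db defaults to targetDb.
function buildCreateUser(targetDb, user, pwd, roles) {
  const errors = checkPassword(pwd);
  if (!ALLOWED.test(user)) errors.push("user name contains a character outside the allowed set");
  const grants = roles.map(({ role, db = targetDb }) => {
    if (ADMIN_ROLES.includes(role)) {
      if (targetDb !== "admin") errors.push(`${role} requires the admin database as target`);
      return { role, db: "admin" };
    }
    if (!DB_ROLES.includes(role)) errors.push(`${role} is not a role listed on this page`);
    if (db !== targetDb && targetDb !== "admin")
      errors.push(`grant on ${db} requires a user created in admin`);
    return { role, db };
  });
  // Document in the shape db.createUser() takes; null when any rule failed.
  return { errors, command: errors.length ? null : { user, pwd, roles: grants } };
}

// Constructed sample input: a regular user on a hypothetical "orders" database,
// then a request that breaks the password rules and asks for a cluster role.
const ok = buildCreateUser("orders", "report_ro", "Rep0rt-Only", [{ role: "read" }]);
const bad = buildCreateUser("orders", "ops", "short1", [{ role: "clusterAdmin" }]);
console.log(ok.errors, bad.errors);
```

Granting read to a reporting account instead of readWrite or dbOwner keeps the user at the lowest role in the table that still does the job.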

Edit or delete a user

  1. Log on to the DMS console V5.0.
  2. In the left-side navigation pane of the DMS console, right-click the instance that you want to manage and select Account Management.
    Note: If you log on to the DMS console in simple mode, click Database instance in the left-side navigation pane. In the instance list that appears, right-click the instance that you want to manage and select Account Management.
  3. On the Account Management page, select the database for which you want to manage a user.
  4. On the Account Management page, find the user that you want to manage and click Edit in the Operation column to modify the information about the user, or click Delete in the Operation column to delete the user.

Permissions of different roles

The following table describes the permissions of different roles. For more information, visit the MongoDB official website.

| Role | Permission | Description |
| --- | --- | --- |
| Common operation role | read | Allows a user to query data in the database. |
| Common operation role | readWrite | Allows a user to insert, delete, update, or query data in the database. |
| Administrator action role | dbAdmin | Allows a user to manage data in the database, but not to read data from or write data to the database. |
| Administrator action role | userAdmin | Allows a user to create users for the database. |
| Administrator action role | dbOwner | Allows a user to perform all operations on the database. |
| Instance-level role | readAnyDatabase | Allows a user to query data in all databases of the instance. |
| Instance-level role | readWriteAnyDatabase | Allows a user to insert, delete, update, or query data in all databases of the instance. |
| Instance-level role | userAdminAnyDatabase | Allows a user to create users for all databases of the instance. |
| Instance-level role | dbAdminAnyDatabase | Allows a user to manage data in all databases of the instance, but not to read data from or write data to the databases. |
| Cluster administrator role | hostManager | Allows a user to manage data in the database, but not to read data from or write data to the database. |
| Cluster administrator role | clusterMonitor | Allows a user to query clusters and replica sets. |
| Cluster administrator role | clusterManager | Allows a user to manage and monitor clusters and replica sets. |
| Cluster administrator role | clusterAdmin | Allows a user to perform all operations on clusters. |
| Backup and Recovery roles | backup | Allows a user to query data in all databases of the instance. |
| Backup and Recovery roles | restore | Allows a user to insert, delete, update, or query data in all databases of the instance. |
| Super role | Root | Allows a user to perform all operations on all resources in an instance. |