
ApsaraDB for MongoDB:Permissions of the root account specified during instance creation

Last Updated: Mar 30, 2026

When you create an ApsaraDB for MongoDB instance, the system automatically creates a root account in the admin database. The permissions granted to this root account depend on the MongoDB version your instance runs.

| Instance version | Role assigned to root account |
| --- | --- |
| MongoDB 4.2 and earlier | Built-in root role |
| MongoDB 4.4 or later | alibabaCloudAdmin role (Alibaba Cloud custom role) |

To check what the root account can do, run:

db.getSiblingDB("admin").runCommand({usersInfo: "root"});

Note

For details on the usersInfo command, see usersInfo.

To inspect a specific role's permissions, use the rolesInfo command. For the built-in root role, see root.

Important

For data security, avoid using the root account for day-to-day database operations. Instead, create a dedicated database account with only the permissions your workload requires. See Create an account for an ApsaraDB for MongoDB instance.

Permissions of the alibabaCloudAdmin role

The alibabaCloudAdmin role is a custom role for ApsaraDB for MongoDB. It differs from the standard root role — understanding these differences helps you avoid unexpected permission errors.

Included built-in roles

The alibabaCloudAdmin role combines the following MongoDB built-in roles:

| Built-in role | Capabilities |
| --- | --- |
| readWriteAnyDatabase | Read and write collections in any database |
| userAdminAnyDatabase | Manage accounts in any database |
| dbAdminAnyDatabase | Query statistics and manage indexes in any database |
| clusterMonitor | Read-only access to monitoring tools |
| backup | Perform backup operations |
| enableSharding | Enable sharding on a database |
| restore | Restore data from backups |

Admin database restriction

The alibabaCloudAdmin role has read-only access to the admin database. It cannot write to the admin database, and it cannot create accounts with write permissions on the admin database.

Important

In some scenarios, severe performance jitter may occur when you write data to the admin database. As a result, you cannot create users or roles with readWrite, dbAdmin, or dbOwner permissions scoped to the admin database.

Differences from standard MongoDB behavior

ApsaraDB for MongoDB's xxxAnyDatabase permissions (such as readWriteAnyDatabase) do not cover the config, local, and admin databases. In standard MongoDB, these roles include all databases. Keep this in mind when granting permissions for operations that touch these system databases.

Sharded cluster O&M commands

For sharded cluster instances, the root account with alibabaCloudAdmin can run the following O&M commands directly:

flushRouterConfig, cleanupOrphaned, runCommandOnShard, splitVector, clearJumboFlag, moveChunk, splitChunk

FAQ

Why can't I create a user or role with `clusterAdmin`, `clusterManager`, or `hostManager` privileges?

The alibabaCloudAdmin role does not include these cluster-level privileges, so you cannot grant them to custom users or roles — a custom account's permissions cannot exceed the root account's own permission scope.

Why can't I create a user or role with `readWrite`, `dbAdmin`, or `dbOwner` on the admin database?

The alibabaCloudAdmin role has only read permissions on the admin database, so it cannot create accounts with write access there. Create users or roles with these permissions on a non-admin database instead.

How do I create an account with read/write access to all custom collections?

Create the account in the admin database and assign the readWriteAnyDatabase role:

db.getSiblingDB("admin").createUser({
  user: "myName",
  pwd: "myPassword",
  roles: ["readWriteAnyDatabase"]
})

I need to run sharded cluster O&M commands, but I can't create a `clusterManager` role. What do I do?

The root account already supports the O&M commands listed in the Sharded cluster O&M commands section — use it directly for those operations.

To run a specific command with a custom account, create a custom role that grants only the actions you need. The following example creates a role in the admin database that can run splitVector, then a user that inherits it (the user's roles entry "myRole" is a plain string, so it is looked up in the same database as the user, which is why the role must be created in admin):

// Create the role in the admin database so the user below can reference it by name.
db.getSiblingDB("admin").runCommand({
  createRole: "myRole",
  privileges: [{
    resource: { db: "", collection: "" },
    actions: ["splitVector"]
  }],
  roles: ["readAnyDatabase"]
})

db.getSiblingDB("admin").createUser({
  user: "myUser",
  pwd: "myPassword",
  roles: ["myRole"]
})

Why does my new account get a permissions error when using change streams in the admin database?

The xxxAnyDatabase roles in ApsaraDB for MongoDB do not cover the admin database (unlike standard MongoDB). Keep readAnyDatabase for the other databases, and additionally grant the account read on the admin database explicitly:

db.adminCommand({
  grantRolesToUser: "myUser",
  roles: [{ role: "read", db: "admin" }]
})

Why does a role created with the flink-sql-connector-mongodb-cdc example show no permissions?

The listDatabases action must be assigned to a cluster resource, not a database or collection resource. Use the following command to create the role correctly:

db.createRole({
  role: "flinkrole",
  privileges: [
    {
      resource: { db: "", collection: "" },
      actions: [
        "splitVector",
        "listCollections",
        "collStats",
        "find",
        "changeStream"
      ]
    },
    {
      resource: { cluster: true },
      actions: ["listDatabases"]
    }
  ],
  roles: [
    { role: "read", db: "config" }
  ]
});

If you still get errors after creating the role and user, submit a ticket to contact Alibaba Cloud technical support.
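As an added example that is not part of this page or of Alibaba Cloud's tooling, the following Node.js script lints a createRole document against the constraints described on this page (listDatabases must sit on a cluster resource, no write roles or write actions scoped to admin, no clusterAdmin/clusterManager/hostManager inheritance) before you send it to the instance. The set of cluster-scoped actions is a hand-maintained subset and an assumption, and the two sample role documents are constructed for the demonstration.

```javascript
// Added example (not Alibaba Cloud's code): pre-flight lint for a createRole
// document destined for an ApsaraDB for MongoDB instance whose root account
// holds alibabaCloudAdmin. CLUSTER_ACTIONS is a hand-maintained subset (assumption).
const CLUSTER_ACTIONS = new Set(["listDatabases", "listShards", "serverStatus", "flushRouterConfig"]);
const WRITE_ACTIONS = new Set(["insert", "update", "remove"]);
const ADMIN_WRITE_ROLES = new Set(["readWrite", "dbAdmin", "dbOwner"]);
const UNGRANTABLE_ROLES = new Set(["clusterAdmin", "clusterManager", "hostManager"]);

// def: the document passed to db.createRole(); targetDb: the database it is created in.
// Returns human-readable findings; an empty array means no known issue.
function lintRole(def, targetDb) {
  const findings = [];
  for (const p of def.privileges || []) {
    const res = p.resource || {};
    for (const a of p.actions || []) {
      if (CLUSTER_ACTIONS.has(a) && res.cluster !== true) {
        findings.push(`${a} must be granted on {cluster: true}, not ${JSON.stringify(res)}`);
      }
      if (WRITE_ACTIONS.has(a) && res.db === "admin") {
        findings.push(`${a} on admin: root has read-only access to admin and cannot grant writes there`);
      }
    }
  }
  for (const r of def.roles || []) {
    const role = typeof r === "string" ? r : r.role;
    const db = typeof r === "string" ? targetDb : r.db; // string form = same db as the new role
    if (UNGRANTABLE_ROLES.has(role)) {
      findings.push(`${role} exceeds alibabaCloudAdmin's scope and cannot be inherited`);
    }
    if (ADMIN_WRITE_ROLES.has(role) && db === "admin") {
      findings.push(`${role} on admin cannot be granted; scope it to a non-admin database`);
    }
  }
  return findings;
}

// Constructed samples: the listDatabases mis-scoping from the flink FAQ, and its fix.
const brokenFlinkRole = {
  role: "flinkrole",
  privileges: [{ resource: { db: "", collection: "" },
                 actions: ["splitVector", "listCollections", "collStats", "find", "changeStream", "listDatabases"] }],
  roles: [{ role: "read", db: "config" }],
};
const fixedFlinkRole = {
  role: "flinkrole",
  privileges: [
    { resource: { db: "", collection: "" }, actions: ["splitVector", "listCollections", "collStats", "find", "changeStream"] },
    { resource: { cluster: true }, actions: ["listDatabases"] },
  ],
  roles: [{ role: "read", db: "config" }],
};
console.log(lintRole(brokenFlinkRole, "admin")); // one finding about listDatabases
console.log(lintRole(fixedFlinkRole, "admin"));  // []
```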