DB Admin Roles
In general, these roles grant database administration privileges. Users who get these roles cannot manage users or roles. These roles focus on schema-related details, indexing, and gathering statistics.
dbAdmin
On the system.profile resource, this role has available actions:
- changeStream
- collStats
- convertToCapped
- createCollection
- dbHash
- dbStats
- dropCollection
- find
- killCursors
- listCollections
- listIndexes
- planCacheRead
On "normal" database resources, this role does not have full access to read contents. This role has available actions:
- bypassDocumentValidation
- collMod
- collStats
- compact
- convertToCapped
- createCollection
- createIndex
- dbStats
- dropCollection
- dropDatabase
- dropIndex
- enableProfiler
- listCollections
- listIndexes
- planCacheIndexFilter
- planCacheRead
- planCacheWrite
- reIndex
- renameCollectionSameDB
- storageDetails
- validate
userAdmin
This role is focused on administering users on the database. It can grant any privilege to any user of the database. When userAdmin is granted on the admin database, a user with this role can even provide superuser access to a cluster.
This role has available actions:
- changeCustomData
- changePassword
- createRole
- createUser
- dropRole
- dropUser
- grantRole
- revokeRole
- setAuthenticationRestriction
- viewRole
- viewUser
dbOwner
This is the god of all roles. It has all of the actions of three other roles combined: readWrite (a user role), dbAdmin, and userAdmin.
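The userAdmin and dbOwner descriptions above imply an audit check: list every user who holds userAdmin's actions, directly or through an inherited custom role, and flag grants on the admin database. The following is an added example, not MongoDB's own code. The user and role documents are constructed samples shaped like usersInfo and rolesInfo output, the names (alice, opsLead, schemaOps, and so on) are hypothetical, and treating dbOwner on admin as cluster-wide follows from the page's statement that dbOwner includes userAdmin.

```javascript
// Roles from this page that carry userAdmin's actions (dbOwner includes userAdmin).
const USER_ADMIN_ROLES = new Set(["userAdmin", "dbOwner"]);

// Constructed sample data, shaped like usersInfo / rolesInfo output.
const sampleUsers = [
  { user: "alice", db: "admin", roles: [{ role: "userAdmin", db: "admin" }] },
  { user: "bob", db: "shop", roles: [{ role: "dbAdmin", db: "shop" }] },
  { user: "carol", db: "shop", roles: [{ role: "dbOwner", db: "shop" }] },
  { user: "dave", db: "admin", roles: [{ role: "opsLead", db: "admin" }] },
];
const sampleCustomRoles = [
  { role: "opsLead", db: "admin", roles: [{ role: "schemaOps", db: "admin" }] },
  { role: "schemaOps", db: "admin",
    roles: [{ role: "dbAdmin", db: "admin" }, { role: "dbOwner", db: "admin" }] },
];

// Expand one granted role into every role it reaches through custom-role inheritance.
function expandRole(grant, customRoles, seen = new Set()) {
  const key = `${grant.db}.${grant.role}`;
  if (seen.has(key)) return [];            // guard against inheritance cycles
  seen.add(key);
  const custom = customRoles.find(r => r.role === grant.role && r.db === grant.db);
  const inherited = custom ? custom.roles.flatMap(r => expandRole(r, customRoles, seen)) : [];
  return [grant, ...inherited];
}

// Report each user who can manage users, and whether that reaches the whole cluster.
function findUserAdminGrants(users, customRoles = []) {
  const findings = [];
  for (const u of users) {
    for (const grant of u.roles) {
      for (const r of expandRole(grant, customRoles)) {
        if (!USER_ADMIN_ROLES.has(r.role)) continue;
        findings.push({
          user: `${u.db}.${u.user}`,
          via: grant.role === r.role ? r.role : `${grant.role} -> ${r.role}`,
          scope: r.db === "admin" ? "cluster (superuser reachable)" : `database ${r.db}`,
        });
      }
    }
  }
  return findings;
}

console.log(findUserAdminGrants(sampleUsers, sampleCustomRoles));
```

bob, who holds only dbAdmin, does not appear in the output, while dave is flagged because his custom role inherits dbOwner on admin two levels down.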