Actions and Roles
There are many actions in a mongodb.
Actions are taken on resources.
Resources are databases, collections, & clusters.
A tabular view
| Action | Action Description | On Resources | Docs Link |
|---|---|---|---|
| Query & Write | |||
| find | get data: aggregate, countm distinct, find, listCollections, listIndexes, etc. | Databases, Collections | find |
| insert | add data: insert & create | database, collection | insert |
| remove | remove data: delete | database, collection | delete |
| update | update data: update | database, collection | delete |
| bypassDocumentValidation | skip validation. specific commands & methods can support ddoc validation: aggregate, applyOps, insert, update, mapReduce, and findAndModify | database, collection | delete |
| useUUID | remove data: delete | database, collection | delete |
| DB Management | |||
| changeCustomData | change any "custom info" of any user in a db | Databases | changeCustomData |
| changeOwnCustomData | change any "custom info" of themselves | Databases | changeOwnCustomData |
| changePassword | change the pw of any user in a db | Databases | changePassword |
| createCollection | allows a user to run db.createCollection |
Databases, Collections | createCollection |
| createIndex | allows a user to run db.db.collection.createIndex() and and createIndexes |
Databases, Collections | createIndex |
| createRole | create a role on a db | Databases | createRole |
| createUser | allows a user to create a user on a db | Databases | createUser |
| dropCollection | allows a user to run db.dropCollection |
Databases, Collections | dropCollection |
| dropRole | delete a role from a db | Databases | dropRole |
| dropUser | drop a user from a db | Databases | dropUser |
| enableProfiler | allows running db.setProfilingLevel() |
Databases | enableProfiler |
| grantRole | grant any role to any user | Databases | grantRole |
| killCursors | ...has no effect in mongoDB 4.2+ - all users can kill their own cursor | Collections | killCursors |
| killAnyCursor | kill cursors created by any user | Collections | killAnyCursor |
| revokeRole | remove any role from any user in a db | Databases | revokeRole |
| setAuthenticationRestriction | specify authentication field on users when running createUser amd updateUser. specify authenticationRestrictions in roles when running createRole and updateRole |
Databases | setAuthenticationRestriction |
| unlock | allows a user to run db.fsyncUnlock |
Cluster | unlock |
| viewRole | view any role in a db | Databases | viewRole |
| viewUser | view info on any user in a db | Databases | viewUser |
| DB Deployment Management | |||
| authSchemaUpgrade | Clusters | authSchemaUpgrade | |
| cleanupOrphaned | Clusters | cleanupOrphaned | |
| cpuProfile | enable & view the cpu profiler | Databases | cpuProfile |
| inprog | run the db.currentOp() to get info on pending & active operations. NOTE: since v3.2.9, all users can see their own running operations with db.currentOps({$own: true}) |
Clusters | inprog |
| invalidateUserCache | Clusters | invalidateUserCache | |
| killop | can run the db.killOp(). NOTE: sinve v3.2.9 users can kill their own ops |
Clusters | killop |
| planCacheRead | can run $planCacheStats in a agg stage |
Databases | planCacheRead |
| planCacheWrite | can perform planCacheClear, PlanCache.clear() and PlanCache.clearPlansByQuery(). |
Databases, Collections | planCacheWrite |
| storageDetails | this is still a permission, but storageDetails is deprecated |
Databases, Collections | storageDetails |
| Change Stream Action | |||
| changeStream | open a changeStream cursor on a non-system collection across all dbs | Database | changeStream |
| Replication Actions | |||
| appendOplogNote | append note to the oplog | Cluster | appendOplogNote |
| replSetConfigure | configure a replica set | Cluster | replSetConfigure |
| replSetGetConfig | view a replica set's config, allow users to run rs.conf() |
Cluster | replSetGetConfig |
| replSetGetStatus | get the status of a replicaSet with replSetGetStatus |
Cluster | replSetGetStatus |
| replSetHeartbeat | run replSetHeartbeat which is deprecated |
Cluster | replSetHeartbeat |
| replSetStateChange | change the state of a replicaSet: replSetFreeze, replSetMaintenance,replSetStepDown, replSetSyncFrom |
Cluster | replSetStateChange |
| resync | run resync which is deprecated |
Cluster | resync |
| Sharding Actions | |||
| Server Admin Actions | |||
| Session Actions | |||
| Free Monitoring Actions | |||
| Diagnostic Actions | |||
| Internal Actions |