MongoDB Table View of Permissions and Roles

Actions and Roles

MongoDB defines many privilege actions.
Each action is granted on a resource. Resources are databases, collections, and clusters.

A tabular view

| Action                       | Action Description                                                                                                                                                           | On Resources           |                                                                                                                                    Docs Link |
| :--------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------- | -------------------------------------------------------------------------------------------------------------------------------------------: |
| **Query & Write**            |                                                                                                                                                                              |                        |                                                                                                                                              |
| find                         | get data: aggregate, count, distinct, find, listCollections, listIndexes, etc.                                                                                               | Databases, Collections |                                                 [find](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-find) |
| insert                       | add data: insert & create                                                                                                                                                    | database, collection   |                                             [insert](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-insert) |
| remove                       | remove data: delete                                                                                                                                                          | database, collection   |                                             [remove](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-remove) |
| update                       | update data: update                                                                                                                                                          | database, collection   |                                             [update](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-update) |
| bypassDocumentValidation     | skip validation. specific commands & methods can support document validation: aggregate, applyOps, insert, update, mapReduce, and findAndModify                              | database, collection   |         [bypassDocumentValidation](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-bypassDocumentValidation) |
| useUUID                      | remove data: delete                                                                                                                                                          | database, collection   |                                           [useUUID](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-useUUID) |
| **DB Management**            |                                                                                                                                                                              |                        |                                                                                                                                              |
| changeCustomData             | change any "custom info" of any user in a db                                                                                                                                 | Databases              |                         [changeCustomData](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-changeCustomData) |
| changeOwnCustomData          | change any "custom info" of themselves                                                                                                                                       | Databases              |                   [changeOwnCustomData](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-changeOwnCustomData) |
| changePassword               | change the pw of any user in a db                                                                                                                                            | Databases              |                             [changePassword](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-changePassword) |
| createCollection             | allows a user to run `db.createCollection`                                                                                                                                   | Databases, Collections |                         [createCollection](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-createCollection) |
| createIndex                  | allows a user to run `db.collection.createIndex()` and `createIndexes`                                                                                                       | Databases, Collections |                                   [createIndex](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-createIndex) |
| createRole                   | create a role on a db                                                                                                                                                        | Databases              |                                     [createRole](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-createRole) |
| createUser                   | allows a user to create a user on a db                                                                                                                                       | Databases              |                                     [createUser](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-createUser) |
| dropCollection               | allows a user to run `db.collection.drop()`                                                                                                                                  | Databases, Collections |                             [dropCollection](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-dropCollection) |
| dropRole                     | delete a role from a db                                                                                                                                                      | Databases              |                                         [dropRole](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-dropRole) |
| dropUser                     | drop a user from a db                                                                                                                                                        | Databases              |                                         [dropUser](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-dropUser) |
| enableProfiler               | allows running `db.setProfilingLevel()`                                                                                                                                      | Databases              |                             [enableProfiler](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-enableProfiler) |
| grantRole                    | grant any role to any user                                                                                                                                                   | Databases              |                                       [grantRole](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-grantRole) |
| killCursors                  | ...has no effect in mongoDB 4.2+ - all users can kill their own cursor                                                                                                       | Collections            |                                   [killCursors](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-killCursors) |
| killAnyCursor                | kill cursors created by any user                                                                                                                                             | Collections            |                               [killAnyCursor](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-killAnyCursor) |
| revokeRole                   | remove any role from any user in a db                                                                                                                                        | Databases              |                                     [revokeRole](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-revokeRole) |
| setAuthenticationRestriction | specify authentication field on users when running `createUser` and `updateUser`. specify authenticationRestrictions in roles when running `createRole` and `updateRole`     | Databases              | [setAuthenticationRestriction](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-setAuthenticationRestriction) |
| unlock                       | allows a user to run `db.fsyncUnlock`                                                                                                                                        | Cluster                |                                             [unlock](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-unlock) |
| viewRole                     | view any role in a db                                                                                                                                                        | Databases              |                                         [viewRole](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-viewRole) |
| viewUser                     | view info on any user in a db                                                                                                                                                | Databases              |                                         [viewUser](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-viewUser) |
| **DB Deployment Management** |                                                                                                                                                                              |                        |
| authSchemaUpgrade            |                                                                                                                                                                              | Clusters               |                       [authSchemaUpgrade](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-authSchemaUpgrade) |
| cleanupOrphaned              |                                                                                                                                                                              | Clusters               |                           [cleanupOrphaned](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-cleanupOrphaned) |
| cpuProfile                   | enable & view the cpu profiler                                                                                                                                               | Databases              |                                     [cpuProfile](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-cpuProfile) |
| inprog                       | run the `db.currentOp()` to get info on pending & active operations. NOTE: since v3.2.9, all users can see _their own running operations_ with `db.currentOp({$ownOps: true})` | Clusters               |                                             [inprog](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-inprog) |
| invalidateUserCache          |                                                                                                                                                                              | Clusters               |                   [invalidateUserCache](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-invalidateUserCache) |
| killop                       | can run the `db.killOp()`. NOTE: since v3.2.9 users can kill their own ops                                                                                                   | Clusters               |                                             [killop](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-killop) |
| planCacheRead                | can run `$planCacheStats` in an aggregation stage                                                                                                                            | Databases              |                               [planCacheRead](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-planCacheRead) |
| planCacheWrite               | can perform `planCacheClear`, `PlanCache.clear()` and `PlanCache.clearPlansByQuery()`.                                                                                       | Databases, Collections |                             [planCacheWrite](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-planCacheWrite) |
| storageDetails               | this is still a permission, but `storageDetails` is deprecated                                                                                                               | Databases, Collections |                             [storageDetails](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-storageDetails) |
| **Change Stream Action**     |                                                                                                                                                                              |                        |
| changeStream                 | open a changeStream cursor on a non-system collection across all dbs                                                                                                         | Database               |                                 [changeStream](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-changeStream) |
| **Replication Actions**      |                                                                                                                                                                              |                        |
| appendOplogNote              | append note to the oplog                                                                                                                                                     | Cluster                |                           [appendOplogNote](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-appendOplogNote) |
| replSetConfigure             | configure a replica set                                                                                                                                                      | Cluster                |                         [replSetConfigure](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-replSetConfigure) |
| replSetGetConfig             | view a replica set's config, allow users to run `rs.conf()`                                                                                                                  | Cluster                |                         [replSetGetConfig](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-replSetGetConfig) |
| replSetGetStatus             | get the status of a replicaSet with `replSetGetStatus`                                                                                                                       | Cluster                |                         [replSetGetStatus](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-replSetGetStatus) |
| replSetHeartbeat             | run `replSetHeartbeat` which is deprecated                                                                                                                                   | Cluster                |                         [replSetHeartbeat](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-replSetHeartbeat) |
| replSetStateChange           | change the state of a replicaSet: `replSetFreeze`, `replSetMaintenance`,`replSetStepDown`, `replSetSyncFrom`                                                                 | Cluster                |                     [replSetStateChange](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-replSetStateChange) |
| resync                       | run `resync` which is deprecated                                                                                                                                             | Cluster                |                                             [resync](https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-resync) |
| **Sharding Actions**         |                                                                                                                                                                              |                        |
| **Server Admin Actions**     |                                                                                                                                                                              |                        |
| **Session Actions**          |                                                                                                                                                                              |                        |
| **Free Monitoring Actions**  |                                                                                                                                                                              |                        |
| **Diagnostic Actions**       |                                                                                                                                                                              |                        |
| **Internal Actions**         |                                                                                                                                                                              |                        |
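
The table pairs each action with the kind of resource it applies to, and a role carries those pairs as privilege documents of the form `{ resource, actions }`, the shape `db.createRole()` accepts. The following is an added example, not code from the original page: an offline check of a role document against a subset of the table's "On Resources" column. The role name `orderService`, the database `shop`, and the choice of which actions to flag for review are assumptions made for illustration.

```javascript
// Added example, not from the original page. Scope per action is copied
// from the table's "On Resources" column (subset of rows).
const SCOPE = {
  find: "db", insert: "db", remove: "db", update: "db",
  createCollection: "db", createIndex: "db", dropCollection: "db",
  createUser: "db", dropUser: "db", changePassword: "db",
  createRole: "db", dropRole: "db", grantRole: "db", revokeRole: "db",
  unlock: "cluster", inprog: "cluster", killop: "cluster",
  replSetConfigure: "cluster", replSetGetStatus: "cluster",
  replSetStateChange: "cluster", appendOplogNote: "cluster",
};

// Assumption (reviewer's choice, not stated on the page): actions that change
// users, passwords or role membership are flagged for manual review.
const IDENTITY = new Set(["createUser", "dropUser", "changePassword",
  "createRole", "dropRole", "grantRole", "revokeRole"]);

function auditRole(role) {
  const findings = [];
  (role.privileges || []).forEach((priv, i) => {
    const res = priv.resource || {};
    const onCluster = res.cluster === true;
    // { db: "", collection: "" } matches every non-system collection in every db.
    const allDbs = !onCluster && res.db === "" && res.collection === "";
    for (const action of priv.actions || []) {
      const want = SCOPE[action]; // undefined for actions outside the subset
      if (want && (want === "cluster") !== onCluster)
        findings.push({ privilege: i, action, issue: "scope-mismatch" });
      if (IDENTITY.has(action))
        findings.push({ privilege: i, action, issue: "identity-admin" });
      if (allDbs)
        findings.push({ privilege: i, action, issue: "all-databases" });
    }
  });
  return findings;
}

// Constructed sample role document (hypothetical names).
const sampleRole = {
  role: "orderService",
  privileges: [
    { resource: { db: "shop", collection: "orders" },
      actions: ["find", "insert", "update"] },
    { resource: { db: "shop", collection: "" },
      actions: ["grantRole", "killop"] },
    { resource: { db: "", collection: "" }, actions: ["find"] },
    { resource: { cluster: true }, actions: ["replSetGetStatus"] },
  ],
  roles: [],
};

console.log(auditRole(sampleRole));
```

Actions missing from `SCOPE` are skipped by the scope check rather than reported, so extend the map from the table before relying on a clean result.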