# Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) in MongoDB provides fine-grained access control for your database. It allows you to grant users specific privileges on databases, collections, and operations.
## Understanding RBAC Components

### Roles

A role consists of:

- Privileges (actions allowed on resources)
- Roles (other roles from which this role inherits privileges)
### Built-in Roles in Atlas

- Organization Roles (examples):
  - Organization Owner
  - Organization Member
  - Organization Read Only

  For the full list of organization roles, see the Atlas documentation.
- Project Roles (examples):
  - Project Owner
  - Project Data Access Admin
  - Project Data Access Read/Write
  - Project Read Only

  For the full list of project-level roles, see the Atlas documentation.
### Managing Roles in Atlas

```bash
# Use the Atlas CLI to create a database user with specific roles
atlas dbusers create \
  --username dataAdmin \
  --password "securePassword" \
  --role "readWrite@admin" \
  --projectId your-project-id

# Add additional roles
atlas dbusers update dataAdmin \
  --role "readAnyDatabase@admin" \
  --projectId your-project-id
```
### Custom Roles Example

```bash
# Create a custom role that inherits the built-in read role on salesDB
atlas customDbRoles create <role-name> --inheritedRole read@salesDB --projectId {project_id}

# Assign the custom role to a new database user
atlas dbusers create --username readOnlyUser --password readOnlyPass --role <role-name> --projectId {project_id}
```
### Built-in Roles in MongoDB

- Database User Roles
  - read
  - readWrite
- Database Administration Roles
  - dbAdmin
  - dbOwner
  - userAdmin
- Cluster Administration Roles
  - clusterAdmin
  - clusterManager
  - clusterMonitor
  - hostManager
### Managing Roles

```javascript
// Create an admin user in the admin database
use admin
db.createUser({
  user: "dbAdmin",
  pwd: "securePassword",
  roles: [
    { role: "userAdmin", db: "admin" },
    { role: "dbAdmin", db: "admin" }
  ]
})

// Create an application-specific role (defined in the current database, admin)
// that only grants find/insert/update on every collection in appDB
db.createRole({
  role: "applicationUser",
  privileges: [
    {
      resource: { db: "appDB", collection: "" },
      actions: [ "find", "insert", "update" ]
    }
  ],
  roles: []
})
```
## Role Management Best Practices

### MongoDB Atlas

- Project-Level Access Control
  - Use Project roles for team-based access
  - Implement separate projects for development/production
  - Audit project members regularly
- API Access
  - Use programmatic API keys with appropriate roles
  - Rotate API keys regularly
  - Monitor API key usage

Example:

```bash
# Create a programmatic API key with the least-privileged organization role it needs
atlas organizations apiKeys create \
  --desc "Application API Key" \
  --role ORG_MEMBER
```
### On-Premises

- Role Hierarchy
  - Design the role hierarchy based on job functions
  - Use role inheritance to maintain consistency
  - Document role relationships
- Monitoring and Auditing
  - Enable audit logging for role changes
  - Review role assignments regularly
  - Document all role modifications

Example:

```javascript
// Record successful authorization checks in the audit log, not only failures.
// Auditing itself must already be enabled at startup (auditLog.destination);
// it is available in MongoDB Enterprise and Atlas. There is no db.setParameter()
// shell helper, so the parameter is set through adminCommand.
db.adminCommand({ setParameter: 1, auditAuthorizationSuccess: true })
```
## Practical Examples
### Application-Specific Roles (MongoDB Atlas)

```bash
# Create a read-only analytics role.
# The Atlas CLI expresses privileges as ACTION@db or ACTION@db.collection;
# omitting the collection applies the action to every collection in the database.
atlas customDbRoles create analyticsReader \
  --privilege FIND@analytics \
  --projectId your-project-id
```

Output:

```
Custom role 'analyticsReader' successfully created.
```

```bash
# Assign the role to a new database user
atlas dbusers create \
  --username analyst \
  --password "securePassword" \
  --role analyticsReader \
  --projectId your-project-id
```

Output:

```
Database user 'analyst' successfully created.
```
### Application-Specific Roles (On-Premises)

```javascript
// Switch to the sales database so both the role and the user are defined there
use sales

// Create a custom role for order processing: write access to orders,
// read-only access to customers, nothing else
db.createRole({
  role: "orderProcessor",
  privileges: [
    {
      resource: { db: "sales", collection: "orders" },
      actions: [ "find", "insert", "update" ]
    },
    {
      resource: { db: "sales", collection: "customers" },
      actions: [ "find" ]
    }
  ],
  roles: []
})

// Assign the role to the application user
// (a bare role name refers to a role defined in the current database)
db.createUser({
  user: "orderApp",
  pwd: "securePassword",
  roles: [ "orderProcessor" ]
})
```
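The "review role assignments regularly" practice from the best-practices section can be scripted against the documents MongoDB returns from the `usersInfo` and `rolesInfo` commands. The following Python is an added example, not code from this page or from MongoDB: the sample documents are constructed to mirror the `orderProcessor` role and `dbAdmin` user above plus a hypothetical over-broad `reportBot` role, and the sets of high-risk roles and privileged actions are this editor's choices, not a MongoDB-defined list.

```python
"""Least-privilege review of MongoDB usersInfo / rolesInfo documents.
Pure functions over the output of {"usersInfo": 1, "forAllDBs": True} and
{"rolesInfo": 1, "showPrivileges": True}; feed them real output via pymongo."""
# Built-in roles that reach beyond one database or manage users (author's pick).
HIGH_RISK_ROLES = {"root", "__system", "userAdminAnyDatabase",
                   "readWriteAnyDatabase", "dbAdminAnyDatabase",
                   "clusterAdmin", "userAdmin", "dbOwner"}
# Actions an application role should not need (author's pick).
PRIVILEGED_ACTIONS = {"createUser", "grantRole", "dropDatabase",
                      "dropCollection", "setParameter", "shutdown"}

def audit_users(users_info):
    """Return (user, db, reason) for every high-risk built-in role grant."""
    findings = []
    for u in users_info["users"]:
        for r in u.get("roles", []):
            if r["role"] in HIGH_RISK_ROLES:
                findings.append((u["user"], u["db"],
                                 f"high-risk role {r['role']}@{r['db']}"))
    return findings

def audit_roles(roles_info):
    """Flag roles whose effective privileges are broad or privileged."""
    findings = []
    for role in roles_info["roles"]:
        # inheritedPrivileges already folds in every inherited role.
        for priv in role.get("inheritedPrivileges") or role.get("privileges", []):
            res = priv["resource"]
            if res.get("cluster") or res.get("anyResource") or res.get("db") == "":
                findings.append((role["role"], role["db"], f"broad resource {res}"))
            bad = PRIVILEGED_ACTIONS & set(priv["actions"])
            if bad:
                findings.append((role["role"], role["db"],
                                 f"privileged actions {sorted(bad)}"))
    return findings

# Constructed samples shaped like real command output (not captured data).
SAMPLE_USERS = {"users": [
    {"user": "orderApp", "db": "sales",
     "roles": [{"role": "orderProcessor", "db": "sales"}]},
    {"user": "dbAdmin", "db": "admin",
     "roles": [{"role": "userAdmin", "db": "admin"},
               {"role": "dbAdmin", "db": "admin"}]}]}
SAMPLE_ROLES = {"roles": [
    {"role": "orderProcessor", "db": "sales", "inheritedPrivileges": [
        {"resource": {"db": "sales", "collection": "orders"},
         "actions": ["find", "insert", "update"]}]},
    {"role": "reportBot", "db": "admin", "inheritedPrivileges": [  # hypothetical
        {"resource": {"db": "", "collection": ""},
         "actions": ["find", "dropCollection"]}]}]}
```

Against the samples, `orderApp` and `orderProcessor` pass clean, while the `userAdmin@admin` grant and `reportBot`'s all-databases resource and `dropCollection` action are reported.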
## Next Steps

Now that you understand RBAC, let's do a challenge to test our knowledge.