Try Free

Documentation

Role-Based Access Control (RBAC)

Access Control

Manage MongoDB users, roles, and permissions. Create database users with different authentication methods, define custom roles with granular privileges, and monitor active sessions.

Note: Admin access to the admin database is required for full RBAC management. Without admin privileges, you'll have limited functionality.

Video RBAC02 Getting Started with RBAC - Overview of dashboard, creating users, and assigning roles

Dashboard Overview

The Dashboard tab provides a high-level view of your MongoDB security configuration.

Statistics Cards

Total Users - Count of all database users
Active Users - Non-disabled user accounts
Total Roles - Built-in and custom roles combined
Custom Roles - User-defined custom roles
Total Databases - Databases in the deployment
Active Sessions - Currently active user connections

Quick Actions

Create User - Opens the create user form
Create Role - Opens the custom role creation form
View All Users - Navigate to Users tab
View Roles - Navigate to Roles tab
Refresh - Reload dashboard statistics

Users Tab

The Users tab provides comprehensive user management with filtering, search, and bulk operations.

User List Features

Search - Search by username, principal, or auth database
Type Filter - Filter by SCRAM, X.509, or External auth
Role Filter - Filter users by assigned role
Database Filter - Filter by authentication database
Bulk Selection - Select multiple users for bulk operations

User Display Columns

Column	Description
Principal	Username@authDB for SCRAM, DN for X.509, or principal for External
Type	Authentication type badge (SCRAM, X509, EXTERNAL)
Roles	Assigned roles in role@database format
Status	Active or Disabled indicator
Actions	View, Enable/Disable, Delete buttons

Creating Users

Video RBAC04 Creating a New User - Step-by-step guide with role assignment

Create User modal showing authentication type selection and form fields

SCRAM Authentication (Default)

Field	Description	Required
`Username`	Unique username for database authentication	Yes
`Password`	User password (masked with show/hide toggle)	Yes
`Auth Database`	Database where credentials are stored (typically 'admin')	Yes
`Roles`	Assign roles with database scope (e.g., readWrite@mydb)	At least one

X.509 Certificate Authentication

Field	Description	Required
`Distinguished Name`	Full X.509 certificate subject DN	Yes
`Roles`	Assign roles with database scope	At least one

External Authentication (LDAP, Kerberos, AWS IAM)

Field	Description	Required
`Principal`	External principal identifier (LDAP DN, Kerberos principal, AWS ARN)	Yes
`Mechanism`	Authentication mechanism (LDAP, GSSAPI, MONGODB-AWS)	Yes
`Roles`	Assign roles with database scope	At least one

User Detail View

User Detail modal showing Overview, Roles, Effective Privileges, and Sessions tabs

Overview Tab - Principal, auth type, roles, status, timestamps
Roles Tab - Manage assigned roles (grant/revoke)
Effective Privileges Tab - Computed permissions from all roles
Sessions Tab - Active sessions with client IP and connection time

Roles Tab

Manage built-in MongoDB roles and create custom roles for specific security requirements.

Built-in Database Roles

Role	Description
`read`	Read-only access to all non-system collections
`readWrite`	Read and write access to all non-system collections
`dbAdmin`	Database administration (create collections, indexes)
`dbOwner`	Full database admin (readWrite + dbAdmin + userAdmin)
`userAdmin`	Create and manage users and roles

Built-in Cluster Roles

Role	Description
`clusterAdmin`	Full cluster administration access
`clusterMonitor`	Read-only monitoring access
`backup`	Backup operations
`restore`	Restore from backups
`root`	Superuser with all privileges

Creating Custom Roles

Video RBAC08 Creating a Custom Role - Defining privileges and inheritance

Create Role modal with name, database, privileges, and inherited roles

Role Configuration

Field	Description	Required
`Role Name`	Unique name for the custom role	Yes
`Database`	Database where the role is defined	Yes
`Description`	Human-readable description of the role	No
`Privileges`	Specific actions on resources	At least one
`Inherited Roles`	Other roles this role inherits from	No

Privilege Resource Types

Cluster - Cluster-wide administrative actions
Database - Database-level operations (createCollection, dropDatabase)
Collection - Collection-level operations (find, insert, update, remove)
Any Resource - Grants privilege on all databases/collections

Common Collection Actions

Action	Description
`find`	Query documents
`insert`	Insert new documents
`update`	Modify existing documents
`remove`	Delete documents
`createIndex`	Create indexes
`dropIndex`	Remove indexes

Effective Privileges

View the complete set of permissions a user or role has, including inherited privileges.

Privilege Aggregation - Computes all privileges from roles and inheritance
Resource Grouping - Organizes by resource type (cluster, database, collection)
Inheritance Chain - Shows which role granted each privilege

Session Monitoring

Monitor active user sessions to track database connections.

Sessions tab showing active connections with session details

Session Information

Field	Description
Session ID	Unique identifier for the connection
Client IP	Source IP address
Connection Time	When the session started
Last Active	Timestamp of last operation
Client App	Driver or application name

Tips

Least Privilege - Grant only minimum permissions needed for tasks
Use Built-in Roles First - Create custom roles only when needed
Role Composition - Build complex roles by inheriting from simpler ones
Regular Audits - Periodically review user accounts and role assignments
Disable vs Delete - Disable accounts temporarily instead of deleting

Connection Manager - Configure SSL/TLS for X.509 authentication
Query Monitor - See what queries users are running
Database Statistics - Monitor resource usage by users

Ready to try VisuaLeaf?

Download and start managing your MongoDB databases with ease.

Download Free Trial