Learn about role-based access control concepts, roles, and permissions in MongoDash

Understanding RBAC

Role-Based Access Control (RBAC) in MongoDash provides fine-grained control over what team members can see and do within your workspace.

What is RBAC?

RBAC is a security model that restricts workspace access based on assigned roles. Instead of managing permissions for each user individually, you assign users to roles that define their capabilities.

Key Benefits

Simplified Management - Control permissions through roles instead of individual user settings
Principle of Least Privilege - Users only get access to what they need
Consistency - Similar team members get identical permissions
Compliance - Meet security and audit requirements with documented access controls
Scalability - Easily onboard new team members with predefined roles

Core Concepts

Roles

A role is a collection of permissions that define what actions a user can perform. MongoDash provides built-in roles and allows custom role creation.

Permissions

Permissions are individual capabilities granted to a role, such as viewing collections, running queries, or managing connections.

Assignment

Users are assigned one or more roles. Their effective permissions are the union of all assigned roles.

A user with both Viewer and Editor roles will have all permissions from both roles combined.

Built-in Roles

MongoDash includes four predefined roles that cover common team structures:

Owner

Complete workspace control, including:

All workspace settings and configuration
Billing and subscription management
User and role management
Connection management
Full data access (read and write)
Dashboard creation and sharing
Workspace deletion

Owner role cannot be removed from the workspace creator. Each workspace must have at least one Owner.

Admin

Administrative access without billing control:

User and role management
Connection management
Full data access (read and write)
Dashboard creation and management
Query and aggregation execution
Export capabilities

Editor

Standard working permissions:

Read and write data access
Execute queries and aggregations
Create personal dashboards
Save queries
View connections (without editing)
Export data within limits

Viewer

Read-only access:

View data in collections
Execute read-only queries
View shared dashboards
View saved queries (without editing)
No data modification or export

Custom Roles

Business

Business and Enterprise plans can create custom roles with granular permission sets tailored to specific team needs.

Use Cases for Custom Roles

Read-Only Analyst - View data and run queries but cannot save or export
Dashboard Designer - Create dashboards without data write access
Connection Manager - Manage connections but limited data access
Support Engineer - View audit logs and run diagnostics without data modification

Custom roles are ideal for organizations with specialized team structures or strict compliance requirements.

Permission Hierarchy

Permissions follow a hierarchical structure from broad workspace-level access down to specific resource actions:

Workspace Permissions - Settings, members, billing
Connection Permissions - Create, edit, delete connections
Data Permissions - Read, write, delete documents
Dashboard Permissions - Create, edit, share dashboards
Query Permissions - Execute, save, share queries

Permission Inheritance

Some permissions automatically grant related capabilities:

Workspace Admin automatically includes connection management
Write Data automatically includes read data
Share Dashboard requires create dashboard permission

Role Assignment Best Practices

Assign Roles Based on Responsibility

Match roles to actual job functions:

Developers and data engineers typically need Editor role
Analysts and stakeholders work well with Viewer role
Team leads may need Admin role for user management

Use the Minimum Required Role

Start with the most restrictive role and elevate only when necessary. It's easier to grant additional permissions than to revoke them.

Review Regularly

Audit role assignments quarterly to ensure they reflect current responsibilities:

Remove access for departed team members
Adjust roles for team members with changed responsibilities
Review custom role definitions for ongoing relevance

Document Custom Roles

Business

When creating custom roles, document their intended use:

Who should be assigned this role?
What business need does it address?
What are the key permission boundaries?

What's Next?

Now that you understand RBAC concepts, learn how to apply them:

Role Management - Create and assign roles
User Permissions - Manage individual user access
Team Workspace Settings - Configure workspace-wide security settings

Understanding RBAC

Role-Based Access Control (RBAC) in MongoDash provides fine-grained control over what team members can see and do within your workspace.

What is RBAC?

RBAC is a security model that restricts workspace access based on assigned roles. Instead of managing permissions for each user individually, you assign users to roles that define their capabilities.

Key Benefits

Simplified Management - Control permissions through roles instead of individual user settings
Principle of Least Privilege - Users only get access to what they need
Consistency - Similar team members get identical permissions
Compliance - Meet security and audit requirements with documented access controls
Scalability - Easily onboard new team members with predefined roles

Core Concepts

Roles

A role is a collection of permissions that define what actions a user can perform. MongoDash provides built-in roles and allows custom role creation.

Permissions

Permissions are individual capabilities granted to a role, such as viewing collections, running queries, or managing connections.

Assignment

Users are assigned one or more roles. Their effective permissions are the union of all assigned roles.

A user with both Viewer and Editor roles will have all permissions from both roles combined.

Built-in Roles

MongoDash includes four predefined roles that cover common team structures:

Owner

Complete workspace control, including:

All workspace settings and configuration
Billing and subscription management
User and role management
Connection management
Full data access (read and write)
Dashboard creation and sharing
Workspace deletion

Owner role cannot be removed from the workspace creator. Each workspace must have at least one Owner.

Admin

Administrative access without billing control:

User and role management
Connection management
Full data access (read and write)
Dashboard creation and management
Query and aggregation execution
Export capabilities

Editor

Standard working permissions:

Read and write data access
Execute queries and aggregations
Create personal dashboards
Save queries
View connections (without editing)
Export data within limits

Viewer

Read-only access:

View data in collections
Execute read-only queries
View shared dashboards
View saved queries (without editing)
No data modification or export

Custom Roles

Business

Business and Enterprise plans can create custom roles with granular permission sets tailored to specific team needs.

Use Cases for Custom Roles

Read-Only Analyst - View data and run queries but cannot save or export
Dashboard Designer - Create dashboards without data write access
Connection Manager - Manage connections but limited data access
Support Engineer - View audit logs and run diagnostics without data modification

Custom roles are ideal for organizations with specialized team structures or strict compliance requirements.

Permission Hierarchy

Permissions follow a hierarchical structure from broad workspace-level access down to specific resource actions:

Workspace Permissions - Settings, members, billing
Connection Permissions - Create, edit, delete connections
Data Permissions - Read, write, delete documents
Dashboard Permissions - Create, edit, share dashboards
Query Permissions - Execute, save, share queries

Permission Inheritance

Some permissions automatically grant related capabilities:

Workspace Admin automatically includes connection management
Write Data automatically includes read data
Share Dashboard requires create dashboard permission

Role Assignment Best Practices

Assign Roles Based on Responsibility

Match roles to actual job functions:

Developers and data engineers typically need Editor role
Analysts and stakeholders work well with Viewer role
Team leads may need Admin role for user management

Use the Minimum Required Role

Start with the most restrictive role and elevate only when necessary. It's easier to grant additional permissions than to revoke them.

Review Regularly

Audit role assignments quarterly to ensure they reflect current responsibilities:

Remove access for departed team members
Adjust roles for team members with changed responsibilities
Review custom role definitions for ongoing relevance

Document Custom Roles

Business

When creating custom roles, document their intended use:

Who should be assigned this role?
What business need does it address?
What are the key permission boundaries?

What's Next?

Now that you understand RBAC concepts, learn how to apply them:

Role Management - Create and assign roles
User Permissions - Manage individual user access
Team Workspace Settings - Configure workspace-wide security settings

Understanding RBAC

Understanding RBAC

What is RBAC?

Key Benefits

Core Concepts

Roles

Permissions

Assignment

Built-in Roles

Owner

Admin

Editor

Viewer

Custom Roles

Use Cases for Custom Roles

Permission Hierarchy

Permission Inheritance

Role Assignment Best Practices

Assign Roles Based on Responsibility

Use the Minimum Required Role

Review Regularly

Document Custom Roles

What's Next?

On this page

Understanding RBAC

Understanding RBAC

What is RBAC?

Key Benefits

Core Concepts

Roles

Permissions

Assignment

Built-in Roles

Owner

Admin

Editor

Viewer

Custom Roles

Use Cases for Custom Roles

Permission Hierarchy

Permission Inheritance

Role Assignment Best Practices

Assign Roles Based on Responsibility

Use the Minimum Required Role

Review Regularly

Document Custom Roles

What's Next?

On this page