Understanding RBAC
Learn about role-based access control concepts, roles, and permissions in MongoDash
Role-Based Access Control (RBAC) in MongoDash provides fine-grained control over what team members can see and do within your workspace.
What is RBAC?
RBAC is a security model that restricts workspace access based on assigned roles. Instead of managing permissions for each user individually, you assign users to roles that define their capabilities.
Key Benefits
- Simplified Management - Control permissions through roles instead of individual user settings
- Principle of Least Privilege - Users only get access to what they need
- Consistency - Similar team members get identical permissions
- Compliance - Meet security and audit requirements with documented access controls
- Scalability - Easily onboard new team members with predefined roles
Core Concepts
Roles
A role is a collection of permissions that define what actions a user can perform. MongoDash provides built-in roles and allows custom role creation.
Permissions
Permissions are individual capabilities granted to a role, such as viewing collections, running queries, or managing connections.
Assignment
Users are assigned one or more roles. Their effective permissions are the union of all assigned roles.
A user with both Viewer and Editor roles will have all permissions from both roles combined.
Built-in Roles
MongoDash includes four predefined roles that cover common team structures:
Owner
Complete workspace control, including:
- All workspace settings and configuration
- Billing and subscription management
- User and role management
- Connection management
- Full data access (read and write)
- Dashboard creation and sharing
- Workspace deletion
The Owner role cannot be removed from the workspace creator. Each workspace must have at least one Owner.
Admin
Administrative access without billing control:
- User and role management
- Connection management
- Full data access (read and write)
- Dashboard creation and management
- Query and aggregation execution
- Export capabilities

Editor
Standard working permissions:
- Read and write data access
- Execute queries and aggregations
- Create personal dashboards
- Save queries
- View connections (without editing)
- Export data within limits
Viewer
Read-only access:
- View data in collections
- Execute read-only queries
- View shared dashboards
- View saved queries (without editing)
- No data modification or export

Custom Roles
Business and Enterprise plans can create custom roles with granular permission sets tailored to specific team needs.
Use Cases for Custom Roles
- Read-Only Analyst - View data and run queries but cannot save or export
- Dashboard Designer - Create dashboards without data write access
- Connection Manager - Manage connections but limited data access
- Support Engineer - View audit logs and run diagnostics without data modification
Custom roles are ideal for organizations with specialized team structures or strict compliance requirements.
Permission Hierarchy
Permissions follow a hierarchical structure from broad workspace-level access down to specific resource actions:
- Workspace Permissions - Settings, members, billing
- Connection Permissions - Create, edit, delete connections
- Data Permissions - Read, write, delete documents
- Dashboard Permissions - Create, edit, share dashboards
- Query Permissions - Execute, save, share queries
Permission Inheritance
Some permissions automatically grant related capabilities:
- Workspace Admin automatically includes connection management
- Write Data automatically includes read data
- Share Dashboard requires create dashboard permission
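As an added example (not MongoDash's own code), the following Python resolves effective permissions the way this page describes them: the union of all assigned roles, followed by the inheritance rules in this section, plus a check for the "share requires create" dependency. The role contents and permission names are assumed placeholders modelled on the built-in roles described above.

```python
from typing import Dict, FrozenSet, Iterable, List, Set

# Constructed role definitions that mirror the built-in roles described above.
# The permission names are placeholders for this example, not MongoDash identifiers.
ROLES: Dict[str, FrozenSet[str]] = {
    "Viewer": frozenset({"data:read", "query:execute", "dashboard:view"}),
    "Editor": frozenset({"data:write", "query:execute", "query:save",
                         "dashboard:create", "data:export"}),
    "Admin": frozenset({"workspace:admin", "user:manage", "data:write",
                        "query:execute", "dashboard:create", "data:export"}),
}

# Inheritance: holding the key permission automatically grants the values.
IMPLIES: Dict[str, FrozenSet[str]] = {
    "workspace:admin": frozenset({"connection:manage"}),
    "data:write": frozenset({"data:read"}),
}

# Dependency: the key permission is only valid when its prerequisites are held.
REQUIRES: Dict[str, FrozenSet[str]] = {
    "dashboard:share": frozenset({"dashboard:create"}),
}


def effective_permissions(assigned: Iterable[str]) -> Set[str]:
    """Union of all assigned roles, then closure over the inheritance rules."""
    perms: Set[str] = set()
    for role in assigned:
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        perms |= ROLES[role]
    changed = True
    while changed:  # repeat until no rule adds anything (rules may chain)
        changed = False
        for held, granted in IMPLIES.items():
            if held in perms and not granted <= perms:
                perms |= granted
                changed = True
    return perms


def dependency_violations(perms: Set[str]) -> List[str]:
    """Report permissions whose prerequisites are missing, e.g. share without create."""
    return [f"{p} requires {r}"
            for p, reqs in REQUIRES.items() if p in perms
            for r in sorted(reqs) if r not in perms]
```

Running `dependency_violations` over a proposed custom role before saving it catches definitions such as a Dashboard Designer granted sharing but not creation.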
Role Assignment Best Practices
Assign Roles Based on Responsibility
Match roles to actual job functions:
- Developers and data engineers typically need Editor role
- Analysts and stakeholders work well with Viewer role
- Team leads may need Admin role for user management
Use the Minimum Required Role
Start with the most restrictive role and elevate only when necessary. It's easier to grant additional permissions than to revoke them.
Review Regularly
Audit role assignments quarterly to ensure they reflect current responsibilities:
- Remove access for departed team members
- Adjust roles for team members with changed responsibilities
- Review custom role definitions for ongoing relevance
Document Custom Roles
When creating custom roles, document their intended use:
- Who should be assigned this role?
- What business need does it address?
- What are the key permission boundaries?
What's Next?
Now that you understand RBAC concepts, learn how to apply them:
- Role Management - Create and assign roles
- User Permissions - Manage individual user access
- Team Workspace Settings - Configure workspace-wide security settings