User Permissions
Manage user-level permissions, understand permission inheritance, and configure overrides
User Permissions
Learn how individual user permissions work, how they inherit from roles, and when to use permission overrides.
How User Permissions Work
User permissions in MongoDash are determined by:
- Role Assignment - Permissions granted through assigned roles
- Permission Inheritance - Automatic permissions from role hierarchy
- Direct Overrides - Explicit permissions added or removed for specific users
Most teams rely solely on role assignments. Direct permission overrides are only needed for exceptional cases.
Viewing User Permissions
Navigate to Members From workspace settings, click Members in the left sidebar.
Select a User Click on a user's name to view their permission details.
Review Permissions The permission panel shows:
- Assigned roles
- Effective permissions (combined from all roles)
- Any direct permission overrides
- Last permission change timestamp
Permission Inheritance
Users automatically inherit all permissions from their assigned roles. When a user has multiple roles, they receive the union of all permissions.
Inheritance Example
A user assigned both Editor and Dashboard Designer (custom role) would have:
- All Editor permissions (read/write data, execute queries)
- Plus additional dashboard creation permissions
- No conflicts - permissions are additive
Use multiple role assignment instead of permission overrides when possible. This keeps access control predictable and auditable.
Understanding Effective Permissions
Effective permissions are the actual capabilities a user has after combining:
- All assigned role permissions
- Any direct permission grants
- Minus any direct permission revocations
Permission Calculation
Effective Permissions =
(Role A Permissions ∪ Role B Permissions ∪ ...)
+ Direct Grants
- Direct Revocations
Permission Categories
Workspace-Level Permissions
Control administrative capabilities:
- View Workspace Settings - See workspace configuration
- Edit Workspace Settings - Modify workspace name, slug, settings
- Manage Members - Invite, remove, and modify user roles
- Manage Billing - Access and modify subscription details
- Delete Workspace - Permanently remove workspace
Connection Permissions
Control database access:
- View Connections - See connection list and details
- Create Connections - Add new MongoDB connections
- Edit Connections - Modify connection settings and credentials
- Delete Connections - Remove connections
- Test Connections - Verify connectivity
Data Permissions
Control data access and modification:
- Read Data - View documents and collections
- Write Data - Insert and update documents
- Delete Data - Remove documents
- Export Data - Download data in various formats
- Import Data - Upload and insert data
Query Permissions
Control query capabilities:
- Execute Find Queries - Run basic queries
- Execute Aggregations - Run aggregation pipelines
- Save Queries - Store queries for reuse
- Share Queries - Make queries available to team
- Use AI Query Builder - Access AI-assisted query generation
Dashboard Permissions
Control dashboard access:
- View Dashboards - See shared dashboards
- Create Dashboards - Build new dashboards
- Edit Own Dashboards - Modify dashboards you created
- Edit All Dashboards - Modify any dashboard
- Share Dashboards - Make dashboards available to others
- Delete Dashboards - Remove dashboards
Direct Permission Overrides
BusinessIn rare cases, you may need to grant or revoke specific permissions for individual users outside their role assignments.
When to Use Overrides
Only use direct permission overrides for:
- Temporary elevated access - Short-term admin needs
- Unique exceptions - One-off requirements that don't warrant a custom role
- Temporary restrictions - Limiting a user temporarily without changing their role
Overuse of permission overrides makes access control difficult to audit and maintain. Create custom roles instead for recurring patterns.
Granting Direct Permissions
Select User Navigate to Members, click the user, then click Manage Permissions.
Add Permission Click Grant Additional Permission and select the permission to add.
Set Expiration Optionally set an expiration date for the permission grant.
Always set expiration dates for temporary access grants to ensure automatic cleanup.
Add Justification Document why this override is needed. This appears in audit logs.
Save Click Grant Permission to apply the override immediately.
Revoking Direct Permissions
Select User Navigate to Members and click the user with permission overrides.
View Overrides In the Permissions tab, scroll to the Direct Permission Overrides section.
Revoke Permission Click Revoke next to the specific permission to remove it.
Revoking a permission override removes that capability immediately, even if the user is currently using it.
Confirm Confirm the revocation and add a note explaining the change.
Permission Override Best Practices
Document All Overrides
Always include a justification when granting or revoking permissions:
- Why is this override needed?
- How long should it last?
- Who approved it?
- What business need does it address?
Use Expiration Dates
Set automatic expiration for all temporary permission grants:
- Hours/Days - Incident response or troubleshooting
- Weeks - Project-specific temporary access
- Months - Extended but finite requirements
Audit Regularly
Review permission overrides monthly:
- Remove expired grants that weren't cleaned up automatically
- Convert recurring patterns into custom roles
- Verify justifications are still valid
Prefer Role Changes
Before adding a permission override, consider:
- Would a different role assignment work better?
- Should you create a custom role for this pattern?
- Is this truly a one-time exception?
Permission Conflicts and Resolution
Multiple Roles
When multiple roles grant conflicting permission levels, the most permissive wins:
- User has Viewer (read-only) and Editor (read/write) roles
- Effective permission: Read/write access
Override Priority
Direct permission grants and revocations override role-based permissions:
- Role grants "Edit Dashboards"
- Direct revocation removes "Edit Dashboards"
- Effective permission: Cannot edit dashboards
Checking Your Own Permissions
All users can view their own permissions:
- Click your profile picture in the top right
- Select My Permissions from the dropdown
- View your roles and effective permissions
If you believe you should have access to something but don't, check your permissions first before contacting an admin.
What's Next?
- Role Management - Learn about creating and managing roles
- Audit Logs - Track permission changes over time
- Two-Factor Authentication - Add an extra layer of account security