Health Check Database Permissions
Yaoxing edited this page Nov 22, 2025 · 3 revisions
Important: The tool connects to each node in the cluster to gather information, so every node must accept the credential you create.
- For replica sets, you only need to create the user on the primary; it will be replicated to all members.
- For a sharded cluster, however, the user you create is stored only in the CSRS, which lets mongos and CSRS nodes pass authentication. The shards will not accept the credential unless you also create the same user on each shard.
  - If the cluster was created by Ops Manager, the automation agents have already done this.
  - If the cluster was created manually, you need to do this yourself.

Each optional check item requires different permissions. Grant only the permissions needed for the check items you run to the user that the tool uses to access MongoDB.
| Module | Command |
|---|---|
| Shared | replSetGetStatus, getShardMap |
| ClusterItem | collStats against local.oplog.rs, serverStatus, replSetGetStatus, replSetGetConfig |
| HostInfoItem | hostInfo |
| SecurityItem | getCmdLineOpts |
| IndexInfoItem | listDatabases, listCollections, indexStats |
| ShardKeyItem | find against config.collections and config.shards |
| CollInfoItem | listDatabases, collStats against all collections |
| ServerStatusItem | serverStatus |
| BuildInfoItem | buildInfo |
To define a role that has all the permissions (run in the admin database):

```javascript
db.createRole({
  role: "xray",
  roles: [],
  privileges: [{
    // cluster-wide commands used by the check items
    resource: { cluster: true },
    actions: ["replSetGetStatus", "replSetGetConfig", "getShardMap", "serverStatus", "hostInfo", "getCmdLineOpts", "listDatabases"]
  }, {
    // db: "" / collection: "" means all non-system collections in all databases
    resource: { db: "", collection: "" },
    actions: ["collStats", "listCollections", "indexStats"]
  }, {
    resource: { db: "local", collection: "oplog.rs" },
    actions: ["collStats"]
  }, {
    resource: { db: "config", collection: "collections" },
    actions: ["find"]
  }, {
    resource: { db: "config", collection: "shards" },
    actions: ["find"]
  }, {
    resource: { db: "local", collection: "oplog.rs" },
    actions: ["find"]
  }]
})
```

If you are using Atlas, there is no indexStats permission. You can inherit clusterMonitor to get the right permission instead.
If you are using a sharded cluster on 8.0 or later, MongoDB doesn't allow direct access to the shard members. You'll need the directShardOperations role to run the tool:

```javascript
db.createRole({
  role: "xray",
  roles: ['clusterMonitor', 'directShardOperations'],
  // ...
});
```
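The role above grants every module's permissions at once. As an added example (not part of the xray project or its wiki), the Node.js script below derives a least-privilege `db.createRole()` document from the per-module table, so a user that only runs some check items gets only those actions, and applies the two variants described on this page (Atlas: drop `indexStats` and inherit `clusterMonitor`; sharded 8.0+: add `directShardOperations`). The module names and actions come from the table; the helper names `MODULE_PRIVILEGES`, `buildRole`, `toCreateRoleCommand` and the options `atlas` / `shardedV8` are my own.

```javascript
// Added example: build a least-privilege role for the health-check user from the
// per-module permission table. Helper and option names are assumptions, not
// part of the xray project.

const MODULE_PRIVILEGES = {
  // "Shared" is always required, whichever optional items are enabled.
  Shared: [
    { resource: { cluster: true }, actions: ["replSetGetStatus", "getShardMap"] },
  ],
  ClusterItem: [
    { resource: { cluster: true }, actions: ["serverStatus", "replSetGetStatus", "replSetGetConfig"] },
    { resource: { db: "local", collection: "oplog.rs" }, actions: ["collStats"] },
  ],
  HostInfoItem: [{ resource: { cluster: true }, actions: ["hostInfo"] }],
  SecurityItem: [{ resource: { cluster: true }, actions: ["getCmdLineOpts"] }],
  IndexInfoItem: [
    { resource: { cluster: true }, actions: ["listDatabases"] },
    // db: "" / collection: "" is MongoDB's "all non-system collections" resource.
    { resource: { db: "", collection: "" }, actions: ["listCollections", "indexStats"] },
  ],
  ShardKeyItem: [
    { resource: { db: "config", collection: "collections" }, actions: ["find"] },
    { resource: { db: "config", collection: "shards" }, actions: ["find"] },
  ],
  CollInfoItem: [
    { resource: { cluster: true }, actions: ["listDatabases"] },
    { resource: { db: "", collection: "" }, actions: ["collStats"] },
  ],
  ServerStatusItem: [{ resource: { cluster: true }, actions: ["serverStatus"] }],
  BuildInfoItem: [{ resource: { cluster: true }, actions: ["buildInfo"] }],
};

// Stable string key for a resource document so identical resources merge.
function resourceKey(resource) {
  return Object.keys(resource).sort().map((k) => `${k}=${resource[k]}`).join("&");
}

// Build the argument for db.createRole(). `modules` lists the optional check
// items that will actually run; "Shared" is added automatically.
//   atlas:     Atlas has no indexStats action, so drop it and inherit clusterMonitor.
//   shardedV8: sharded cluster 8.0+, inherit clusterMonitor and directShardOperations.
function buildRole(roleName, modules, { atlas = false, shardedV8 = false } = {}) {
  const merged = new Map(); // resourceKey -> { resource, actions: Set }
  for (const mod of ["Shared", ...modules]) {
    const privs = MODULE_PRIVILEGES[mod];
    if (!privs) throw new Error(`unknown check item: ${mod}`);
    for (const { resource, actions } of privs) {
      const key = resourceKey(resource);
      if (!merged.has(key)) merged.set(key, { resource: { ...resource }, actions: new Set() });
      const entry = merged.get(key);
      for (const action of actions) {
        if (atlas && action === "indexStats") continue;
        entry.actions.add(action);
      }
    }
  }
  const privileges = [...merged.values()]
    .filter((e) => e.actions.size > 0)
    .map((e) => ({ resource: e.resource, actions: [...e.actions].sort() }));
  const roles = new Set();
  if (atlas) roles.add("clusterMonitor");
  if (shardedV8) {
    roles.add("clusterMonitor");
    roles.add("directShardOperations");
  }
  return { role: roleName, roles: [...roles].sort(), privileges };
}

// mongosh-ready text to paste while connected to the admin database.
function toCreateRoleCommand(role) {
  return `db.createRole(${JSON.stringify(role, null, 2)})`;
}

if (typeof require !== "undefined" && require.main === module) {
  // Demo: a user that only runs the cluster, index and shard-key checks.
  console.log(toCreateRoleCommand(buildRole("xray", ["ClusterItem", "IndexInfoItem", "ShardKeyItem"])));
}

if (typeof module !== "undefined") {
  module.exports = { MODULE_PRIVILEGES, buildRole, toCreateRoleCommand };
}
```

Run it with `node` and paste the printed `db.createRole(...)` into mongosh on the admin database; on a manually built sharded cluster, remember to create the resulting user on each shard as well as through mongos, as described at the top of this page.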