OPTIONS

Create a User Administrator

Overview

User administrators create users and create and assigns roles. A user administrator can grant any privilege in the database and can create new ones. In a MongoDB deployment, create the user administrator as the first user. Then let this user create all other users.

To provide user administrators, MongoDB has userAdmin and userAdminAnyDatabase roles, which grant access to actions that support user and role management. Following the policy of least privilege userAdmin and userAdminAnyDatabase confer no additional privileges.

Carefully control access to these roles. A user with either of these roles can grant itself unlimited additional privileges. Specifically, a user with the userAdmin role can grant itself any privilege in the database. A user assigned either the userAdmin role on the admin database or the userAdminAnyDatabase can grant itself any privilege in the system.

Prerequisites

You must have the createUser action on a database to create a new user on that database.

You must have the grantRole action on a role’s database to grant the role to another user.

If you have the userAdmin or userAdminAnyDatabase role, or if you are authenticated using the localhost exception, you have those actions.

Procedure

1

Connect to MongoDB with the appropriate privileges.

Connect to the mongod or mongos as a user with the privileges required in the Prerequisites section.

The following example operation connects to MongoDB as an authenticated user named manager:

mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin
2

Verify your privileges.

Use the usersInfo command with the showPrivileges option.

The following example operation checks privileges for a user connected as manager:

db.runCommand(
  {
    usersInfo:"manager",
    showPrivileges:true
  }
)

The resulting users document displays the privileges granted to manager.

3

Create the system user administrator.

Add the user with the userAdminAnyDatabase role, and only that role.

The following example creates the user siteUserAdmin user on the admin database:

use admin
db.createUser(
  {
    user: "siteUserAdmin",
    pwd: "password",
    roles:
    [
      {
        role: "userAdminAnyDatabase",
        db: "admin"
      }
    ]
  }
)
4

Create a user administrator for a single database.

Optionally, you may want to create user administrators that only have access to administer users in a specific database by way of the userAdmin role.

The following example creates the user recordsUserAdmin on the records database:

use products
db.createUser(
  {
    user: "recordsUserAdmin",
    pwd: "password",
    roles:
    [
      {
        role: "userAdmin",
        db: "records"
      }
    ]
  }
)