OPTIONS

Create a User Administrator

Overview

User administrators create users and create and assigns roles. A user administrator can grant any privilege in the database and can create new ones. In a MongoDB deployment, create the user administrator as the first user. Then let this user create all other users.

To provide user administrators, MongoDB has userAdmin and userAdminAnyDatabase roles, which grant access to actions that support user and role management. Following the policy of least privilege userAdmin and userAdminAnyDatabase confer no additional privileges.

Carefully control access to these roles. A user with either of these roles can grant itself unlimited additional privileges. Specifically, a user with the userAdmin role can grant itself any privilege in the database. A user assigned either the userAdmin role on the admin database or the userAdminAnyDatabase can grant itself any privilege in the system.

Prerequisites

Required Access

You must have the createUser action on a database to create a new user on that database.

You must have the grantRole action on a role’s database to grant the role to another user.

If you have the userAdmin or userAdminAnyDatabase role, you have those actions.

First User Restrictions

If your MongoDB deployment has no users, you must connect to mongod using the localhost exception or use the --noauth option when starting mongod to gain full access the system. Once you have access, you can skip to Creating the system user administrator in this procedure.

If users exist in the MongoDB database, but none of them has the appropriate prerequisites to create a new user or you do not have access to them, you must restart mongod with the --noauth option.

Procedure

1

Connect to MongoDB with the appropriate privileges.

Connect to mongod or mongos either through the localhost exception or as a user with the privileges indicated in the prerequisites section.

In the following example, manager has the required privileges specified in Prerequisites.

mongo --port 27017 -u manager -p 123456 --authenticationDatabase admin
2

Create the system user administrator.

Add the user with the userAdminAnyDatabase role, and only that role.

The following example creates the user siteUserAdmin user on the admin database:

use admin
db.createUser(
  {
    user: "siteUserAdmin",
    pwd: "password",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)
3

Create a user administrator for a single database.

Optionally, you may want to create user administrators that only have access to administer users in a specific database by way of the userAdmin role.

The following example creates the user recordsUserAdmin on the records database:

use records
db.createUser(
  {
    user: "recordsUserAdmin",
    pwd: "password",
    roles: [ { role: "userAdmin", db: "records" } ]
  }
)