Create a role to admin users and just that

Hi guys, I’m trying to create a role able to admin users but only that, I did it like this but I still can create databases and collections, etc, should I revoke specific permissions?

     role: "ADMON_USRS",
     privileges: [],
     roles: [
 { role: "userAdminAnyDatabase", db: "admin" }

MongoDB Enterprise mongos> db.getUser("user")
        "_id" : "$external.user",
        "userId" : UUID("8d1ca4a0-3560-46c3-9ef6-d126092be54c"),
        "user" : "user",
        "db" : "$external",
        "roles" : [
                        "role" : "ADMON_USRS",
                        "db" : "admin"
        "mechanisms" : [
MongoDB Enterprise mongos>

Hi @Oscar_Cervantes and welcome to the community!!

The userAdminAnyDatabase is an extension of userAdmin with applies to all the databases.
The userAdmin provides the ability to create and modify roles and users on the current database and the following actions are provided with the userAdmin roles.

However, note that neither userAdmin nor userAdminAnyDatabase roles have permission to create/drop collections (which is available on dbAdmin/dbAdminAnyDatabase roles) so I think you’re on the right track by using the userAdminAnyDatabase role.

The scenario you mentioned (userAdmin role can create/drop collections) is a possibility when the mongod process was not started with the --auth parameter. Without the --auth parameter, users can be created and can login, but the authorisation are not enforced.

Can you please confirm that the MongoDB process is started with --auth being enabled?

Please refer to the documentations on Built-in Roles to understand further.

The Enable Access Control may be useful as well for details into enabling auth. If you need further help, could you post:

  1. The output of db.adminCommand({usersInfo:1})
  2. The output of db.adminCommand({getCmdLineOpts:1}) for all mongod & mongos processes.

Let us know if you have any further questions.



This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.