Custom role cannot create user

I created a custom role in AdminDB for a user that can create users and create DBs. Create DB worked, but I cannot create a user. I get the error below:

MongoServerError[Unauthorized]: not authorized on Minotaur to execute command { createUser: "reportsUser", pwd: "xxx", roles: [ { role: "read", db: "Test123" }, { role: "readWrite", db: "Minotaur" } ], lsid: { id: UUID("b7ae3c37-5a31-42c5-afb0-e2fa4d27b2e3") }, $db: "Minotaur" }
at Connection.sendCommand (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:2:890376)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Connection.command (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:2:891272)
at async Server.command (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:2:1110788)
at async RunCommandOperation.execute (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:2:1081925)
at async t.executeOperation (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:2:1060567)
at async Db.command (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:2:980280)
at async CompassServiceProvider.runCommandWithCheck (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:134:125195)
at async Proxy.createUser (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:134:214199)
at async Proxy.createUser (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:134:256261)
at async Proxy.<anonymous> (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:134:250872)
at async evalmachine.<anonymous>:77:25
at async ShellEvaluator.innerEval (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:134:404748)
at async ShellEvaluator.customEval (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:134:405016)
at async OpenContextRuntime.evaluate (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:134:9489)
at async ElectronRuntime.evaluate (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:134:10901)
at async evaluate (C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:2:1392900)
at async C:\Users\Jason\AppData\Local\MongoDBCompass\app-1.43.1\resources\app.asar.unpacked\node_modules\@mongosh\node-runtime-worker-thread\dist\worker-runtime.js:2:1388863

You need the createUser action to create users on a DB.
So grant this action on the resource you need, or choose a built-in role which has this action.
Check the MongoDB documentation for the userAdmin role.


The second admin can access all roles without them being specified in the roles.

But the second one cannot change the superadmin's or users' passwords.

The built-in roles include changePassword and remove user.

I want to create two admins.
One has all the permissions, like a superadmin.

The second one can only view all DBs, createDB, removeDB, createUser.
For changePassword and remove user, I don't want the second admin to have these two permissions.

After I created new roles for the second admin, they can createDB and removeDB but cannot createUser.

db.createRole(
  {
    role: "oo2",
    privileges: [
      { resource: { db: "admin", collection: "" },
        actions: [ "changeCustomData", "dropDatabase", "createUser", "setAuthenticationRestriction", "updateUser", "viewUser", "insert", "find", "resync", "createSearchIndexes" ] }
    ],
    roles: []   // no inherited roles
  }
)

db.createUser( { user: "testUser",
  pwd: "password",
  roles: [ { role: "oo2", db: "admin" },
           { role: "readWriteAnyDatabase", db: "admin" }
  ] } );
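Both posts hit the same rule: a privilege's resource names the database it applies to, and a database-level action such as createUser only authorizes commands whose target database ($db) matches that resource. The first post's failing command ran with $db: "Minotaur", and the "oo2" role above grants createUser only on { db: "admin", collection: "" }. The script below is an added example, not code from the thread or from MongoDB; it is a small offline model of that resource matching (no server needed), applied to the exact privileges posted above, plus a least-privilege check for the second post's goal of leaving out changePassword and remove user. The "anyDbPrivileges" role is an assumed replacement, not something the thread proposed.

```javascript
// Added example (not from the original thread): offline model of how MongoDB
// matches a command's target database against a role's privilege resources.

// Simplified resource matching for database-level actions (createUser,
// grantRole, dropDatabase, ...), following the documented resource forms:
//   { db: "x", collection: "" }  -> database x
//   { db: "",  collection: "" }  -> any database (only valid for roles defined in admin)
//   { cluster: true }            -> the cluster, never a database
function resourceCoversDb(resource, targetDb) {
  if (resource.anyResource) return true;
  if (resource.cluster) return false;
  if (resource.collection !== "") return false; // collection-scoped: no db-level rights
  if (resource.db === "") return true;
  return resource.db === targetDb;
}

// Does this set of privileges authorize `action` on database `targetDb`?
function isAuthorized(privileges, action, targetDb) {
  return privileges.some(
    (p) => p.actions.includes(action) && resourceCoversDb(p.resource, targetDb)
  );
}

// createUser with a roles array needs createUser on the target database and
// grantRole on the database of every role being assigned. Returns the first
// missing requirement, or null when the call would be authorized.
function missingForCreateUser(privileges, targetDb, roles) {
  if (!isAuthorized(privileges, "createUser", targetDb)) {
    return `createUser on ${targetDb}`;
  }
  for (const r of roles) {
    if (!isAuthorized(privileges, "grantRole", r.db)) {
      return `grantRole on ${r.db}`;
    }
  }
  return null;
}

// Least-privilege check for the second post's goal: list any action the policy
// forbids (here changePassword and dropUser) that the role still carries.
function forbiddenActions(privileges, forbidden = ["changePassword", "dropUser"]) {
  const found = new Set();
  for (const p of privileges) {
    for (const a of p.actions) if (forbidden.includes(a)) found.add(a);
  }
  return [...found].sort();
}

// Privileges of the "oo2" role exactly as posted in the thread.
const oo2Privileges = [
  {
    resource: { db: "admin", collection: "" },
    actions: ["changeCustomData", "dropDatabase", "createUser",
              "setAuthenticationRestriction", "updateUser", "viewUser",
              "insert", "find", "resync", "createSearchIndexes"],
  },
];

// Assumed replacement (not from the thread): createUser, viewUser and grantRole
// on the any-database resource, so the role has to be created in admin.
// Note what this buys: grantRole on every database includes admin, so the
// holder could create a user carrying "root".
const anyDbPrivileges = [
  { resource: { db: "", collection: "" },
    actions: ["createUser", "viewUser", "grantRole"] },
];

// The roles array from the failing command in the first post.
const requestedRoles = [
  { role: "read", db: "Test123" },
  { role: "readWrite", db: "Minotaur" },
];

// The same call the thread made (target database Minotaur) under each role:
console.log("oo2 -> Minotaur:", missingForCreateUser(oo2Privileges, "Minotaur", requestedRoles));
console.log("oo2 -> admin, no roles:", missingForCreateUser(oo2Privileges, "admin", []));
console.log("anyDb -> Minotaur:", missingForCreateUser(anyDbPrivileges, "Minotaur", requestedRoles));
console.log("forbidden actions in oo2:", forbiddenActions(oo2Privileges));
```

Two practical consequences follow from the model. First, once createUser is granted on the right database, a createUser call that also assigns roles still needs grantRole on each role's database, so the first post's command would need grantRole on Test123 and Minotaur as well. Second, createUser together with grantRole on admin is enough to mint a new user with root; leaving changePassword and dropUser out of the role does not by itself stop that account from escalating, so scope grantRole to the specific databases the second admin is meant to administer.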