On this page
To authenticate a client in MongoDB, you must add a corresponding user to MongoDB.
You can add a user with the
db.createUser() method using
mongosh. The first user you create must have privileges
to create other users. The
userAdminAnyDatabase role both confer the privilege to
create other users.
You can grant a user privileges by assinging roles to the user when you create the user. You can also grant or revoke roles, as well as update passwords, by updating existing users. For a full list of user management methods, see User Management.
A user is uniquely identified by the user's name and associated
authentication database. MongoDB
associates a user with a unique
userId upon creation in MongoDB.
LDAP Managed Users
LDAP managed users created on an LDAP
server do not have an associated document in the system.users collection, and therefore don't
userId field associated with them.
When you add a user, you create the user in a specific database. The database you create the user in is the authentication database for the user.
However, a user's privileges are not limited to their authentication database. Therefore, a user can have privileges across different databases. For more information on roles, see Role-Based Access Control.
A user's name and authentication database serve as a unique identifier
for that user. MongoDB associates a user with a unique
creation in MongoDB. However, LDAP managed users
created on an LDAP server do not have an associated document in the
system.users collection, and
therefore don't have a
associated with them.
If two users have the same name but are created in different databases, they are two separate users. If you want to have a single user with permissions on multiple databases, create a single user with a role for each applicable database.
Centralized User Data
For users created in MongoDB, MongoDB stores all user information,
password, and the user's
database, in the system.users collection in the
Do not modify this collection directly. To manage users, use the designated user management commands.
Sharded Cluster Users
To create users for a sharded cluster, connect to a
mongos instance and add the users. To authenticate as a
user created on a
mongos instance, you must authenticate
In sharded clusters, MongoDB stores user configuration data in the
admin database of the config servers.
Shard Local Users
Some maintenance operations, such as
rs.reconfig(), require direct
connections to specific shards in a sharded cluster. To perform these
operations, you must connect directly to the shard and authenticate as a
shard local administrative user.
To create a shard local administrative user, connect directly to the primary of the shard and create the user. For instructions on how to create a shard local user administrator see the Deploy Sharded Cluster with Keyfile Authentication tutorial.
MongoDB stores shard local users in the
admin database of the
shard itself. These shard local users are independent from
the users added to the sharded cluster through a
Shard local users are local to the shard and are inaccessible by
Direct connections to a shard should only be used for shard-specific
maintenance and configuration or for targeted analytics workloads. In
general, clients should connect to the sharded cluster through the