Create an Administrative User with Unrestricted Access
Overview
Most users should have only the minimal set of privileges required for their operations, in keeping with the policy of least privilege. However, some authorization architectures may require a user with unrestricted access. To support these super users, you can create users with access to all database resources and actions.
For many deployments, you may be able to avoid having any users with unrestricted access by having an administrative user with the createUser and grantRole actions granted as needed to support operations.
If users truly need unrestricted access to a MongoDB deployment, MongoDB provides a built-in role named root that grants the combined privileges of all built-in roles. This document describes how to create an administrative user with the root role.
For descriptions of the access each built-in role provides, see the section on built-in roles.
Prerequisites
Required Access
You must have the createUser action on a database to create a new user on that database.
You must have the grantRole action on a role's database to grant the role to another user.
If you have the userAdmin or userAdminAnyDatabase role, you have those actions.
First User Restrictions
If your MongoDB deployment has no users, you must connect to mongod using the localhost exception or use the --noauth option when starting mongod to gain full access to the system. Once you have access, you can skip to Creating the system user administrator in this procedure.
If users exist in the MongoDB database, but none of them has the appropriate prerequisites to create a new user or you do not have access to them, you must restart mongod with the --noauth option.
Procedure
Connect to MongoDB with the appropriate privileges.
Connect to the mongod or mongos as a user with the privileges specified in the Prerequisites section.
The following procedure uses the siteUserAdmin created in Create a User Administrator.
Create the administrative user.
In the admin database, create a new user using the db.createUser() method. Give the user the built-in root role.
For example:
Authenticate against the admin database to test the new user account. Use db.auth() while using the admin database or use the mongo shell with the --authenticationDatabase option.
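An added example, not code from the original page: mongo shell JavaScript that creates the root user in the admin database as the procedure above describes, refuses to overwrite an existing account, and lists every account holding root so the number of unrestricted users stays visible. The helper names, the user name superuser and the <password> placeholder are assumptions.

```javascript
// Added example: helper names, "superuser" and "<password>" are hypothetical.

// Build the document passed to db.createUser(): a single role, root, on admin.
function rootUserDoc(user, pwd) {
  if (!user || !pwd) throw new Error("user and pwd are required");
  return { user: user, pwd: pwd, roles: [{ role: "root", db: "admin" }] };
}

// Create the user in the admin database only, and never replace an
// existing account of the same name.
function createRootUser(adminDb, user, pwd) {
  if (adminDb.getName() !== "admin") {
    throw new Error("run against the admin database");
  }
  if (adminDb.getUser(user) !== null) {
    throw new Error("user already exists: " + user);
  }
  adminDb.createUser(rootUserDoc(user, pwd));
  return adminDb.getUser(user).roles; // roles as stored by the server
}

// Names of all users defined in admin that hold the root role.
function listRootUsers(adminDb) {
  var res = adminDb.getUsers();
  // Accept both result shapes: a plain array, or { users: [...] }.
  var users = Array.isArray(res) ? res : res.users;
  return users.filter(function (u) {
    return (u.roles || []).some(function (r) {
      return r.role === "root" && r.db === "admin";
    });
  }).map(function (u) { return u.user; });
}

// `db` is a global in the mongo shell; outside the shell this is skipped.
if (typeof db !== "undefined") {
  var adminDb = db.getSiblingDB("admin");
  printjson(createRootUser(adminDb, "superuser", "<password>"));
  printjson(listRootUsers(adminDb));
}
```

Run it while connected as a user that has the createUser and grantRole actions on admin, then test the new account with db.auth() as described above.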