Create a User Administrator
Overview
User administrators create users and create and assign roles. A user administrator can grant any privilege in the database and can create new ones. In a MongoDB deployment, create the user administrator as the first user. Then let this user create all other users.
To provide user administrators, MongoDB has userAdmin and userAdminAnyDatabase roles, which grant access to actions that support user and role management. Following the policy of least privilege, userAdmin and userAdminAnyDatabase confer no additional privileges.
Carefully control access to these roles. A user with either of these roles can grant itself unlimited additional privileges. Specifically, a user with the userAdmin role can grant itself any privilege in the database. A user assigned either the userAdmin role on the admin database or the userAdminAnyDatabase role can grant itself any privilege in the system.
Prerequisites
Required Access
You must have the createUser action on a database to create a new user on that database.
You must have the grantRole action on a role’s database to grant the role to another user.
If you have the userAdmin or userAdminAnyDatabase role, you have those actions.
First User Restrictions
If your MongoDB deployment has no users, you must connect to mongod using the localhost exception or use the --noauth option when starting mongod to gain full access to the system. Once you have access, you can skip to Creating the system user administrator in this procedure.
If users exist in the MongoDB database, but none of them has the appropriate prerequisites to create a new user or you do not have access to them, you must restart mongod with the --noauth option.
Procedure
Connect to MongoDB with the appropriate privileges.
Connect to mongod or mongos either through the localhost exception or as a user with the privileges indicated in the prerequisites section.
In the following example, manager has the required privileges specified in Prerequisites.
Create the system user administrator.
Add the user with the userAdminAnyDatabase role, and only that role.
The following example creates the siteUserAdmin user on the admin database:
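
An added example, not part of the original page or of MongoDB's documentation code: it creates siteUserAdmin with userAdminAnyDatabase as its only role, then lists the accounts defined on admin that hold a user-administration role. The helper names, the sample user documents and the password placeholder are assumptions.

```javascript
// Added example; helper names, sample users and password placeholder are assumptions.
// ES5 only, so it loads in the mongo shell as well as in Node.

// Roles that, per the page, let a user grant itself any privilege in the system.
function isSystemWideUserAdmin(r) {
  return r.role === "userAdminAnyDatabase" ||
         (r.role === "userAdmin" && r.db === "admin");
}

// createUser document: userAdminAnyDatabase on admin, and only that role.
function userAdminDoc(name, password) {
  if (typeof password !== "string" || !password) throw new Error("password required");
  return { user: name, pwd: password, roles: [{ role: "userAdminAnyDatabase", db: "admin" }] };
}

// Report each account holding a user-administration role and any other roles it holds.
function auditUserAdmins(users) {
  var findings = [];
  users.forEach(function (u) {
    var roles = u.roles || [];
    var adminRoles = roles.filter(function (r) {
      return r.role === "userAdmin" || r.role === "userAdminAnyDatabase";
    });
    if (adminRoles.length === 0) { return; }
    findings.push({
      user: u.db + "." + u.user,
      systemWide: adminRoles.some(isSystemWideUserAdmin),
      extraRoles: roles.filter(function (r) { return adminRoles.indexOf(r) < 0; })
                       .map(function (r) { return r.role + "@" + r.db; })
    });
  });
  return findings;
}

// Constructed user documents in the shape db.getUsers() returns.
var SAMPLE_USERS = [
  { user: "siteUserAdmin", db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "appOwner", db: "records", roles: [{ role: "userAdmin", db: "records" }, { role: "readWrite", db: "records" }] },
  { user: "reporter", db: "records", roles: [{ role: "read", db: "records" }] }
];

if (typeof db !== "undefined") {                 // mongo shell: act on the deployment
  var adminDb = db.getSiblingDB("admin");
  adminDb.createUser(userAdminDoc("siteUserAdmin", "<REPLACE_WITH_STRONG_PASSWORD>"));
  var res = adminDb.getUsers();                  // array, or { users: [...] } in mongosh
  printjson(auditUserAdmins(Array.isArray(res) ? res : res.users));
} else {                                         // Node: audit the constructed sample
  console.log(JSON.stringify(auditUserAdmins(SAMPLE_USERS), null, 2));
}
```

An account reported with systemWide set to true can grant itself any privilege in the system; a non-empty extraRoles list marks a user administrator that holds more than the one role the procedure calls for.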