This version of the documentation is archived and no longer supported.

system.users Collection

Changed in version 2.6.

The system.users collection in the admin database stores user authentication and authorization information. To manage data in this collection, MongoDB provides user management commands.

system.users Schema

The documents in the system.users collection have the following schema:

  _id: <system defined id>,
  userId : <system assigned UUID>,  // Starting in MongoDB 3.6.13
  user: "<name>",
  db: "<database>",
  credentials: { <authentication credentials> },
  roles: [
           { role: "<role name>", db: "<database>" },
  customData: <custom information>,

Each system.users document has the following fields:


A unique identifier for the user assigned to the user upon creation.

userId is available for users (not managed via LDAP) created in MongoDB 3.6.13+.

For LDAP managed users, users may not have an associated userId.

New in version 3.6.13.


The user name. A user exists in the context of a single logical database (see admin.system.users.db) but can have access on other databases through roles specified in the roles array.


The authentication database associated with the user. The user’s privileges are not necessarily limited to this database. The user can have privileges in additional databases through the roles array.


User’s authentication information. For users with externally stored authentication credentials, such as users that use Kerberos or x.509 certificates for authentication, the system.users document for that user does not contain the credentials field.


An array of roles granted to the user. The array contains both built-in roles and user-defined role.

A role document has the following syntax:

{ role: "<role name>", db: "<database>" }

A role document has the following fields:


The name of a role. A role can be a built-in role provided by MongoDB or a custom user-defined role.


The name of the database where role is defined.

When specifying a role using the role management or user management commands, you can specify the role name alone (e.g. "readWrite") if the role that exists on the database on which the command is run.


Optional custom information about the user.


Changed in version 3.0.0.

Consider the following document in the system.users collection:


  _id : "home.Kari",
  "userId" : UUID("ec1eced7-055a-4ca8-8737-60dd02c52793"),  // Available starting in MongoDB 3.6.13
  user : "Kari",
  db : "home",
  credentials : {
         "SCRAM-SHA-1" : {
                 "iterationCount" : 10000,
                 "salt" : nkHYXEZTTYmn+hrY994y1Q==",
                 "storedKey" : "wxWGN3ElQ25WbPjACeXdUmN4nNo=",
                 "serverKey" : "h7vBq5tACT/BtrIElY2QTm+pQzM="
  roles : [
            { role: "read", db: "home" },
            { role: "readWrite", db: "test" },
            { role: "appUser", db: "myApp" }
  customData : { zipCode: "64157" }

The document shows that a user Kari is associated with the home database. Kari has the read role in the home database, the readWrite role in the test database, and the appUser role in the myApp database.