• Security >
• Security Tutorials >
• User and Role Management Tutorials >
• Create an Administrative User with Unrestricted Access

Create an Administrative User with Unrestricted Access

Overview

Most users should have only the minimal set of privileges required for their operations, in keeping with the policy of least privilege. However, some authorization architectures may require a user with unrestricted access. To support these super users, you can create users with access to all database resources and actions.

For many deployments, you may be able to avoid having any users with unrestricted access by having an administrative user with the createUser and grantRole actions granted as needed to support operations.

If users truly need unrestricted access to a MongoDB deployment, MongoDB provides a built-in role named root that grants the combined privileges of all built-in roles. This document describes how to create an administrative user with the root role.

For descriptions of the access each built-in role provides, see the section on built-in roles.

Prerequisites

Required Access

• To create a new user in a database, you must have createUser action on that database resource.
• To grant roles to a user, you must have the grantRole action on the role’s database.

Built-in roles userAdmin and userAdminAnyDatabase provide createUser and grantRole actions on their respective resources.

First User Restrictions

If your MongoDB deployment has no users, you must connect to mongod using the localhost exception or use the --noauth option when starting mongod to gain full access the system. Once you have access, you can skip to Creating the system user administrator in this procedure.

If users exist in the MongoDB database, but none of them has the appropriate prerequisites to create a new user or you do not have access to them, you must restart mongod with the --noauth option.

Procedure

1

Connect to MongoDB with the appropriate privileges.

Connect to the mongod or mongos as a user with the privileges specified in the Prerequisites section.

The following procedure uses the siteUserAdmin created in Create a User Administrator.

mongo --port 27017 -u siteUserAdmin -p password --authenticationDatabase admin

2

Create the administrative user.

In the admin database, create a new user using the db.createUser() method. Give the user the built-in root role.

For example:

use admin
db.createUser(
    {
      user: "superuser",
      pwd: "12345678",
      roles: [ "root" ]
    }
)

Authenticate against the admin database to test the new user account. Use db.auth() while using the admin database or use the mongo shell with the --authenticationDatabase option.

←   Change Your Password and Custom Data Auditing Tutorials  →

Was this page helpful?

Yes No

Thank you for your feedback!

We're sorry! You can Report a Problem to help us improve this page.

Copyright © 2011-2015 MongoDB, Inc. Licensed under Creative Commons. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.