Create an Administrative User with Unrestricted Access
Overview
Most users should have only the minimal set of privileges required for their operations, in keeping with the policy of least privilege. However, some authorization architectures may require a user with unrestricted access. To support these super users, you can create users with access to all database resources and actions.
For many deployments, you may be able to avoid having any users with
unrestricted access by having an administrative user with the
createUser and grantRole actions granted as needed
to support operations.
If users truly need unrestricted access to a MongoDB deployment,
MongoDB provides a built-in role
named root that grants the combined privileges of all
built-in roles. This document describes how to create an administrative
user with the root role.
For descriptions of the access each built-in role provides, see the section on built-in roles.
Prerequisites
Required Access
You must have the createUser action on a database to create a new user on that
database.
You must have the grantRole action on a role’s database to grant the role to another
user.
If you have the userAdmin or userAdminAnyDatabase
role, you have those actions.
First User Restrictions
If your MongoDB deployment has no users, you must connect to
mongod using the localhost exception or use the --noauth
option when starting mongod to gain full access to the
system. Once you have access, you can skip to Creating the system
user administrator in this procedure.
If users exist in the MongoDB database, but none of them has the
appropriate prerequisites to create a new user or you do not have access
to them, you must restart mongod with the --noauth option.
Procedure
Connect to MongoDB with the appropriate privileges.
Connect to the mongod or mongos as a user with the
privileges specified in the Prerequisites section.
The following procedure uses the siteUserAdmin created in
Create a User Administrator.
Create the administrative user.
In the admin database, create a new user using the
db.createUser() method. Give the user the built-in
root role.
For example:
Authenticate against the admin database to test the new user
account. Use db.auth() while using the admin database
or use the mongo shell with the --authenticationDatabase option.
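The create and authenticate steps above as mongo shell functions; this is an added example, not code from the MongoDB manual. The user name superuser, the password placeholder, the 12-character minimum and the helper names are assumptions of this example, and usersWithRoot is an extra check that lists which accounts in the admin database hold root.

```javascript
// Added example for the mongo shell; not taken from the MongoDB manual.
// "superuser" and the password placeholder are hypothetical values.

// Build the document passed to db.createUser(): one user, built-in root role.
function rootUserDoc(name, pwd) {
  // The 12-character minimum is this example's own guard, not a MongoDB rule.
  if (typeof pwd !== "string" || pwd.length < 12) {
    throw new Error("refusing a short password for an unrestricted account");
  }
  return { user: name, pwd: pwd, roles: [{ role: "root", db: "admin" }] };
}

// Create the user in the admin database, then authenticate as that user
// against admin to confirm the account works. anyDb is any shell db handle.
function createRootUser(anyDb, name, pwd) {
  var admin = anyDb.getSiblingDB("admin");
  admin.createUser(rootUserDoc(name, pwd));
  if (!admin.auth(name, pwd)) {
    throw new Error("created " + name + " but could not authenticate");
  }
  return admin.getUser(name).roles;
}

// Least-privilege check: names of every admin-database user holding root.
function usersWithRoot(anyDb) {
  var res = anyDb.getSiblingDB("admin").getUsers();
  var users = Array.isArray(res) ? res : res.users; // shell versions differ
  return users
    .filter(function (u) {
      return u.roles.some(function (r) {
        return r.role === "root" && r.db === "admin";
      });
    })
    .map(function (u) { return u.user; });
}

// In the shell, after connecting as siteUserAdmin:
//   createRootUser(db, "superuser", "<long unique password>");
//   usersWithRoot(db);
```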