MongoDB User Management

MongoDB provides Role-Based Access Control (RBAC), allowing administrators to create users and assign different permission roles to ensure database security.

Enable Authentication

Modify Configuration File

# mongod.conf
security:
  authorization: enabled

Restart MongoDB Service

# Linux/macOS
sudo systemctl restart mongod

# Windows
net stop MongoDB
net start MongoDB

Create Administrator User

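Connect to admin Database

With authorization enabled and no users created yet, MongoDB's localhost exception allows a connection made from the server itself to create the first user in the admin database.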

mongosh
use admin

Create Super Admin

db.createUser({
  user: "admin",
  pwd: "strongPassword123",
  roles: [
    { role: "userAdminAnyDatabase", db: "admin" },
    { role: "readWriteAnyDatabase", db: "admin" },
    { role: "dbAdminAnyDatabase", db: "admin" },
    { role: "clusterAdmin", db: "admin" }
  ]
})

Login as Administrator

mongosh -u admin -p --authenticationDatabase admin

Built-in Roles

Database User Roles

| Role | Permissions |
|------|-------------|
| read | Read all non-system collections |
| readWrite | Read and write all non-system collections |

Database Administration Roles

| Role | Permissions |
|------|-------------|
| dbAdmin | Perform administrative tasks (indexes, statistics, etc.) |
| dbOwner | Database owner permissions (readWrite + dbAdmin + userAdmin) |
| userAdmin | Manage users and roles |

Cluster Administration Roles

| Role | Permissions |
|------|-------------|
| clusterAdmin | Cluster administration permissions |
| clusterManager | Cluster monitoring and management |
| clusterMonitor | Read-only cluster monitoring |
| hostManager | Server management |

Backup and Restore Roles

| Role | Permissions |
|------|-------------|
| backup | Backup data |
| restore | Restore data |

All Database Roles

| Role | Permissions |
|------|-------------|
| readAnyDatabase | Read all databases |
| readWriteAnyDatabase | Read and write all databases |
| userAdminAnyDatabase | Manage users for all databases |
| dbAdminAnyDatabase | Administer all databases |

Create Regular Users

Read-Only User

use mydb

db.createUser({
  user: "readonly",
  pwd: "password123",
  roles: [
    { role: "read", db: "mydb" }
  ]
})

Read-Write User

db.createUser({
  user: "appuser",
  pwd: "appPassword456",
  roles: [
    { role: "readWrite", db: "mydb" }
  ]
})

Multi-Database User

db.createUser({
  user: "multiuser",
  pwd: "multiPassword789",
  roles: [
    { role: "readWrite", db: "mydb" },
    { role: "read", db: "reporting" },
    { role: "dbAdmin", db: "mydb" }
  ]
})

User Management Operations

View All Users

use admin
db.system.users.find().pretty()

// Or list only the users defined in the current database (here: admin)
show users

View Current Database Users

use mydb
db.getUsers()

Change User Password

db.changeUserPassword("appuser", "newPassword")

Grant Roles

db.grantRolesToUser("appuser", [
  { role: "dbAdmin", db: "mydb" }
])

Revoke Roles

db.revokeRolesFromUser("appuser", [
  { role: "dbAdmin", db: "mydb" }
])

Drop User

db.dropUser("appuser")

Custom Roles

Create Custom Role

use admin

db.createRole({
  role: "appReadWrite",
  privileges: [
    {
      resource: { db: "mydb", collection: "" },  // "" = all non-system collections in mydb
      actions: ["find", "insert", "update", "remove"]
    },
    {
      resource: { db: "mydb", collection: "system.indexes" },
      actions: ["find"]
    }
  ],
  roles: []
})

Use Custom Role

db.createUser({
  user: "customuser",
  pwd: "customPass",
  roles: [
    { role: "appReadWrite", db: "admin" }
  ]
})

View Role Information

db.getRole("appReadWrite", { showPrivileges: true })

Drop Role

db.dropRole("appReadWrite")

Connection String Authentication

Basic Connection String

mongodb://username:password@localhost:27017/database?authSource=admin

Examples

// Node.js
const uri = "mongodb://appuser:appPassword456@localhost:27017/mydb?authSource=mydb";

# Python
client = MongoClient("mongodb://appuser:appPassword456@localhost:27017/mydb?authSource=mydb")

// Java
String uri = "mongodb://appuser:appPassword456@localhost:27017/mydb?authSource=mydb";

Best Practices

1. Use Strong Passwords

  • At least 12 characters
  • Include uppercase, lowercase, numbers, and special characters
  • Rotate passwords regularly

2. Principle of Least Privilege

  • Grant only necessary permissions
  • Avoid using super admin roles
  • Create separate users for different applications

3. Network Security

  • Bind to specific IP addresses
  • Use a firewall to restrict access
  • Enable SSL/TLS encryption

# mongod.conf
net:
  bindIp: 127.0.0.1,10.0.0.5  # Restrict access IPs
  port: 27017

security:
  authorization: enabled
  keyFile: /path/to/keyfile  # Replica set authentication

4. Regular Auditing

// View user permissions
db.getUsers()

// View role permissions
db.getRoles({ showPrivileges: true })
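
The audit and least-privilege advice above can be automated. The following is an added example, not code from the original tutorial: it checks user documents shaped like db.getUsers() entries against the built-in role tables. The role sets, the approvedAdmins parameter and the reportsvc and legacy accounts are assumptions made for illustration.

```javascript
// Added example (not from the original page): least-privilege audit of user
// documents shaped like the entries in db.getUsers() or admin.system.users.

// Built-in roles that span every database or the whole cluster (assumed
// policy list; "root" is a MongoDB built-in the tables above do not show).
const BROAD = new Set(["root", "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase", "clusterAdmin",
  "clusterManager", "hostManager", "backup", "restore"]);
// Roles that include user management, so the holder can grant itself more.
const ESCALATING = new Set(["root", "userAdmin", "userAdminAnyDatabase",
  "dbOwner"]);

// approvedAdmins: "db.user" ids allowed to hold such roles (hypothetical).
function auditUsers(users, approvedAdmins = []) {
  const approved = new Set(approvedAdmins);
  const findings = [];
  for (const u of users) {
    const id = `${u.db}.${u.user}`;
    if (approved.has(id)) continue;
    for (const { role, db } of u.roles || []) {
      const issues = [];
      if (BROAD.has(role)) issues.push("scope beyond one database");
      if (ESCALATING.has(role)) issues.push("can grant roles to itself");
      if (issues.length) findings.push({ id, role, db, issues });
    }
  }
  return findings;
}

// Constructed sample: users from this page plus two drifted accounts.
const sampleUsers = [
  { user: "admin", db: "admin", roles: [
    { role: "userAdminAnyDatabase", db: "admin" },
    { role: "clusterAdmin", db: "admin" }] },
  { user: "appuser", db: "mydb", roles: [{ role: "readWrite", db: "mydb" }] },
  { user: "multiuser", db: "mydb", roles: [
    { role: "readWrite", db: "mydb" }, { role: "read", db: "reporting" },
    { role: "dbAdmin", db: "mydb" }] },
  { user: "reportsvc", db: "reporting", roles: [
    { role: "readAnyDatabase", db: "admin" }] },
  { user: "legacy", db: "mydb", roles: [{ role: "dbOwner", db: "mydb" }] },
];

for (const f of auditUsers(sampleUsers, ["admin.admin"])) {
  console.log(`${f.id}: ${f.role}@${f.db} -> ${f.issues.join(", ")}`);
}
```

Custom roles such as appReadWrite are not expanded here; inspect them with db.getRole and showPrivileges as shown earlier.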

Summary

MongoDB's user management features provide:

  • Role-Based Access Control (RBAC)
  • Rich built-in roles
  • Custom role support
  • Flexible user permission management

Used properly, these user management features effectively protect the database.

In the next chapter, we will learn about MongoDB Create Database.