Creating Users and Assigning Roles in MongoDB

Creating Users and Assigning Roles in MongoDB

In MongoDB, access control is managed through users and roles. When authorization is enabled, users must be created and authenticated before they can perform actions on the database.

Each user is associated with one or more roles, which determine what the user is allowed to do — such as reading from a collection, writing to a database, or administering the server.

Why Use Users and Roles?

By default, MongoDB starts with no authentication, which means anyone can access the database. This might be fine for development, but it’s insecure for production.

Creating users and assigning specific roles helps you:

• Control who can access your database
• Restrict actions users can perform
• Enforce least-privilege principles

Enabling Authorization

Before you can use users and roles, make sure MongoDB is running with authorization enabled.

    mongod --auth --dbpath /data/db
    

This starts the MongoDB server with authentication mode on.

Step 1: Connect Without Authentication (Initial Setup)

If you haven’t created any users yet, you can connect to the database without credentials (just for initial setup).

    mongo
    

Step 2: Switch to the admin Database

    use admin
    

Step 3: Create the First Admin User

This user will have full privileges over the entire server.

    db.createUser({
      user: "adminUser",
      pwd: "adminPass123",
      roles: [ { role: "userAdminAnyDatabase", db: "admin" }, "readWriteAnyDatabase" ]
    });
    

    Successfully added user: { "user" : "adminUser", "roles" : [ ... ] }
    

Explanation: The userAdminAnyDatabase role allows this user to create and manage other users. readWriteAnyDatabase gives read and write permissions on all databases.

Step 4: Authenticate with the Admin User

    mongo -u "adminUser" -p "adminPass123" --authenticationDatabase "admin"
    

Explanation: Now that authentication is enabled, you must use the admin credentials to connect and perform further operations.

Step 5: Create a Regular Application User

Let’s create a user that only has access to a specific database, for example, inventory.

    use inventory

    db.createUser({
      user: "appUser",
      pwd: "appPass456",
      roles: [ { role: "readWrite", db: "inventory" } ]
    });
    

    Successfully added user: { "user" : "appUser", "roles" : [ { "role" : "readWrite", "db" : "inventory" } ] }
    

Explanation: This user can only read and write data in the inventory database. They cannot access other databases or perform administrative tasks.

Intuition Check

Q: Can appUser drop collections in the admin database?

A: No! Because their role is scoped only to the inventory database and does not include admin privileges.

Common Built-in Roles

• read: Can read data from a database.
• readWrite: Can read and write data.
• dbAdmin: Database administration tasks (indexes, stats, etc.)
• userAdmin: Create and manage users on a specific DB.
• readWriteAnyDatabase: Read/write on all databases.
• dbOwner: Full control over a specific database.
• userAdminAnyDatabase: Manage users on any database.

Verifying Users

To list all users in the current database:

    db.getUsers()
    

    [
      {
        "_id" : "inventory.appUser",
        "user" : "appUser",
        "db" : "inventory",
        "roles" : [ { "role" : "readWrite", "db" : "inventory" } ]
      }
    ]
    

Deleting a User

If you want to delete a user:

    db.dropUser("appUser")
    

    true
    

Summary

MongoDB provides a flexible, role-based access control system. By defining users and roles, you can ensure that only authorized users can perform specific actions on your databases.

This not only protects your data but also allows better organization of user responsibilities across your application.

Next Step

In the next lesson, we’ll cover MongoDB Security Best Practices to further harden your deployment for production environments.