Mongodb User Management And Roles Complete Guide

Last Update:2025-06-23T00:00:00 .NET School AI Teacher - SELECT ANY TEXT TO EXPLANATION. 8 mins read Difficulty-Level: beginner

Understanding the Core Concepts of MongoDB User Management and Roles

MongoDB User Management and Roles: Detailed Explanation with Important Information

MongoDB user management is a crucial aspect of database security. It involves creating, modifying, and deleting users who have access to the MongoDB deployment. The primary goals are to ensure that only authorized individuals can access specific data and functions within the database and to maintain accountability.

Creating Users

To create users in MongoDB, you must use an administraive user account. You can create a new user by using the createUser method on the specific database where you want the user to be active. For instance:

use admin
db.createUser({
    user: "johndoe",
    pwd: "securePassword123",
    roles: [
        { role: "read", db: "inventory" },
        { role: "readWrite", db: "sales" }
    ]
})

In this example, a user named johndoe is created with a password on the admin database but has different roles assigned to it in other databases (inventory and sales).

Modifying Users

Modifying users includes changing their password or updating their roles. To change a password:

use sales
db.changeUserPassword("johndoe", "newSecurePassword456")

To update roles, you can use updateUser method:

use inventory
db.updateUser("johndoe", { 
    roles: [ 
        { role: "readWrite", db: "inventory" }, 
        { role: "read", db: "sales" } 
    ] 
})

This command updates the roles of johndoe, granting readWrite access to the inventory db but downgrading his access to read for the sales db.

Deleting Users

Users can be deleted using the dropUser method:

use inventory
db.dropUser("johndoe")

This will remove johndoe from the inventory database.

Authentication Mechanisms

MongoDB supports several authentication mechanisms including SCRAM-SHA-1, SCRAM-SHA-256, MONGODB-X509 (X509 Certificate-based), GSSAPI (Kerberos v5), and LDAP. SCRAM-SHA-256 is the default mechanism starting from version 4.0.

Role-Based Access Control (RBAC)

MongoDB uses Role-Based Access Control to manage permissions. Each role defines a set of actions that can be performed on the database resources. Custom roles can also be created to include any combination of built-in roles and actions.

Built-In Roles

MongoDB includes a set of built-in roles grouped into categories:

Cluster Roles: Administer the cluster, monitor its performance, and back it up.
Database Roles: Control operations on a specific database.
Backup Restore Roles: Back up and restore the entire MongoDB instance or a specific database.
All Database Roles: Control actions across multiple databases.
Superuser Roles: Have all the rights in the system.
Read Write Roles: Manage read and write access.
Read Only Roles: Manage read-only access.

Custom Roles

If predefined roles do not meet your needs, you can create custom roles. Here’s an example for a custom role that combines privileges from two built-in roles, along with a few extra privileges:

use admin
db.createRole({
   role: "customReadWrite",
   privileges: [
      { resource: { db: "myDatabase", collection: "myCollection" }, actions: ["find", "insert", "update", "remove"] },
      { resource: { db: "myDatabase", collection: "" }, actions: ["collStats"] },
      { resource: { db: "", collection: "" }, actions: ["killCursors"] }
   ],
   roles: [ { role: "read", db: "myDatabase" }, { role: "readWrite", db: "myDatabase" } ]
})

The "customReadWrite" role provides find, insert, update, and remove permissions on a specific collection (in this case, "myCollection"), along with collStats for the entire database, and killCursors for the entire cluster.

Assigning Roles to Users

Roles can be assigned to users either at creation time or via the updateUser method. Assigning roles grants a user specific privileges as per the role definition:

use myDatabase
db.grantPrivilegesToUser(
   "johndoe",
   [
     { resource: { db: "myDatabase", collection: "importantCollection" }, actions: [ "find", "update" ] }
   ]
)

This command grants additional privileges to the johndoe user on the importantCollection collection.

Revoking Roles

You can revoke roles from users using the revokeRolesFromUser method:

use myDatabase
db.revokeRolesFromUser("johndoe", [
   { role: "dbAdmin", db: "administration" },
   { role: "readWrite", db: "myDatabase" }
])

This revokes dbAdmin role on administration DB and readWrite role on myDatabase from the johndoe user.

Viewing Users and Roles

To inspect existing users and roles, you can use specific commands. For instance, to list all users in a particular database:

use myDatabase
db.getUsers()

And to list all roles in a particular database:

use myDatabase
db.getRoles()

Important Information

Enable Authorization: By default MongoDB runs without authentication enabled. To enforce strict control, you must enable authorization, usually by setting the security.authorization parameter to enabled in the MongoDB configuration file.
Access Control List (ACL): MongoDB maintains an ACL that controls access. This ACL stores information about users and their roles.
Auditing Role Assignments: Regularly inspect role assignments to ensure that no user has unnecessary or outdated permissions.
Encryption for Credentials: MongoDB encrypts stored credentials in the $external database when X509 certificates are used to authenticate users.
Audit Logging: Enable audit logging to track who accesses your database, what action they perform, and when. This can help investigate unauthorized access and ensure compliance with regulations.
Role Inheritance: Users inherit roles from their direct roles as well as roles that those roles inherit. Be cautious while assigning multiple roles to prevent unexpected permissions escalations.
Role Updates Affect Sessions: If you update roles granted to a user, changes take effect for subsequent user sessions, not the current session.
Admin Roles: Users with admin roles have the most extensive set of privileges and should be granted carefully.

By understanding and properly managing MongoDB users and roles, you can ensure your database environment remains secure and compliant with industry standards. Proper implementation of RBAC principles, such as least privilege and role segregation, is essential for effective MongoDB security management.

General Keywords:

Online Code run

🔔 Note: Select your programming language to check or run code at

💻 Run Code Compiler

Step-by-Step Guide: How to Implement MongoDB User Management and Roles

Environment Setup

Before we start, ensure you have MongoDB installed and running on your machine. You can download it from the official website and follow the installation instructions for your operating system.

Step 1: Enable Authorization

By default, MongoDB runs without authorization. To enable it, you need to modify the MongoDB configuration file (mongod.conf).

security:
  authorization: enabled

After editing the configuration file, restart your MongoDB server:

For Linux: sudo service mongod restart
For macOS: brew services restart mongodb-community
For Windows: Use the Services manager to restart MongoDB

Step 2: Connect to MongoDB

Connect to the MongoDB instance using the mongo shell:

mongo --host localhost --port 27017

Step 3: Create an Admin User

Switch to the admin database and create an admin user. The admin user will have full control over MongoDB.

use admin
db.createUser(
  {
    user: "adminUser",
    pwd: "adminPassword",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

Now, you need to exit the shell and reconnect with the credentials of the newly created admin user.

exit
mongo -u adminUser -p adminPassword --authenticationDatabase admin

Step 4: Create a New Database

Create a new database to work with. In this example, we'll create a testDB database.

use testDB

Step 5: Create a User with Built-in Roles

MongoDB comes with several built-in roles that you can use. Here, we'll create a new user with read and write access to testDB.

db.createUser(
  {
    user: "testUser",
    pwd: "testPassword",
    roles: [
      { role: "readWrite", db: "testDB" }
    ]
  }
)

Step 6: List Users

You can list all users in the current database or in a specific database.

To list all users in the current database (testDB):

db.getUsers()

To list all users in the admin database:

use admin
db.getUsers()

Step 7: Modify User Roles

To update the roles of an existing user, use the db.grantRolesToUser() method.

For example, let's grant the dbOwner role to testUser in the testDB database.

use testDB
db.grantRolesToUser(
  "testUser",
  [
    { role: "dbOwner", db: "testDB" }
  ]
)

Step 8: Revoke User Roles

To revoke roles from a user, use the db.revokeRolesFromUser() method.

Let's revoke the readWrite role from testUser in the testDB database.

use testDB
db.revokeRolesFromUser(
  "testUser",
  [
    { role: "readWrite", db: "testDB" }
  ]
)

Step 9: Create a Custom Role

You can also create custom roles if you need more granular control over user permissions. Here’s how you can create a custom role called customReadWriteRole in the testDB database.

use testDB
db.createRole(
  {
    role: "customReadWriteRole",
    privileges: [
      { resource: { db: "testDB", collection: "" }, actions: ["find", "insert", "update", "remove"] }
    ],
    roles: []
  },
  { w: "majority" , wtimeout: 5000 }
)

Step 10: Assign the Custom Role to a User

After creating a custom role, you can assign it to a user.

use testDB
db.grantRolesToUser(
  "testUser",
  [
    { role: "customReadWriteRole", db: "testDB" }
  ]
)

Step 11: Remove a User

To remove a user from a database, use the db.dropUser() method.

For example, let's remove testUser from the testDB database.

use testDB
db.dropUser("testUser")

Step 12: Remove a Role

To remove a role from the database, use the db.dropRole() method.

For example, let's remove customReadWriteRole from the testDB database.

use testDB
db.dropRole("customReadWriteRole")

Example: Connecting to MongoDB as a Specific User

Finally, let’s see how you connect to MongoDB as the testUser.

mongo -u testUser -p testPassword --authenticationDatabase testDB

Summary

We covered the basics of MongoDB user management and roles:

Enabled authorization.
Connected to MongoDB and created an admin user.
Created a new database.
Created a user with built-in roles.
Listed users in a database.
Modified user roles.
Revoked user roles.
Created a custom role.
Assigned the custom role to a user.
Removed a user.
Removed a role.
Connected to MongoDB as a specific user.

Top 10 Interview Questions & Answers on MongoDB User Management and Roles

Top 10 Questions and Answers for MongoDB User Management and Roles

1. What is MongoDB User Management?

Answer: MongoDB User Management involves the creation, modification, and management of user accounts within a MongoDB database to control who can access and interact with the database. It provides a mechanism to authenticate and authorize users to perform actions based on their assigned roles.

2. How do you create a user in MongoDB?

Answer: To create a user in MongoDB, you can use the db.createUser() method. Here is an example:

db.createUser({
  user: "myUser",
  pwd: "securePassword",
  roles: [{ role: "readWrite", db: "myDatabase" }]
});

This command creates a user named "myUser" with a password "securePassword" and assigns the "readWrite" role to the "myDatabase" database.

3. What are the different built-in roles in MongoDB?

Answer: MongoDB comes with a set of built-in roles that grant varying levels of permissions:

Read/Write Roles: read, readWrite
Database Administration Roles: dbAdmin, dbOwner, userAdmin
Cluster Administration Roles: clusterAdmin, clusterManager, clusterMonitor, hostManager
Backup and Restore Roles: backup, restore
All Database Roles: readAnyDatabase, readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase
Superuser Roles: root

4. How do you modify a user's roles in MongoDB?

Answer: To modify a user's roles, you can use the db.grantPrivilegesToUser() method to add roles and db.revokePrivilegesFromUser() to remove roles, or you can use db.updateUser() to replace roles altogether. Here’s an example using db.updateUser():

db.updateUser(
  "myUser",
  {
    roles: [
      { role: "readWrite", db: "myDatabase" },
      { role: "dbAdmin", db: "myDatabase" }
    ]
  }
);

This command updates "myUser" to have both readWrite and dbAdmin roles on "myDatabase".

5. Can you create custom roles in MongoDB?

Answer: Yes, you can create custom roles in MongoDB by using the db.createRole() method. Custom roles can be tailored to specific needs and combined with actions to grant permissions not covered by the built-in roles. Here's an example:

db.createRole(
  {
    role: "customRole",
    privileges: [
      { resource: { db: "myDatabase", collection: "" }, actions: [ "find", "insert" ] }
    ],
    roles: [ "read" ]
  }
);

This command creates a role named "customRole" in "myDatabase" that allows finding and inserting documents, along with the permissions granted by the "read" role.

6. How do you delete a user in MongoDB?

Answer: To delete a user in MongoDB, you can use db.dropUser() method. Here's how to delete a user named "myUser" from the current database:

db.dropUser("myUser");

This command removes "myUser" from the current database. Before doing this, ensure you have the appropriate permissions (userAdmin or userAdminAnyDatabase).

7. How do you audit user actions and permissions in MongoDB?

Answer: MongoDB provides auditing features to monitor and record user actions. You can enable auditing by using the --auditDestination option when starting the MongoDB server. Additionally, MongoDB logs detailed information regarding user authentication and authorization in the MongoDB logs, which can be used for auditing purposes.

8. What is role inheritance in MongoDB?

Answer: Role inheritance is when a role includes other roles, thereby inheriting all the privileges of the roles it includes. This allows for a more modular and manageable role assignment. For example:

db.createRole(
  {
    role: "superRole",
    roles: [
      { role: "readWrite", db: "myDatabase" },
      { role: "dbAdmin", db: "myDatabase" }
    ],
    privileges: []
  }
);

Here, superRole inherits the privileges of both readWrite and dbAdmin roles.

9. How do you ensure data security using MongoDB User Management?

Answer: Ensuring data security in MongoDB involves:

Enabling Authentication: Use the --auth option to enforce authentication.
Role-Based Access Control (RBAC): Define roles with the minimum necessary permissions.
Audit Logging: Monitor and log activities for auditing.
Network Encryption: Use TLS/SSL to encrypt data in transit.
Data Encryption: Use encryption at rest to protect sensitive data.

10. Can users have multiple roles in MongoDB?

Answer: Yes, users in MongoDB can have multiple roles. When assigning roles to a user, you can specify multiple role entries, either within the same database or across different databases, allowing for a fine-grained access control strategy. Here is an example:

db.createUser(
  {
    user: "multiRoleUser",
    pwd: "securePassword",
    roles: [
      { role: "read", db: "database1" },
      { role: "dbAdmin", db: "database2" },
      { role: "userAdminAnyDatabase", db: "admin" }
    ]
  }
);

Here, "multiRoleUser" has read role on "database1", dbAdmin role on "database2", and userAdminAnyDatabase role in the "admin" database.