1. _create-users:

Create a User

  1. default-domain:: mongodb

  2. facet:: :name: programming_language :values: shell

  3. contents:: On this page :local: :backlinks: none :depth: 3 :class: singlecol

With access control enabled, users are required to identify themselves. You have to grant a user one or more :ref:`roles <roles>`. A role grants a user :ref:`privileges <privileges>` to perform certain :ref:`actions <security-user-actions>` on MongoDB :ref:`resources <resource-document>`.

Each application and user of a MongoDB system should map to a distinct user. This principle of access isolation facilitates access revocation and ongoing user maintenance. To ensure a system of :term:`least privilege`, only grant the minimal set of privileges required to a user.

  1. _add-user-prereq:

Prerequisites

To be able to create users, you need to:

  • :ref:`enable access control <enable-access-control>`

  • :ref:`create a user administrator <create-user-admin>`

For routine user creation, you must possess the following permissions:

  1. include:: /includes/access-create-user.rst

  2. _create-user-procedure:

Procedure

  1. note::

    The following procedure uses :ref:`authentication-scram`
authentication. For additional information on other authentication
mechanisms, see :ref:`create-users-examples`.

  2. include:: /includes/steps/authorization-create-users.rst

  3. seealso::

    :doc:`/tutorial/manage-users-and-roles`

  4. _create-users-examples:

  5. _add-new-user:

Additional Examples

Username/Password Authentication

The following operation creates a user in the reporting database with the specified name, password, and roles.

  1. tip::

  2. include:: /includes/extracts/mongosh-password-prompt.rst

  3. code-block:: javascript

    use reporting
db.createUser(
  {
    user: "reportsUser",
    pwd: passwordPrompt(),  // or cleartext password
    roles: [
       { role: "read", db: "reporting" },
       { role: "read", db: "products" },
       { role: "read", db: "sales" },
       { role: "readWrite", db: "accounts" }
    ]
  }
)

Kerberos Authentication

  1. include:: /includes/extracts/create-user-intro-kerberos.rst

For Kerberos authentication, you must add the Kerberos principal as the username. You do not need to specify a password.

The following operation adds the Kerberos principal reportingapp@EXAMPLE.NET with read-only access to the records database:

  1. code-block:: javascript

    use $external
db.createUser(
    {
      user: "reportingapp@EXAMPLE.NET",
      roles: [
         { role: "read", db: "records" }
      ]
    }
)

  2. seealso::

    For more information about setting up Kerberos authentication for
your MongoDB deployment, see the following tutorials:

    • :doc:`/tutorial/control-access-to-mongodb-with-kerberos-authentication`

    • :doc:`/tutorial/control-access-to-mongodb-windows-with-kerberos-authentication`

LDAP Authentication

  1. include:: /includes/extracts/create-user-intro-ldap.rst

For LDAP authentication, you must specify a username. You do not need to specify the password, as that is handled by the LDAP service.

The following operation adds the reporting user with read-only access to the records database:

  1. code-block:: javascript

    use $external
db.createUser(
    {
      user: "reporting",
      roles: [
         { role: "read", db: "records" }
      ]
    }
)

  2. seealso::

    For more information about setting up LDAP authentication for
your MongoDB deployment, see the following tutorials:

    • :doc:`/tutorial/configure-ldap-sasl-activedirectory`

    • :doc:`/tutorial/configure-ldap-sasl-openldap`

x.509 Client Certificate Authentication

  1. include:: /includes/extracts/create-user-intro-x509.rst

For x.509 Client Certificate authentication, you must add the value of the subject from the client certificate as a MongoDB user. Each unique x.509 client certificate corresponds to a single MongoDB user. You do not need to specify a password.

The following operation adds the client certificate subject CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry user with read-only access to the records database.

  1. code-block:: javascript

    use $external
db.createUser(
    {
      user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry",
      roles: [
         { role: "read", db: "records" }
      ]
    }
)

  2. seealso::

    For more information about setting up x.509 Client Certificate
authentication for your MongoDB deployment, see the following
tutorials:

    • :doc:`/tutorial/configure-x509-client-authentication`

Next Steps

To manage users, assign roles, and create custom roles, see :doc:`/tutorial/manage-users-and-roles`.