-
_create-users:
Create a User
-
default-domain:: mongodb
-
facet:: :name: programming_language :values: shell
-
contents:: On this page :local: :backlinks: none :depth: 3 :class: singlecol
With access control enabled, users are required to identify themselves. You have to grant a user one or more :ref:`roles <roles>`. A role grants a user :ref:`privileges <privileges>` to perform certain :ref:`actions <security-user-actions>` on MongoDB :ref:`resources <resource-document>`.
Each application and user of a MongoDB system should map to a distinct user. This principle of access isolation facilitates access revocation and ongoing user maintenance. To ensure a system of :term:`least privilege`, only grant the minimal set of privileges required to a user.
-
_add-user-prereq:
Prerequisites
To be able to create users, you need to:
-
:ref:`enable access control <enable-access-control>`
-
:ref:`create a user administrator <create-user-admin>`
For routine user creation, you must possess the following permissions:
-
include:: /includes/access-create-user.rst
-
_create-user-procedure:
Procedure
-
note::
The following procedure uses :ref:`authentication-scram` authentication. For additional information on other authentication mechanisms, see :ref:`create-users-examples`.
-
include:: /includes/steps/authorization-create-users.rst
-
seealso::
:doc:`/tutorial/manage-users-and-roles`
-
_create-users-examples:
-
_add-new-user:
Additional Examples
Username/Password Authentication
The following operation creates a user in the reporting
database with the specified name, password, and roles.
-
tip::
-
include:: /includes/extracts/mongosh-password-prompt.rst
-
code-block:: javascript
use reporting db.createUser( { user: "reportsUser", pwd: passwordPrompt(), // or cleartext password roles: [ { role: "read", db: "reporting" }, { role: "read", db: "products" }, { role: "read", db: "sales" }, { role: "readWrite", db: "accounts" } ] } )
Kerberos Authentication
-
include:: /includes/extracts/create-user-intro-kerberos.rst
For Kerberos authentication, you must add the Kerberos principal as the username. You do not need to specify a password.
The following operation adds the Kerberos principal
reportingapp@EXAMPLE.NET
with read-only access to the records
database:
-
code-block:: javascript
use $external db.createUser( { user: "reportingapp@EXAMPLE.NET", roles: [ { role: "read", db: "records" } ] } )
-
seealso::
For more information about setting up Kerberos authentication for your MongoDB deployment, see the following tutorials:
-
:doc:`/tutorial/control-access-to-mongodb-with-kerberos-authentication`
-
:doc:`/tutorial/control-access-to-mongodb-windows-with-kerberos-authentication`
-
LDAP Authentication
-
include:: /includes/extracts/create-user-intro-ldap.rst
For LDAP authentication, you must specify a username. You do not need to specify the password, as that is handled by the LDAP service.
The following operation adds the reporting
user with read-only
access to the records
database:
-
code-block:: javascript
use $external db.createUser( { user: "reporting", roles: [ { role: "read", db: "records" } ] } )
-
seealso::
For more information about setting up LDAP authentication for your MongoDB deployment, see the following tutorials:
-
:doc:`/tutorial/configure-ldap-sasl-activedirectory`
-
:doc:`/tutorial/configure-ldap-sasl-openldap`
-
x.509 Client Certificate Authentication
-
include:: /includes/extracts/create-user-intro-x509.rst
For x.509 Client Certificate authentication, you must add the value of
the subject
from the client certificate as a MongoDB user. Each
unique x.509 client certificate corresponds to a single MongoDB user.
You do not need to specify a password.
The following operation adds the client certificate subject
CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry
user with read-only access to the records
database.
-
code-block:: javascript
use $external db.createUser( { user: "CN=myName,OU=myOrgUnit,O=myOrg,L=myLocality,ST=myState,C=myCountry", roles: [ { role: "read", db: "records" } ] } )
-
seealso::
For more information about setting up x.509 Client Certificate authentication for your MongoDB deployment, see the following tutorials:
-
:doc:`/tutorial/configure-x509-client-authentication`
-
Next Steps
To manage users, assign roles, and create custom roles, see :doc:`/tutorial/manage-users-and-roles`.