Mongodb logo SQL Tutorial

MongoDB User Management Commands

Create New User - createUser Command

The createUser command is used to create a new user on the database where you run the command. The createUser command returns an error message if the user already exists.

A database name must have to mention at the time to create a new user with createUser action.

A grantRole action must have to mention on a role’s database to grant the role to another user.

If you have the userAdmin or userAdminAnyDatabase role, or if you are authenticated using the localhost exception, you have those actions.

Syntax:

{ createUser: "<name>",
  pwd: "<cleartext password>",
  customData: { <any information> },
  roles: [
    { role: "<role>", db: "<database>" } | "<role>",
    ...
  ],
  writeConcern: { <write concern> }
}			 

Parameters:

Name Type Description
createUser string The name of the new user.
pwd string The user’s password.
customData document Optional.
roles array The roles granted to the user
writeConcern document Optional. The write concern briefs the guarantee that MongoDB provides at the time of reporting on the success of a write operation. w: 1 as the default write concern.

Assume that our database name is userdetails and there are the following document:

db.userdetails.insert({"user_id" : "user1","password" :"1a2b3c" ,
"date_of_join" : "16/10/2010" ,"education" :"M.C.A." ,
 "profession" : "CONSULTANT","interest" : "MUSIC",
 "community_name" :["MODERN MUSIC", "CLASSICAL MUSIC","WESTERN MUSIC"],
 "community_moder_id" : ["MR. Alex","MR. Dang","MR Haris"],
 "community_members" : [700,200,1500],
 "friends_id" : ["kumar","harry","anand"],
 "ban_friends_id" :["Amir","Raja","mont"]});   

Example

The following createUser command creates a user myNewuser on the userdetails database. The command gives myNewuser the clusterAdmin and readAnyDatabase roles on the admin database and the readWrite role on the userdetails database:

db.getSiblingDB("userdetails").runCommand( { createUser: "myNewuser",
                                          pwd: "thisPassword",
                                          customData: { profession : "DOCTOR" },
                                          roles: [
                                                   { role: "clusterAdmin", db: "admin" },
                                                   { role: "readAnyDatabase", db: "admin" },
                                                   "readWrite"
                                                 ],
                                          writeConcern: { interest : "SPORTS" }
                                       } )             

Example: Create more user

The following createUser command creates a user myNewuser1 on the userdetails database. The command gives myNewuser1 the clusterAdmin and the readWrite role on the userdetails database:

db.getSiblingDB("userdetails").runCommand( { createUser: "myNewuser1",
                                          pwd: "thisPassword",
                                          customData: { profession : "DOCTOR" },
                                          roles: [
                                                   { role: "clusterAdmin", db: "admin" },
                                                   "readWrite"
                                                 ],
                                          writeConcern: { interest : "SPORTS" }
                                       } )             

If we type wrongly in the above statement myNewuser instead of myNewuser1 then the following error message as an output will appear beacuse the user already exists

{
        "ok" : 0,
        "errmsg" : "User \"[email protected]\" already exists",
        "code" : 11000
}         

To see the User Information - usersInfo Command

The command usersInfo returns information about one or more users.

Syntax:

{ usersInfo: { user: <name>, db: <db> },
  showCredentials: <Boolean>,
  showPrivileges: <Boolean>
}			 

Parameters:

Name Type Description
usersInfo various The user(s) about whom to return information.
showCredentials Boolean Optional. If the field set to true the user’s password hash will be displayed, it is false by default.
showPrivileges Boolean Optional. If the field set to true to show the user’s full set of privileges, including expanded information for the inherited roles, it is false by default.

Example to View Specific User

To see information but not the credentials, for the user "myNewuser" defined in "userdetails" database, run the following command:

db.runCommand(
               {
                 usersInfo:  { user: "myNewuser", db: "userdetails" },
                 showPrivileges: false
               }
)     

Output:

{
        "users" : [
                {
                        "_id" : "userdetails.myNewuser",
                        "user" : "myNewuser",
                        "db" : "userdetails",
                        "customData" : {
                                "profession" : "DOCTOR"
                        },
                        "roles" : [
                                {
                                        "role" : "clusterAdmin",
                                        "db" : "admin"
                                },
                                {
                                        "role" : "readAnyDatabase",
                                        "db" : "admin"
                                },
                                {
                                        "role" : "readWrite",
                                        "db" : "userdetails"
                                }
                        ]
                }
        ],
        "ok" : 1
}    

Example to View Multiple User

To view info for several users, use an array, with or without the optional fields showPrivileges and showCredentials. For example:

db.runCommand( { usersInfo: [ { user: "myNewuser", db: "userdetails" }, 
                 { user: "myNewuser1", db: "userdetails" } ],
                 showPrivileges: false
                 } );     

Output:

{
        "users" : [
                {
                        "_id" : "userdetails.myNewuser",
                        "user" : "myNewuser",
                        "db" : "userdetails",
                        "customData" : {
                                "profession" : "DOCTOR"
                        },
                        "roles" : [
                                {
                                        "role" : "clusterAdmin",
                                        "db" : "admin"
                                },
                                {
                                        "role" : "readAnyDatabase",
                                        "db" : "admin"
                                },
                                {
                                        "role" : "readWrite",
                                        "db" : "userdetails"
                                }
                        ]
                },
                {
                        "_id" : "userdetails.myNewuser1",
                        "user" : "myNewuser1",
                        "db" : "userdetails",
                        "customData" : {
                                "profession" : "Engineer"
                        },
                        "roles" : [
                                {
                                        "role" : "clusterAdmin",
                                        "db" : "admin"
                                },
                                {
                                        "role" : "readWrite",
                                        "db" : "userdetails"
                                }
                        ]
                }
        ],
        "ok" : 1
}

Example to View All Users for a Database

To view all users on the database the following command can be used:

db.runCommand( { usersInfo: 1 , showCredentials : false} );   

Output:

{
        "users" : [
                {
                        "_id" : "userdetails.myNewuser",
                        "user" : "myNewuser",
                        "db" : "userdetails",
                        "customData" : {
                                "profession" : "DOCTOR"
                        },
                        "roles" : [
                                {
                                        "role" : "clusterAdmin",
                                        "db" : "admin"
                                },
                                {
                                        "role" : "readAnyDatabase",
                                        "db" : "admin"
                                },
                                {
                                        "role" : "readWrite",
                                        "db" : "userdetails"
                                }
                        ]
                },
                {
                        "_id" : "userdetails.myNewuser1",
                        "user" : "myNewuser1",
                        "db" : "userdetails",
                        "customData" : {
                                "profession" : "Engineer"
                        },
                        "roles" : [
                                {
                                        "role" : "clusterAdmin",
                                        "db" : "admin"
                                },
                                {
                                        "role" : "readWrite",
                                        "db" : "userdetails"
                                }
                        ]
                }
        ],
        "ok" : 1
}

If showCredential is true the output will be the following:

{
        "users" : [
                {
                        "_id" : "userdetails.myNewuser",
                        "user" : "myNewuser",
                        "db" : "userdetails",
                        "credentials" : {
                                "MONGODB-CR" : "28fcdbb5d879ccf086bd6404bd06b230"
                        },
                        "customData" : {
                                "profession" : "DOCTOR"
                        },
                        "roles" : [
                                {
                                        "role" : "clusterAdmin",
                                        "db" : "admin"
                                },
                                {
                                        "role" : "readAnyDatabase",
                                        "db" : "admin"
                                },
                                {
                                        "role" : "readWrite",
                                        "db" : "userdetails"
                                }
                        ]
                },
                {
                        "_id" : "userdetails.myNewuser1",
                        "user" : "myNewuser1",
                        "db" : "userdetails",
                        "credentials" : {
                                "MONGODB-CR" : "9b08b3a68eef34d462bdb2e5b2037438"
                        },
                        "customData" : {
                                "profession" : "Engineer"
                        },
                        "roles" : [
                                {
                                        "role" : "clusterAdmin",
                                        "db" : "admin"
                                },
                                {
                                        "role" : "readWrite",
                                        "db" : "userdetails"
                                }
                        ]
                }
        ],
        "ok" : 1
}

To Update the User Information - updateUser Command

The updateUser command updates the profile of the user on the specific database. This command completely replaces the data of the previous field’s values. It is required to specify the updateUser field and at least one other field, other than writeConcern to update a user.

Syntax:

{ updateUser: "<username>",
  pwd: "<cleartext password&glt;",
  customData: { <any information> },
  roles: [
    { role: "<role>", db: "<database>" } | "<role>",
    ...
  ],
  writeConcern: { <write concern> }
}		 

Parameters:

Name Type Description
updateUser string The name of the user to update.
pwd string Optional. The user’s password.
customData document Optional. Any arbitrary information.
roles array Optional. The roles granted to the user. An update to the roles array replace the values of the previous array.
writeConcern document Optional. The write concern briefs the guarantee that MongoDB provides at the time of reporting on the success of a write operation. w: 1 as the default write concern.

Example

Here in below a user myNewuser in the userdetails database with the following user info:

{
        "users" : [
                {
                        "_id" : "userdetails.myNewuser",
                        "user" : "myNewuser",
                        "db" : "userdetails",
                        "customData" : {
                                "profession" : "DOCTOR"
                        },
                        "roles" : [
                                {
                                        "role" : "clusterAdmin",
                                        "db" : "admin"
                                },
                                {
                                        "role" : "readAnyDatabase",
                                        "db" : "admin"
                                },
                                {
                                        "role" : "readWrite",
                                        "db" : "userdetails"
                                }
                        ]
                }
        ]
  }    

The following updateUser command completely replaces the user’s customData and roles data:

use userdetails
db.runCommand( { updateUser : "myNewuser",
                 customData : { profession : "Classical Music" },
                 roles : [
                           { role : "read", db : "assets"  }
                         ]
             } ) 

Here is the output after update the user:

> db.runCommand(
                {
                  usersInfo:  { user: "myNewuser", db: "userdetails" },
                 showPrivileges: false
               }
 );

{
        "users" : [
                {
                        "_id" : "userdetails.myNewuser",
                        "user" : "myNewuser",
                        "db" : "userdetails",
                        "customData" : {
                                "profession" : "Classical Music"
                        },
                        "roles" : [
                                {
                                        "role" : "read",
                                        "db" : "assets"
                                }
                        ]
                }
        ],
        "ok" : 1
}

To Drop the User Information - dropUser Command

The dropUser command is used to remove the user from the concern database.

Syntax:

{
  dropUser: "<user>",
  writeConcern: { <write concern> }
}

Parameters:

Name Type Description
dropUser string The name of the user to delete. This command will work only the database where the user exists.
writeConcern document Optional. The write concern briefs the guarantee that MongoDB provides at the time of reporting on the success of a write operation. w: 1 as the default write concern. .

Example

If we want to remove the user myNewuser1 from the userdetails database the following sequence of operations in the mongo shell can be used.

> use userdetails
switched to db userdetails
> db.runCommand( { dropUser: "myNewuser1"} );
  { "ok" : 1 }

Now if we want to view all the user for database userdetails the following result will appear where the user myNewuser1 will be excluded.

> db.runCommand( { usersInfo: 1 , showCredentials : false} );
{
        "users" : [
                {
                        "_id" : "userdetails.myNewuser",
                        "user" : "myNewuser",
                        "db" : "userdetails",
                        "customData" : {
                                "profession" : "Classical Music"
                        },
                        "roles" : [
                                {
                                        "role" : "read",
                                        "db" : "assets"
                                }
                        ]
                }
        ],
        "ok" : 1
}

To Drop All the Users Information - dropAllUsersFromDatabase Command

This command removes all users from the concern database on which you run the command.

Syntax:

{
dropAllUsersFromDatabase: 1,
 writeConcern: { <write concern> }
}

Parameters:

Name Type Description
dropAllUsersFromDatabase integer Specify 1 to drop all the users from the current database.
writeConcern document Optional. The write concern briefs the guarantee that MongoDB provides at the time of reporting on the success of a write operation. w: 1 as the default write concern.

Example

If we want to remove the user myNewuser1 from the userdetails database the following sequence of operations in the mongo shell can be used.

> use userdetails;
switched to db userdetails
> db.runCommand( { dropAllUsersFromDatabase: 1, writeConcern: { w: "majority" }});

Here is the output

{ "n" : 1, "ok" : 1 }

It means that the n field in the results document shows the number of users removed, here 1 user have been removed.

Now if we want to view the information of the user for database userdetails the following result will appear.

> db.runCommand( { usersInfo: 1 , showCredentials : false} );
{ "users" : [ ], "ok" : 1 }

To Grants additional roles to a user - grantRolesToUser Command

This command grants additional roles to a user.

Syntax:

{ grantRolesToUser: "<user>",
  roles: [ <roles> ],
  writeConcern: { <write concern> }
}

Parameters:

Name Type Description
grantRolesToUser string The name of the user to give additional roles.
roles array An array of additional roles to grant to the user.
writeConcern document Optional. The write concern briefs the guarantee that MongoDB provides at the time of reporting on the success of a write operation. w: 1 as the default write concern.

Example

Given a user myNewuser2 in the userdetails database with the following roles:

 {
                        "_id" : "userdetails.myNewuser2",
                        "user" : "myNewuser2",
                        "db" : "userdetails",
                        "customData" : {
                                "profession" : "painter"
                        },
                        "roles" : [
                                {
                                        "role" : "read",
                                        "db" : "usertransact"
                                },
                                {
                                        "role" : "readWrite",
                                        "db" : "userdetails"
                                }
                        ]
                }

The following grantRolesToUser operation gives myNewuser2 the read role on the usertransact database and the readWrite role on the userdetails database.

 {
                       "_id" : "userdetails.myNewuser2",
                       "user" : "myNewuser2",
                       "db" : "userdetails",
                       "customData" : {
                               "profession" : "painter"
                       },
                       "roles" : [
                               {
                                       "role" : "read",
                                       "db" : "usertransact"
                               },
                               {
                                       "role" : "read",
                                       "db" : "useraccount"
                               },
                               {
                                       "role" : "readWrite",
                                       "db" : "userdetails"
                               }
                       ]
               };

To Revoke Roles From a User - revokeRolesFromUser Command

This command is used to remove a one or more roles from a user on the database where the roles exist.

Syntax:

{ revokeRolesFromUser: "<user>",
  roles: [
    { role: "<role>", db: "<database>" } | "<role>",
    ...
  ],
  writeConcern: { <write concern> }
}

Parameters:

Name Type Description
revokeRolesFromUser string The user to remove roles from.
roles array The roles to revoke from the user.
writeConcern document Optional. The write concern briefs the guarantee that MongoDB provides at the time of reporting on the success of a write operation. w: 1 as the default write concern.

Example

Given a user myNewuser2 in the userdetails database with the following roles:

      {
                       "_id" : "userdetails.myNewuser2",
                       "user" : "myNewuser2",
                       "db" : "userdetails",
                       "customData" : {
                               "profession" : "painter"
                       },
                       "roles" : [
                               {
                                       "role" : "read",
                                       "db" : "usertransact"
                               },
                               {
                                       "role" : "read",
                                       "db" : "useraccount"
                               },
                               {
                                       "role" : "readWrite",
                                       "db" : "userdetails"
                               }
                       ]
               };

To remove the two of the user’s roles such as the read role on the usertransact database and the readWrite role on the userdetails database the following sequence of commands can be used.

use userdetails;
db.runCommand( { revokeRolesFromUser: "myNewuser2",
                 roles: [
                          { role: "read", db: "usertransact" },
                          "readWrite"
                 ],
                 writeConcern: { w: "majority" }
             } );

The user myNewuser2 in the userdetails database now has only one remaining role:

{
                        "_id" : "userdetails.myNewuser2",
                        "user" : "myNewuser2",
                        "db" : "userdetails",
                        "customData" : {
                                "profession" : "painter"
                        },
                        "roles" : [
                                {
                                        "role" : "read",
                                        "db" : "useraccount"
                                }
                        ]
                }