Access Control

MongoDB provides support for authentication and authorization on a per-database level. Users exist in the context of a single logical database.


MongoDB provisions authentication, or verification of the user identity, on a per-database level. Authentication disables anonymous access to the database. For basic authentication, MongoDB stores the user credentials in a database’s system.users collection.

Authentication is disabled by default. To enable authentication for a given mongod or mongos instance, use the auth and keyFile configuration settings. For details, see Enable Authentication.

For MongoDB Enterprise installations, authentication using a Kerberos service is available. See Deploy MongoDB with Kerberos Authentication.


You can authenticate as only one user for a given database. If you authenticate to a database as one user and later authenticate on the same database as a different user, the second authentication invalidates the first. You can, however, log into a different database as a different user and not invalidate your authentication on other databases, though this is not a recommended approach.

Each client connection should authenticate as exactly one user.


MongoDB provisions authorization, or access to databases and operations, on a per-database level. MongoDB uses a role-based approach to authorization, storing each user’s roles in a privilege document in a database’s system.users collection. For more information on privilege documents and available user roles, see system.users Privilege Documents and User Privilege Roles in MongoDB.


The admin database provides roles that are unavailable in other databases, including a role that effectively makes a user a MongoDB system superuser. See Database Administration Roles and Administrative Roles.

To assign roles to users, you must be a user with administrative role in the database. As such, you must first create an administrative user. For details, see Create a User Administrator and Add a User to a Database.

system.users Collection

A database’s system.users collection stores information for authentication and authorization to that database. Specifically, the collection stores user credentials for authentication and user privilege information for authorization. MongoDB requires authorization to access the system.users collection in order to prevent privilege escalation attacks. To access the collection, you must have either userAdmin or userAdminAnyDatabase role.

Changed in version 2.4: The schema of system.users changed to accommodate a more sophisticated authorization using user privilege model, as defined in privilege documents.