IBM Cloud Docs
Managing Users and Roles

Databases for MongoDB deployments come with authentication enabled and use MongoDB's role-based access control.

Add users in the UI in Service Credentials, with the Cloud Databases CLI plug-in, or the Cloud Databases API.

The admin user

When you provision a Databases for MongoDB deployment, an admin user is automatically created.

Set the admin password before using it to connect.

The admin user has the following permissions:

  • userAdminAnyDatabase provides the same privileges as userAdmin on all databases except local and config, plus the listDatabases action on the cluster as a whole. This is the role that gives admin its administrative power: with it, admin can create users and grant any role on the deployment, including any of the MongoDB built-in roles, to any user, itself included. Because the role can grant any privilege to anyone, it is effectively a superuser role, so treat the admin password with the same care as a root credential. For example, to monitor your deployment, log in to the mongo shell as admin and grant the clusterMonitor role to a user (here, admin itself) with a command like:

    db.grantRolesToUser(
     "admin",
     [
       { role: "clusterMonitor", db: "admin" }
     ]
    )
    
  • readWriteAnyDatabase provides the same privileges as readWrite on all databases except local and config.

  • dbAdminAnyDatabase provides the same privileges as dbAdmin on all databases except local and config.

Setting the Admin Password in the UI

Set your Admin Password through the UI by selecting your instance from the Resource List in the IBM Cloud Dashboard. Then, select Settings. Next, select Change Database Admin Password.

Setting the Admin Password in the CLI

Use the cdb user-password command from the IBM Cloud CLI Cloud Databases plug-in to set the admin password.

For example, to set the admin password for a deployment named example-deployment, use the following command:

ibmcloud cdb user-password example-deployment admin <newpassword>

Setting the Admin Password in the API

The Foundation Endpoint that is shown in the Deployment Details section of the Overview panel of your service provides the base URL to access this deployment through the API. Use it with the Set specified user's password endpoint to set the admin password. The Authorization header takes an IAM access token (for example, the token printed by ibmcloud iam oauth-tokens), not your raw API key:

curl -X PATCH 'https://api.{region}.databases.cloud.ibm.com/v5/ibm/deployments/{id}/users/admin' \
  -H "Authorization: Bearer $IAM_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"password":"newrootpasswordsupersecure21"}'

Managing Users and Roles through the UI

  1. Go to the service dashboard for your service.
  2. Click Service Credentials to open the Service Credentials section.
  3. Click New Credential.
  4. Choose a descriptive name for your new credential.
  5. (Optional) Specify whether the new credentials use a public or private endpoint. Enter { "service-endpoints": "public" } or { "service-endpoints": "private" } in the Add Inline Configuration Parameters field to generate connection strings that use the specified endpoint. Use of the endpoint is not enforced; the setting only controls which hostnames appear in the connection strings. Public endpoints are generated by default.
  6. Click Add to provision the new credentials. A username and password, and an associated MongoDB user is auto-generated.

The new credentials appear in the table, and the connection strings are available as JSON in a click-to-copy field under View Credentials.

Creating a user from the CLI or API doesn't automatically populate that user's connection strings into Service Credentials. If you want to add them there, create a new credential with the existing user information by entering the username and password in the JSON field under Add Inline Configuration Parameters, for example {"existing_credentials":{"username":"Robert","password":"supersecure"}}. Service Credentials then generates the connection strings with those credentials filled in.

Generating credentials from an existing user does not check for or create that user. The password you enter is stored in the credential and is visible to anyone who can view it, so grant access to Service Credentials as carefully as you would grant access to the database itself.

Users that you create through Service Credentials are given the roles readWriteAnyDatabase and dbAdminAnyDatabase.

If you need users that are created from Service Credentials to have a different role, you can use the admin user to change their role.

Managing Users and Roles through the CLI

Users that are created in the CLI are given the roles readWriteAnyDatabase and dbAdminAnyDatabase.

If you need users to have a different role, you can use the admin user to change their role.

Users that are created directly from the CLI do not appear in Service Credentials, but you can add them.

If you manage your service through the Cloud Databases CLI plug-in, create a new user with cdb user-create. For example, to create a new user for an "example-deployment", use the following command:

ibmcloud cdb user-create example-deployment <newusername> <newpassword>

When the task finishes, retrieve the new user's connection strings with the ibmcloud cdb deployment-connections command.

MongoDB centralizes user data in the admin database. List all users and their roles and database permissions in the mongo shell by using the show users command.

ibmcloud cdb deployment-connections --start -u admin mongodb-production
Database Password>>
MongoDB shell version v4.0.3
connecting to: mongodb://....
....
replset:PRIMARY> use admin
switched to db admin
replset:PRIMARY> show users
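Users created through Service Credentials, the CLI, or the API all start with readWriteAnyDatabase and dbAdminAnyDatabase, which reach every database on the deployment. The following script, added here as an example and not part of the IBM Cloud docs, audits the output of show users (in its usersInfo form) for such deployment-wide roles and builds the admin-run commands that scope a user down to one database. Run under Node.js it works on a constructed sample; pasted into mongosh as admin it audits the live deployment and prints the commands for review. The user names, the target database appdb, and the exempt list are assumptions for the example.

```javascript
// Added example (not from the IBM Cloud docs): audit the admin database for
// users holding deployment-wide roles and build the runCommand documents that
// replace those roles with a single-database role. Pure functions run under
// Node.js; the block at the end runs only inside mongosh, where `db` exists.

// Roles that reach every database or the cluster itself. A user that serves
// one application but holds one of these is over-privileged.
const BROAD_ROLES = new Set([
  "readAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase",
  "userAdminAnyDatabase", "clusterAdmin", "clusterManager", "clusterMonitor",
  "hostManager", "backup", "restore", "root",
]);

// Accounts whose roles must not be touched: the deployment admin and the
// internal ibm user described on this page. (Assumed exempt list.)
const EXEMPT_USERS = new Set(["admin", "ibm"]);

// `users` is the array returned by { usersInfo: 1 } on the admin database.
// Returns each non-exempt user that holds at least one broad role.
function findOverPrivileged(users, exempt = EXEMPT_USERS) {
  return users
    .filter((u) => !exempt.has(u.user))
    .map((u) => ({
      user: u.user,
      roles: u.roles || [],
      broadRoles: (u.roles || []).filter((r) => BROAD_ROLES.has(r.role)),
    }))
    .filter((entry) => entry.broadRoles.length > 0);
}

// Commands (runCommand form, executed on the admin database) that grant the
// narrow role first and only then revoke the broad ones, so the user is never
// left with no privileges in between. `mode` is "readWrite" or "read".
function scopeDownCommands(username, currentRoles, targetDb, mode = "readWrite") {
  const cmds = [{ grantRolesToUser: username, roles: [{ role: mode, db: targetDb }] }];
  const toRevoke = currentRoles.filter((r) => BROAD_ROLES.has(r.role));
  if (toRevoke.length > 0) {
    cmds.push({ revokeRolesFromUser: username, roles: toRevoke });
  }
  return cmds;
}

// Constructed sample in the shape of
// db.getSiblingDB("admin").runCommand({ usersInfo: 1 }).users (only the
// fields read here). Not captured from a real deployment.
const SAMPLE_USERS = [
  { user: "admin", db: "admin", roles: [
      { role: "userAdminAnyDatabase", db: "admin" },
      { role: "readWriteAnyDatabase", db: "admin" },
      { role: "dbAdminAnyDatabase", db: "admin" } ] },
  { user: "ibm", db: "admin", roles: [{ role: "root", db: "admin" }] },
  // a user generated by Service Credentials or the CLI, with the default roles
  { user: "jane_smith", db: "admin", roles: [
      { role: "readWriteAnyDatabase", db: "admin" },
      { role: "dbAdminAnyDatabase", db: "admin" } ] },
  // a user that is already limited to one database
  { user: "reports", db: "admin", roles: [{ role: "read", db: "analytics" }] },
];

// Audit the sample and propose commands scoping each finding to "appdb"
// (the target database is an assumption of this example).
function auditSample() {
  return findOverPrivileged(SAMPLE_USERS).map((f) => ({
    user: f.user,
    commands: scopeDownCommands(f.user, f.roles, "appdb"),
  }));
}

// Inside mongosh: audit the live deployment and print the proposed commands.
// Review them, then run each with db.getSiblingDB("admin").runCommand(cmd).
if (typeof db !== "undefined") {
  const live = db.getSiblingDB("admin").runCommand({ usersInfo: 1 }).users;
  for (const f of findOverPrivileged(live)) {
    print(`${f.user}: ${f.broadRoles.map((r) => r.role).join(", ")}`);
    printjson(scopeDownCommands(f.user, f.roles, "appdb"));
  }
} else if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditSample(), null, 2));
}

if (typeof module !== "undefined") {
  module.exports = { BROAD_ROLES, findOverPrivileged, scopeDownCommands, auditSample, SAMPLE_USERS };
}
```

The script deliberately proposes rather than applies changes: a revoke against the wrong user name silently strips an application of access, and the grant-before-revoke order matters only if you run the commands in sequence yourself.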

Managing Users and Roles through the API

Users that are created in the API are given the roles readWriteAnyDatabase and dbAdminAnyDatabase.

If you need users to have a different role, use the admin user to change their role.

Users that are created directly from the API do not appear in Service Credentials, but you can add them.

The Foundation Endpoint that is shown on the Overview section of your service provides the base URL to access this deployment through the API. To create and manage users, use the base URL with the /users endpoint. As with the password endpoint, the Authorization header carries an IAM access token obtained from your API key, not the API key itself.

The command looks like:

curl -X POST 'https://api.{region}.databases.cloud.ibm.com/v4/ibm/deployments/{id}/users' \
  -H "Authorization: Bearer $IAM_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"username":"jane_smith", "password":"newsupersecurepassword"}'

To retrieve a user's connection strings, use the base URL with the /users/{userid}/connections endpoint.

MongoDB-created users and roles

If the built-in users and roles do not suit your environment, create users and roles directly in MongoDB. The admin user for your deployment has the power to create any role or set of privileges for use on your deployment.

Users and roles that are created directly in MongoDB do not appear in Service Credentials and are not integrated with your IBM Cloud account or IAM.

The ibm User

If you use the mongo shell to list the users on your deployment, you might notice a user that is named ibm. The ibm user is the internal root account that manages replication, cluster operations, and other functions that ensure the stability of your deployment. Do not change or delete the ibm user; doing so disrupts the stability of your deployment.

The ops_manager users for MongoDB Enterprise Edition

The Ops Manager is only available in Databases for MongoDB Enterprise Edition deployments. The ops_manager user type has limited permissions. For more information, see the Ops Manager documentation.