Creating single user with readWrite permissions on multiple databases

[jpbla...@gmail.com]

I have an application that needs to be able to access multiple databases, with readWrite permissions.  In keeping with the principle of least access, it should not have further access beyond that.  It appears that this should be possible by adding roles like so, with one for each database, changing the value of the db field:

{
    "role": "readWrite",
    "db": "some_db"
}

What I'm stuck on is where that user should get created.  It seems like it should be created in the admin database, and then when my app connects it uses authSource=admin.  But I want to be sure that creating the user in the admin database doesn't grant actual admin access, to the admin database or otherwise.  From what I can tell, creating a user "in" a database, like this...

use admin
db.createUser({ user: "my_user", pwd: "my_pwd", roles: [{"role": "readWrite", "db": "my_db"}] });

...does not imply any permissions for the database where the user is created (in this case, admin), but I haven't seen anywhere in the documentation that says so explicitly and unambiguously.

[jpbla...@gmail.com]

I spoke with a representative from Mongo and confirmed that my assumptions are correct.

[Wan Bachtiar]

does not imply any permissions for the database where the user is created (in this case, admin)

Hi,

This is referred to as the authentication database, the user’s name and authentication database serve as a unique identifier for that user.

This is not to be confused with granting permissions to users. See also Authorisation / Role-Based Access Control

Regards,
Wan.

​