In 2.5.2, it looks like someone with a userAdmin role can no longer directly manipulate documents in the system.users collection as I'm told we added helper functions for user management. However, the error given to a user manipulating the collection directly should be clearer.

I authenticated myself with role userAdmin and I do:

> db.system.users.insert({user: "test", pwd: "test"})
not authorized for insert on admin.system.users

It should say something like: "Cannot manipulate the system.users collection directly - use helper method"