[DOCS-9921] Suggest rewriting description of userAdmin built-in role, for clarity
Created: 19/Feb/17
Updated: 30/Oct/23
Resolved: 16/Oct/17

Status: Closed
Project: Documentation
Component/s: manual
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Improvement
Priority: Minor - P4
Reporter: Spencer Brown
Assignee: Stennie Steneker (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Participants:
Days since reply: 6 years, 17 weeks, 2 days ago

 Description   

The paragraph in this section currently reads:

"Provides the ability to create and modify roles and users on the current database. This role also indirectly provides superuser access to either the database or, if scoped to the admin database, the cluster. The userAdmin role allows users to grant any user any privilege, including themselves."

The second and third sentences are essentially a security warning. The warning is, if you grant a user the userAdmin role, they can increase their privileges.

But these sentences can be misinterpreted as a statement that granting the userAdmin role is a kind of superuser access. It's easy to miss the implication of the word "indirectly".

Thus, we propose replacing that paragraph with the following:

"Provides the ability to create and modify roles and users on the current database.

It is important to understand the security implications of granting the userAdmin role to a user on a database. That user can modify themselves, granting themselves any other role or privilege on that database. That user can also create new users with any role or privilege on that database.

Granting the userAdmin role to a user on the admin database has further security implications. That user can modify themselves, granting themselves the userAdminAnyDatabase role, and then create or modify any user with any role or privilege on any database."
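
The scoping rules in the proposed wording can be turned into an audit check. The following is an added example, not part of the ticket or of the MongoDB docs: it classifies each user's escalation reach from their direct role grants. The names `reachOfGrant`, `auditUserAdmin` and `SAMPLE_USERS` are hypothetical, and the sample data is constructed to mimic the `users` array returned by the `usersInfo` command.

```javascript
// Added example: how far does each user's userAdmin grant reach?
// SAMPLE_USERS is constructed data shaped like the `users` array of a usersInfo reply.
const SAMPLE_USERS = [
  { user: "alice", db: "admin", roles: [{ role: "userAdmin", db: "admin" }] },
  { user: "bob", db: "sales", roles: [{ role: "userAdmin", db: "sales" },
                                      { role: "read", db: "hr" }] },
  { user: "carol", db: "admin", roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { user: "dave", db: "sales", roles: [{ role: "readWrite", db: "sales" }] },
];

// Reach implied by a single role grant, following the ticket's wording:
// userAdmin on a normal database -> any privilege on that database;
// userAdmin on admin, or userAdminAnyDatabase -> any privilege on any database.
function reachOfGrant(grant) {
  if (grant.role === "userAdminAnyDatabase") return { scope: "cluster", db: null };
  if (grant.role === "userAdmin") {
    return grant.db === "admin"
      ? { scope: "cluster", db: null }
      : { scope: "database", db: grant.db };
  }
  return null; // grant does not allow self-escalation by itself
}

// Returns one finding per user holding at least one escalation-capable grant.
// Limitation: only direct grants are inspected; roles inherited through
// custom roles are not resolved here.
function auditUserAdmin(users) {
  const findings = [];
  for (const u of users) {
    const dbs = new Set();
    const via = [];
    let cluster = false;
    for (const grant of u.roles || []) {
      const reach = reachOfGrant(grant);
      if (!reach) continue;
      via.push(`${grant.role}@${grant.db}`);
      if (reach.scope === "cluster") cluster = true;
      else dbs.add(reach.db);
    }
    if (via.length === 0) continue;
    findings.push({ user: `${u.db}.${u.user}`, scope: cluster ? "cluster" : "database",
                    databases: cluster ? [] : [...dbs].sort(), via });
  }
  return findings;
}

console.log(JSON.stringify(auditUserAdmin(SAMPLE_USERS), null, 2));
```

Users reported with scope `cluster` should be reviewed as if they held full administrative access, since nothing stops them from granting it to themselves.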



 Comments   
Comment by Githook User [ 16/Oct/17 ]

Author:

{'email': 'stennie@cpan.org', 'name': 'Stephen Steneker', 'username': 'stennie'}

Message: DOCS-9921: Rewrite description of userAdmin built-in role for clarity
Branch: v3.4
https://github.com/mongodb/docs/commit/32e199dcd3453611b4d2d16cb1abba355ace9b61

Comment by Githook User [ 16/Oct/17 ]

Author:

{'email': 'stennie@cpan.org', 'name': 'Stephen Steneker', 'username': 'stennie'}

Message: DOCS-9921: Rewrite description of userAdmin built-in role for clarity
Branch: master
https://github.com/mongodb/docs/commit/a9ef75a540c60edc9f274f272e18f50ad1465de4

Generated at Thu Feb 08 07:59:26 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.