Error Code: 35
MongoDB Error 35: User Update Access Denied
Description
MongoDB Error 35, 'User Modification Failed', indicates that an attempt to alter a user's properties, such as roles, password, or authentication details, could not be completed. This error typically occurs when there are issues with permissions, the target user's existence, or the modification parameters themselves.
Error Message
User Modification Failed
Known Causes
Insufficient User Permissions
The user account attempting to modify another user lacks the necessary administrative roles (e.g., `userAdmin` or `userAdminAnyDatabase`) to perform the operation.
Target User Does Not Exist
The user account specified for modification could not be found in the authentication database or the specified database context.
Invalid Modification Parameters
The command or method used to modify the user contained incorrect syntax, malformed data, or invalid parameters for the user's properties.
Solutions
1. Verify User Permissions for User Management (easy)
Ensure the user attempting to modify another user has the necessary roles for user administration.
   1. Connect to your MongoDB instance using a user that has administrative privileges (e.g., a user with the `userAdminAnyDatabase` or `root` role).
      mongosh --username <admin_user> --password --authenticationDatabase admin
   2. Switch to the `admin` database.
      use admin
   3. Find the user attempting to perform the modification and check their roles. Replace `<user_to_check>` with the actual username.
      db.getUser('<user_to_check>')
   4. If the user lacks the required roles (e.g., `userAdminAnyDatabase`, `userAdmin` on a specific database, or `clusterAdmin`), grant them. For example, to grant `userAdminAnyDatabase` to a user named `modifier_user`:
      db.grantRolesToUser('modifier_user', [{ role: 'userAdminAnyDatabase', db: 'admin' }])
   5. Retry the user modification operation with the corrected user. You may need to log out and log back in as `modifier_user` for the changes to take effect.
      mongosh --username modifier_user --password --authenticationDatabase admin
2. Check Database Context for User Operations (easy)
Confirm that user management operations are being executed in the correct database context.
   1. When modifying users, ensure you are connected to the database where the user is defined or to the `admin` database if the user has global privileges or is an administrative user.
      use <database_name>
   2. Attempt to create or modify a user. For example, to create a user named `new_user` in the `my_app_db` database:
      // passwordPrompt() asks for the password interactively instead of embedding it in the command
      db.createUser({ user: 'new_user', pwd: passwordPrompt(), roles: [{ role: 'readWrite', db: 'my_app_db' }] })
   3. If you were trying to modify a user that exists in a different database, switch to that database first before executing the modification command.
      use <database_where_user_exists>
3. Ensure Correct Syntax for User Modification Commands (medium)
Validate the syntax of the commands used to create, update, or delete users.
   1. When using the `db.updateUser()` command, ensure you are providing the correct arguments. The basic syntax is `db.updateUser(username, update, writeConcern)`. The `update` document specifies the changes; the password field is named `pwd`.
      // passwordPrompt() asks for the new password interactively
      db.updateUser('existing_user', { pwd: passwordPrompt(), roles: [{ role: 'read', db: 'my_db' }] })
   2. If you are trying to add or remove roles through `db.updateUser()`, use the `roles` field within the update document. This field replaces the user's entire role list rather than appending to it, so include every role the user should keep. For example, to set the user's roles to a single `readWrite` role:
      db.updateUser('user_to_modify', { roles: [ { role: 'readWrite', db: 'another_db' } ] })
   3. To remove a role with `db.updateUser()`, you typically need to fetch the current roles, modify the array, and then update. However, a simpler approach is often to create a new user with the desired roles or use `db.grantRolesToUser` and `db.revokeRolesFromUser`.
      db.revokeRolesFromUser('user_to_modify', [{ role: 'read', db: 'old_db' }])
   4. Consult the MongoDB documentation for the specific version you are using to ensure the syntax for `createUser`, `updateUser`, `dropUser`, `grantRolesToUser`, and `revokeRolesFromUser` is correct.
      https://www.mongodb.com/docs/manual/reference/method/db.updateUser/
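The three known causes can be told apart before retrying the command. The following is an added example in plain JavaScript, not code from MongoDB or from the original page: `diagnoseUpdate`, `canManageUsers` and the sample data are hypothetical names, and the permission check is a simplified model that only recognises built-in roles.

```javascript
// Added example. Simplified model: built-in roles only, custom roles not resolved.
const ADMIN_ON_DB = new Set(['userAdmin', 'dbOwner']);            // scoped to one database
const ADMIN_GLOBAL = new Set(['userAdminAnyDatabase', 'root']);   // granted on 'admin'
// Fields db.updateUser() accepts in its update document.
const UPDATE_FIELDS = new Set(['customData', 'roles', 'pwd',
  'authenticationRestrictions', 'mechanisms', 'passwordDigestor']);

// Cause 1: does the caller hold a user-administration role covering targetDb?
function canManageUsers(callerRoles, targetDb) {
  return callerRoles.some(r =>
    (ADMIN_GLOBAL.has(r.role) && r.db === 'admin') ||
    (ADMIN_ON_DB.has(r.role) && r.db === targetDb));
}

// Returns a list of findings; an empty list means none of the three causes applies.
function diagnoseUpdate(callerRoles, knownUsers, targetDb, username, update) {
  const findings = [];
  if (!canManageUsers(callerRoles, targetDb)) findings.push('insufficient-permissions');

  // Cause 2: users are identified by name AND defining database.
  const sameName = knownUsers.filter(u => u.user === username);
  if (!sameName.some(u => u.db === targetDb)) {
    findings.push(sameName.length
      ? 'wrong-database:' + sameName.map(u => u.db).join(',')
      : 'user-not-found');
  }

  // Cause 3: unknown fields (e.g. `password` instead of `pwd`) or malformed roles.
  for (const key of Object.keys(update)) {
    if (!UPDATE_FIELDS.has(key)) findings.push('invalid-field:' + key);
  }
  if ('roles' in update && !Array.isArray(update.roles)) findings.push('roles-not-array');
  return findings;
}

// Constructed sample data, shaped like connectionStatus roles and db.getUser() output.
const sampleCaller = [{ role: 'readWrite', db: 'my_app_db' }];
const sampleUsers = [{ user: 'existing_user', db: 'my_db', roles: [{ role: 'read', db: 'my_db' }] }];

console.log(diagnoseUpdate(sampleCaller, sampleUsers, 'my_app_db', 'existing_user',
  { password: 'constructed-value', roles: [{ role: 'read', db: 'my_db' }] }));
```

In a live session the caller's roles can be read from `db.runCommand({ connectionStatus: 1 }).authInfo.authenticatedUserRoles` and the target user from `db.getUser()` in each candidate database.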