ISSUE SUMMARY
The built-in role userAdminAnyDatabase does not have permissions to create and drop indexes on the collections admin.system.users and admin.system.roles.
USER IMPACT
Database administrators may wish to create indexes on the users or roles collection if they contain many users or roles, in order to make queries on the collections more efficient. Similarly, once these indexes have been created, the administrators should be able to drop said indexes. Currently they are unable to do so.
WORKAROUNDS
Create a new user-defined role that grants the necessary permissions and add that role to the desired admin user. In this case, the role creation would look like:
db.runCommand( {
  createRole: "workaroundRole",
  roles: ["userAdminAnyDatabase"],
  privileges: [
    { resource: { db: "admin", collection: "system.users" }, actions: ["createIndex", "dropIndex"] },
    { resource: { db: "admin", collection: "system.roles" }, actions: ["createIndex", "dropIndex"] }
  ]
} );
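To confirm that the workaround took effect, or that a role on a fixed version already carries these privileges, the role document can be audited. The following is an added example, not part of the original issue: it assumes its input is one entry of the roles array returned by rolesInfo with showPrivileges: true, and both sample documents are constructed for illustration.

```javascript
// Added example: audit a role document for the index privileges this issue concerns.
const REQUIRED_ACTIONS = ["createIndex", "dropIndex"];
const TARGETS = ["system.users", "system.roles"]; // both live in the admin database

// True when a privilege's resource document covers admin.<collection>.
// Simplified matching (an assumption of this example): exact namespace, the
// same collection name in any database (db: ""), or anyResource. A database-wide
// pattern (collection: "") is not counted: it applies to non-system collections only.
function covers(resource, collection) {
  if (resource.anyResource === true) return true;
  return resource.collection === collection &&
         (resource.db === "admin" || resource.db === "");
}

// Returns the "namespace:action" pairs the role does NOT hold, looking at
// both its direct and its inherited privileges.
function missingIndexPrivileges(roleDoc) {
  const privs = [...(roleDoc.privileges || []), ...(roleDoc.inheritedPrivileges || [])];
  const missing = [];
  for (const coll of TARGETS) {
    for (const action of REQUIRED_ACTIONS) {
      const held = privs.some(p => covers(p.resource, coll) && p.actions.includes(action));
      if (!held) missing.push(`admin.${coll}:${action}`);
    }
  }
  return missing;
}

// Constructed samples (trimmed; not the real privilege list of any built-in role).
const builtinSample = {
  role: "userAdminAnyDatabase", db: "admin",
  privileges: [
    { resource: { db: "admin", collection: "system.users" }, actions: ["find"] },
    { resource: { db: "", collection: "" }, actions: ["createUser", "createIndex"] }
  ]
};
const workaroundSample = {
  role: "workaroundRole", db: "admin",
  privileges: [
    { resource: { db: "admin", collection: "system.users" }, actions: ["createIndex", "dropIndex"] },
    { resource: { db: "admin", collection: "system.roles" }, actions: ["createIndex", "dropIndex"] }
  ],
  inheritedPrivileges: []
};

console.log("built-in sample missing:", missingIndexPrivileges(builtinSample));
console.log("workaround sample missing:", missingIndexPrivileges(workaroundSample));
```

An empty result means the role can create and drop indexes on both collections; any listed pair is a privilege still missing.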
AFFECTED VERSIONS
All production release versions from 2.6.0 to 2.6.3 are affected by this issue.
FIX VERSION
The fix is included in the 2.6.4 production release.
RESOLUTION DETAILS
The privileges to dropIndex and createIndex on the admin.system.users and admin.system.roles collections were added to the userAdminAnyDatabase role.
Original description
userAdminAnyDatabase cannot create indexes on system.users or system.roles collections.