User Management


This section provides instructions on how to create, update and delete users with mongoRealAuthenticator.

It also shows how to manage permissions with mongoAclAuthorizer.

mongoRealAuthenticator uses the collection /users by default.

Before running the example requests

The following examples assume RESTHeart is running on localhost with the default configuration: the database restheart is bound to / and the user admin exists with the default password secret.

User document

With the default configuration, a user is represented as follows:

    {
      "_id": "username",
      "roles": [ "list", "of", "roles" ],
      "password": "secret"
    }

mongoRealAuthenticator can be configured to use different properties for the username, roles and password. Check mongoRealAuthenticator for more information.

Get existing users

GET /users HTTP/1.1

    {
      "_id": "admin",
      "roles": [ ... ],
      "_etag": {
        "$oid": "5d2edb155883c050065d6a8a"
      }
    }

The password is always hidden on GET requests.

For security reasons, it is not possible to use the filter query parameter on the password field; the following request is forbidden and will cause an error:

GET /users?filter={"password":{"$regex":"^a.*"}}

Create a user

POST /users HTTP/1.1

    {
      "_id": "foo",
      "roles": [ "user" ],
      "password": "secret"
    }

The password is automatically encrypted by RESTHeart.

Update a user

PATCH /users/foo HTTP/1.1

    {
      "password": "betterSecret"
    }

Delete a user

DELETE /users/foo HTTP/1.1

Create an ACL document

POST /acl HTTP/1.1

    {
      "predicate": "path-prefix[/inventory] and method[GET]",
      "roles": [ "user" ],
      "priority": 1,
      "readFilter": null,
      "writeFilter": null
    }

If the /acl collection has not been created before and you get 404 Not Found, create it first with:

PUT /acl HTTP/1.1
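
The create-user and create-ACL requests above, scripted with the 404 fallback for a missing /acl collection. This is an added example, not code from the RESTHeart project. Assumptions: the listener address http://localhost:8080, HTTP Basic authentication, and the helper names http_send and provision are not taken from this page.

```python
import base64
import json
import urllib.error
import urllib.request

BASE = "http://localhost:8080"  # assumption: RESTHeart's default listener


def http_send(method, path, body, auth):
    """Send one JSON request with HTTP Basic auth; return the status code."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(":".join(auth).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # urllib raises on 4xx/5xx; report the code instead


def provision(user, password, roles, acl, auth, send=http_send):
    """Create the user, then the ACL document, creating /acl on 404.

    Returns (steps, ok): steps lists every (method, path, status) sent,
    ok is True when both the user and the ACL document were accepted.
    """
    steps = []

    def call(method, path, body=None):
        status = send(method, path, body, auth)
        steps.append((method, path, status))
        return status

    doc = {"_id": user, "roles": roles, "password": password}
    user_status = call("POST", "/users", doc)
    acl_status = call("POST", "/acl", acl)
    if acl_status == 404:        # /acl collection has not been created yet
        call("PUT", "/acl")      # create it first, as described above
        acl_status = call("POST", "/acl", acl)
    return steps, user_status < 400 and acl_status < 400


if __name__ == "__main__":
    import getpass
    rule = {"predicate": "path-prefix[/inventory] and method[GET]",
            "roles": ["user"], "priority": 1,
            "readFilter": None, "writeFilter": None}
    admin = ("admin", getpass.getpass("admin password: "))
    print(provision("foo", getpass.getpass("password for foo: "),
                    ["user"], rule, admin))
```

The send parameter lets the sequence be exercised against a stub transport before it is pointed at a live instance.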