-rw-r--r--jstests/auth/builtin_roles_system_colls.js25
-rw-r--r--src/mongo/db/auth/role_graph_builtin_roles.cpp10
2 files changed, 33 insertions, 2 deletions
diff --git a/jstests/auth/builtin_roles_system_colls.js b/jstests/auth/builtin_roles_system_colls.js
new file mode 100644
index 00000000000..5bdafdb745e
--- /dev/null
+++ b/jstests/auth/builtin_roles_system_colls.js
@@ -0,0 +1,25 @@
+// These tests cover any additional built-in role privileges
+// that do not easily fit into the commands_lib.js framework.
+// Specifically, they test the running of commands on the system
+// collections such as system.users, etc.
+
+// SERVER-13833: userAdminAnyDatabase role should be able to
+// create and drop indexes on the admin.system.users and
+// admin.system.roles collections, in order to make querying
+// the users collection easier if you have a lot of users, etc.
+function testUserAdminAnyDatabaseSystemCollIndexing(conn) {
+ var adminDB = conn.getDB("admin");
+ adminDB.createUser({ user: "king", pwd: "pwd", roles: ["userAdminAnyDatabase"] });
+ adminDB.auth("king", "pwd");
+
+ assert.commandWorked(adminDB.system.users.createIndex({ db: 1 }));
+ assert.commandWorked(adminDB.system.roles.createIndex({ db: 1 }));
+ assert.commandWorked(adminDB.system.users.dropIndex({ db: 1 }));
+ assert.commandWorked(adminDB.system.roles.dropIndex({ db: 1 }));
+};
+
+// ************************************************************
+
+var conn = MongoRunner.runMongod({ auth: "" });
+testUserAdminAnyDatabaseSystemCollIndexing(conn);
+MongoRunner.stopMongod(conn);
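Review bot: The return value of `adminDB.auth("king", "pwd")` is never checked, so if authentication fails the four assertions below run as the unauthenticated connection and the test reports a confusing authorization failure rather than the real cause; write `assert(adminDB.auth("king", "pwd"));`. The test also exercises only the positive path: a privilege test for a built-in role is more useful with a negative case, for example a second user holding a role that is not expected to gain these actions, asserting with `assert.commandFailed(...)` that it cannot create an index on `admin.system.users`, since that is what would catch an over-broad grant. Minor style: the `};` after the function body is a stray semicolon on a function declaration.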
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index f04cb71430a..a057c3d2881 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -355,6 +355,12 @@ namespace {
Privilege::addPrivilegeToPrivilegeVector(
privileges,
Privilege(ResourcePattern::forClusterResource(), ActionType::invalidateUserCache));
+
+
+ ActionSet readRoleAndIndexActions;
+ readRoleAndIndexActions += readRoleActions;
+ readRoleAndIndexActions << ActionType::createIndex << ActionType::dropIndex;
+
Privilege::addPrivilegeToPrivilegeVector(
privileges,
Privilege(ResourcePattern::forCollectionName("system.users"),
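Review bot: The new `readRoleAndIndexActions` set is built without a comment explaining why this role gains `createIndex`/`dropIndex` and on which resources, which matters because the grant appears to apply to the exact `usersCollectionNamespace`/`rolesCollectionNamespace` privileges in the next hunk while the `forCollectionName("system.users")` pattern here presumably keeps the narrower `readRoleActions`; suggest `// SERVER-13833: allow index management on admin.system.users/roles only (not the per-db system.users pattern) so large user sets can be queried efficiently.` above the `ActionSet` declaration. Granting `dropIndex` here also lets the role remove any index the server itself maintains on these collections, if such an index exists; that consequence is worth stating in the comment or covering in the test. The two consecutive blank lines after the `invalidateUserCache` privilege are a style nit. The enclosing function starts and ends outside this hunk.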
@@ -363,12 +369,12 @@ namespace {
privileges,
Privilege(ResourcePattern::forExactNamespace(
AuthorizationManager::usersCollectionNamespace),
- readRoleActions));
+ readRoleAndIndexActions));
Privilege::addPrivilegeToPrivilegeVector(
privileges,
Privilege(ResourcePattern::forExactNamespace(
AuthorizationManager::rolesCollectionNamespace),
- readRoleActions));
+ readRoleAndIndexActions));
Privilege::addPrivilegeToPrivilegeVector(
privileges,
Privilege(ResourcePattern::forExactNamespace(