Requires = createUser action  Built in role 'userAdmin' can do those actions
            setAuthenticationRestriction action if add those also
UserName is on the command-map,and :pwd for password

Removes all users from the argument db(users that belong to the database)
Requires = dropUser action

Removes a user from the db(only if user belong to the database)
Requires = dropUser action

Roles= [{ :role 'rolename', :db 'databasename' } 'role' ... ]
if not :db ,the db is the one that the command runned from
Requires = grantRole action

Roles = [{ :role 'rolename', :db 'databasename' } 'rolename' ...]
if not :db ,the db is the one that the command runned from
The user that have this roles will lose them
Requires =  revokeRole action

Requires = revokeRole/grantRole/ action
            changeAnyPassword action if update on password(or changeOwnPassword if i update my own)
            changeAnyCustomData action if update custom data(or changeOwnCustomData)
            setAuthenticationRestriction action if change those also
A top level field that is present in the update command => completly replace the old one,
its like invoke first and grant after
For not fully replace use  grant/revoke commands
UserName is on the command-map,and :pwd for password

Command
 {
  usersInfo: <see below>
  showCredentials: <Boolean>
  showPrivileges: <Boolean>
  showAuthenticationRestrictions: <Boolean>
  filter: <document> (aggregation operators here only)
  }

usersInfo
  { usersInfo: 1 } => for all users in the db
  { forAllDBs: true } => for all users in all databases

  { usersInfo: username } => for specific user on db run the command
  { usersInfo: [username1 ....] } => for specific users

  { usersInfo: { user: <name>, db: <db> } }
    => specific user but from another db not the one runs the command
  { usersInfo: [{ user: <name>, db: <db> } ...] }
    => for specific users from those databases

Requires = viewUser action to see another users info
          (but each user is allowed to see their personal info)