Configure Custom MongoDB Roles

You can create custom MongoDB roles in Atlas when the built-in Atlas database user privileges cannot describe your desired set of privileges.

Free and Shared Cluster Limitation

Changes to custom roles may take up to 30 seconds to deploy in M0 free tier and M2/M5 shared clusters.

Add Custom MongoDB Roles

The following procedure shows how to create a custom role through the Atlas UI. To create custom roles through the Atlas API, see Create a Custom MongoDB Role.

1. Open the Add Custom Role dialog.

  1. In the Security section of the left navigation, click Database Access. The MongoDB Roles tab displays.
  2. Click Add New Custom Role (plus icon).

2. Enter role information.

Field Description
Custom Role Name

Name of your custom role.

Important

The specified role name can only contain letters, digits, underscores, and dashes. Additionally, you cannot specify a role name which meets any of the following criteria:

  • Is a name already used by an existing custom role in the project
  • Is a name of any of the built-in roles
  • Is atlasAdmin
  • Starts with xgen-

Action or Role

Privileges granted by the role. Click the dropdown to view the list of available privilege actions and roles.

Atlas groups the actions and roles into the following categories:

  • Collection Actions,
  • Database Actions and Roles,
  • Global Actions and Roles,
  • Custom Roles (if any)

Select the action(s)/role(s) from a single category. Once you select an action/role, Atlas disables the other categories, with one exception: if you select an action/role from Global Actions and Roles, you can still select actions/roles from Custom Roles.

To grant actions and roles from a different category, click Add an action or role to add a new row.

Atlas disables actions not available to any cluster version in your project. Custom roles are defined at the project level, and must be compatible with each MongoDB version used by your project’s clusters.

Example

If you have a cluster in your project with MongoDB 3.4, you cannot create a custom role that uses actions introduced in MongoDB 3.6. Atlas explicitly marks actions only available in MongoDB 3.6 and greater in the Custom Role dialog.

Database

Database on which the selected actions and roles are granted, if applicable.

This field is required for all roles and actions under the Collection Actions and Database Actions and Roles categories.

Collection

Collection within the specified database on which the actions and roles are granted, if applicable.

This field is required for all roles and actions under Collection Actions.

To grant the same set of privileges on multiple databases and collections, click Add a database or collection.

3. Click Add Custom Role.
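The field rules in step 2 can be checked before a role definition is submitted, for example when role definitions are reviewed in version control. The following is an added example, not Atlas code: `check_role`, the row layout (`grants`, `db`, `collection`), the built-in role list and the action-to-category map are assumptions made for illustration, and both lists are small samples rather than Atlas's full sets.

```python
import re

# Assumed sample data (not Atlas's full lists): a few built-in role names and
# a partial action-to-category map mirroring the dialog's categories.
BUILT_IN_ROLES = {"read", "readWrite", "dbAdmin", "readAnyDatabase",
                  "readWriteAnyDatabase", "clusterMonitor", "backup"}
CATEGORY = {
    "find": "collection", "insert": "collection", "update": "collection",
    "remove": "collection",
    "dbStats": "database", "listCollections": "database",
    "dropDatabase": "database",
    "listDatabases": "global", "serverStatus": "global",
}
# Assumption: "letters" means ASCII letters.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def check_role(name, rows, existing_custom=()):
    """Return a list of problems; an empty list means the role passes."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name: only letters, digits, underscores, dashes")
    if name in existing_custom:
        problems.append("name: already used by a custom role in the project")
    if name in BUILT_IN_ROLES or name == "atlasAdmin":
        problems.append("name: collides with a built-in role or atlasAdmin")
    if name.startswith("xgen-"):
        problems.append("name: must not start with xgen-")
    for i, row in enumerate(rows, 1):
        cats = set()
        for item in row["grants"]:
            if item in existing_custom:
                cats.add("custom")
            elif item in CATEGORY:
                cats.add(CATEGORY[item])
            else:
                problems.append(f"row {i}: {item!r} is not in the sample map")
        # One category per row; only Global may be combined with Custom Roles.
        if len(cats) > 1 and cats != {"global", "custom"}:
            problems.append(f"row {i}: mixes categories {sorted(cats)}")
        # Database is required for Collection and Database categories.
        if cats & {"collection", "database"} and not row.get("db"):
            problems.append(f"row {i}: Database is required")
        # Collection is required for Collection Actions.
        if "collection" in cats and not row.get("collection"):
            problems.append(f"row {i}: Collection is required")
    return problems
```

Each row corresponds to one "Action or Role" row in the dialog; a role that returns an empty list satisfies the naming and required-field rules described above, but Atlas remains the authority on version compatibility.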

Modify Custom MongoDB Roles

The following procedure shows how to modify custom roles through the Atlas UI. To modify custom roles through the Atlas API, see Update a Custom MongoDB Role.

  1. In the Security section of the left navigation, click Database Access. The MongoDB Roles tab displays.
  2. Click Edit (pencil icon) next to the role you want to modify. You can modify the following components of the role:
    • The action(s)/role(s) the custom role inherits.
    • The database(s)/collection(s) on which those privileges apply.
  3. Click Update Custom Role to save the changes.

Delete Custom MongoDB Roles

The following procedure shows how to delete custom roles through the Atlas UI. To delete custom roles through the Atlas API, see Delete a Custom MongoDB Role.

  1. In the Security section of the left navigation, click Database Access. The MongoDB Roles tab displays.
  2. Click Delete (trash icon) next to the role you want to delete.
  3. Click Delete in the dialog to confirm deletion.

You cannot delete a custom MongoDB role in the following scenarios:

  • When deleting the role would leave one or more child roles with no parent roles or actions.
  • When deleting the role would leave one or more MongoDB users with no roles.

Considerations

  • If a MongoDB user is assigned a custom role, they cannot be assigned any other roles.
  • Atlas rolls back any role modifications not made through the UI or API. You must use the Atlas UI or API to add, modify, or delete custom roles on Atlas clusters.
  • Atlas audits the creation, deletion, and updates of custom MongoDB roles in the project’s Activity Feed.