Configure Custom MongoDB Roles

You can create custom MongoDB roles in Atlas when the built-in Atlas database user privileges cannot describe your desired set of privileges. Use this functionality to create custom roles with a specific set of privileges that match the exact needs of your environment.

Note

If a MongoDB user is assigned a custom role, they cannot be assigned any other roles.

Atlas audits the creation, deletion, and updates of custom MongoDB roles in the project’s Activity Feed. To view the project’s Activity Feed, click Alerts in the left navigation pane and select the All Activity tab. For more information on the project Activity Feed, see View All Activity.

Important

Atlas rolls back any role modifications not made through the UI or API. You must use the Atlas UI or API to add, modify, or delete custom roles on Atlas clusters.

Add Custom MongoDB Roles

1

Open the Add Custom Role dialog.

  1. Navigate to the Clusters view.
  2. Click the Security tab.
  3. Click MongoDB Roles.
  4. Click Add New Custom Role.

2

Enter role information.

Field Description
Custom Role Name

The name of your custom role.

Important

The specified role name can only contain letters, digits, underscores, and dashes. Additionally, you cannot specify a role name which meets any of the following criteria:

  • Is a name already used by an existing custom role in the project
  • Is a name of any of the built-in roles
  • Is atlasAdmin
  • Starts with xgen-

Action or Role

Click the dropdown to view the list of available privilege actions and roles your custom role can inherit. You can also inherit previously created custom roles.

Note

The available privilege actions for custom MongoDB roles support a subset of MongoDB commands. See Unsupported Commands in M10+ Clusters for more information.

The Custom Roles list contains custom MongoDB roles you have previously created in Atlas. Use these roles to create a custom role which is a superset of other previously created custom roles.

All actions and roles selected as part of a single Action or Role item in the dialog must be part of the same top-level menu group in the Select Actions dropdown (e.g. Collection Actions or Global Actions and Roles). To grant actions and roles from a different top-level group, you must add a new action by clicking Add an action or role.

Note

There is an exception to this behavior in which you can specify both Global Actions and Roles and Custom Roles as part of a single Action or Role item.

Database

The database on which the selected actions and roles are granted, if applicable.

This field is required for all roles and actions under the Collection Actions and Database Actions and Roles menu groups.

Collection

The collection within the specified database on which the actions and roles are granted, if applicable.

You can specify a collection for the read and readWrite roles. If you do not specify a collection, the privileges are granted on all non-system collections within the specified database.

To grant the same set of privileges on multiple databases and collections, click Add a database or collection.

To grant additional sets of privileges on different databases and collections as part of a single custom role, click Add an action or role.

Example

You can create a custom role that inherits the dbAdmin role on the QA database, and the read role on the production database.

3

Click Add Custom Role.

To add custom MongoDB roles through the Atlas API, see Create a Custom MongoDB Role.
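A pre-flight check for the naming rules and the example role described above, written as an added example that is not part of the Atlas documentation or Atlas's own code. The helper names, the ASCII-only reading of "letters", the built-in role subset, and the `roleName` / `inheritedRoles` field names are assumptions; confirm the request body against Create a Custom MongoDB Role before sending it.

```python
import re

# Assumed subset of MongoDB built-in role names; extend it to match your deployment.
BUILT_IN_ROLES = {"read", "readWrite", "dbAdmin", "dbOwner", "userAdmin",
                  "clusterAdmin", "clusterManager", "clusterMonitor", "hostManager",
                  "backup", "restore", "readAnyDatabase", "readWriteAnyDatabase",
                  "userAdminAnyDatabase", "dbAdminAnyDatabase", "root"}
# Assumption: "letters" is read as ASCII letters.
NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def role_name_problems(name, existing_custom_roles=()):
    """Return the naming rules from this page that `name` violates ([] means OK)."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("only letters, digits, underscores, and dashes are allowed")
    if name in existing_custom_roles:
        problems.append("already used by a custom role in the project")
    if name in BUILT_IN_ROLES:
        problems.append("is a built-in role name")
    if name == "atlasAdmin":
        problems.append("is atlasAdmin")
    if name.startswith("xgen-"):
        problems.append("starts with xgen-")
    return problems


def build_custom_role(name, inherited, existing_custom_roles=()):
    """Validate the name, then build a role definition from (role, database) pairs."""
    problems = role_name_problems(name, existing_custom_roles)
    if problems:
        raise ValueError(f"invalid role name {name!r}: " + "; ".join(problems))
    for role, db in inherited:
        if not db:  # roles under Database Actions and Roles require a database
            raise ValueError(f"inherited role {role!r} needs a database")
    # Field names are assumed; check them against the API reference.
    return {"roleName": name,
            "inheritedRoles": [{"role": r, "db": d} for r, d in inherited]}


# Constructed sample: the page's example (dbAdmin on QA, read on production).
EXAMPLE_ROLE = build_custom_role("qa-admin_prod-read",
                                 [("dbAdmin", "QA"), ("read", "production")],
                                 existing_custom_roles={"reporting"})
```

Running the check before calling the API keeps rejected names out of automation pipelines and makes the scope of each inherited role explicit in review.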

Modify Custom MongoDB Roles

To modify existing custom MongoDB roles for an Atlas project:

  1. Navigate to the Clusters view.
  2. Select the Security tab.
  3. Click MongoDB Roles.
  4. Click Edit for the role you want to modify. You can modify the following components of the role:
    • The Actions or Roles the role inherits.
    • The database(s) and collection(s) on which those actions and roles apply.
  5. Click Update Custom Role to save the changes.

To modify existing custom MongoDB roles through the Atlas API, see Update a Custom MongoDB Role.

Delete Custom MongoDB Roles

To delete existing custom MongoDB roles for an Atlas project:

  1. Navigate to the Clusters view.
  2. Select the Security tab.
  3. Click MongoDB Roles.
  4. Click Delete for the role you want to delete.
  5. Click Delete in the dialog to confirm deletion.

To delete existing custom MongoDB roles through the Atlas API, see Delete a Custom MongoDB Role.

Considerations

You cannot delete a custom MongoDB role in the following scenarios:

  • When deleting the role would leave one or more child roles with no parent roles or actions.
  • When deleting the role would leave one or more MongoDB users with no roles.