Navigation

Configure Database Users

Create database users to provide clients access to the clusters in your project. A database user's access is determined by the roles assigned to the user. When you create a database user, the user is added to all clusters in your Atlas project.

Database users are separate from Atlas users. Database users have access to MongoDB databases, while Atlas users have access to the Atlas application itself. Atlas supports creating temporary database users that automatically expire within a user-configurable 7-day period.

Atlas audits the creation, deletion, and updates of database users in the project's Activity Feed. Atlas audits actions pertaining to both temporary and non-temporary database users. To view the project's Activity Feed, click Activity Feed in the Project section of the left navigation. For more information on the project Activity Feed, see View All Activity.

The available Atlas database user privileges support a subset of MongoDB commands. See Unsupported Commands in M10+ Clusters for more information.

Atlas supports a maximum of 100 database users per Atlas project.

Info With Circle IconCreated with Sketch.Note

If you require more than 100 database users on a project, please contact Atlas support.

Important With Circle IconCreated with Sketch.Important

Atlas rolls back any user modifications not made through the UI or API. You must use the Atlas UI or API to add, modify, or delete database users on Atlas clusters.

Atlas offers the following forms of authentication for database users:

SCRAM is MongoDB's default authentication method. SCRAM requires a password for each user.

The authentication database for SCRAM-authenticated users is the admin database.

A project can have users with different authentication methods.

You cannot change a user's authentication method after creating that user. To use an alternative authentication method, you must create a new user.

Select an authentication mechanism and follow the steps to create a new database user.

1
  1. In the Security section of the left navigation, click Database Access. The Database Users tab displays.
  2. Click Add New Database User.
2

In the Authentication Method section of the Add New Database User modal window, select the box labeled Password.

3

Under Password Authentication, there are two text fields.

  1. Enter a username for the new user in the top text field.
  2. Enter a password for the new user in the lower text field.

To use a password auto-generated by Atlas, click the Autogenerate Secure Password button.

4

You can assign privileges to the new user in one of the following ways:

5

By default, users can access all the clusters and Atlas Data Lakes in the project. You can restrict access to specific clusters and Atlas Data Lakes by doing the following:

  1. Toggle Restrict Access to Specific Clusters/Data Lakes to ON.
  2. Select the clusters and Atlas Data Lakes to grant the user access to from the Grant Access To list.
6

Toggle Temporary User to On and choose a time after which Atlas can delete the user from the Temporary User Duration dropdown. You can select one of the following time periods for the user to exist:

  • 6 hours
  • 1 day
  • 1 week

In the Database Users tab, temporary users display the time remaining until Atlas will delete the user. Once Atlas deletes the user, any client or application that uses the temporary user's credententials loses access to the cluster.

7

You can also add database users through the Atlas API. See Create a Database User.

To modify existing users for an Atlas project:

  1. In the Security section in the left navigation, click Database Access. The Database Users tab displays.
  2. Click Edit for the user you want to modify. You can modify the privileges and authentication details assigned to the user. You cannot modify the authentication method.

    • For SCRAM authenticated users, you can edit a user's password.
    • For X.509 certificate authenticated users, you can download a new certificate.
    • For AWS IAM users, you can only modify database access privileges.

    For temporary users, you can also modify the time period the user exists or make the user a permanent user, provided the user's expiration date has not already passed.

    Info With Circle IconCreated with Sketch.Note

    You cannot change a permanent user into a temporary user. If you change a temporary user into a permanent user, you cannot make it temporary again.

  3. Click Update User to save the changes.

You can also modify existing users through the Atlas API. See Update a Database User.

To delete existing users for an Atlas project:

  1. In the Security section in the left navigation, click Database Access. The Database Users tab displays.
  2. Click Delete next to the user you want to delete.
  3. Click Delete again to confirm.

You can also delete existing users through the Atlas API. See Delete a Database User.

The following table describes the Database User Privileges and the MongoDB Built-in Roles or privilege actions they represent.

Info With Circle IconCreated with Sketch.Note
Protected MongoDB Database Namespaces

The following databases are read-only for all users, including those with the readWriteAnyDatabase role.

  • admin
  • local
  • config
Database User Privilege
MongoDB Role
Inherited Roles or Privilege Actions
Atlas admin
atlasAdmin
Read and write to any database
readWriteAnyDatabase
Only read any database
readAnyDatabase

See Unsupported Commands in M10+ Clusters for more information on common commands not supported by the current Atlas user privileges.

Give Feedback