Configure MongoDB Users

Create MongoDB users to provide clients access to the clusters in your project. A MongoDB user’s access is determined by the roles assigned to the user. When you create a MongoDB user, the user is added to all clusters in your Atlas project.

MongoDB users are separate from Atlas users. MongoDB users have access to MongoDB databases, while Atlas users have access to the Atlas application itself. Atlas supports creating temporary MongoDB users that automatically expire within a user-configurable 7-day period.

Atlas audits the creation, deletion, and updates of MongoDB users in the project’s Activity Feed. Atlas audits actions pertaining to both temporary and non-temporary database users. To view the project’s Activity Feed, click Alerts in the left navigation pane and select the All Activity tab. For more information on the project Activity Feed, see View All Activity.

The available Atlas database user privileges support a subset of MongoDB commands. See Unsupported Commands in M10+ Clusters for more information.

Atlas supports a maximum of 100 MongoDB users per Atlas project.

Note

If you require more than 100 MongoDB users on a project, please contact Atlas support.

Important

Atlas rolls back any user modifications not made through the UI or API. You must use the Atlas UI or API to add, modify, or delete MongoDB users on Atlas clusters.

Add MongoDB Users

1

Open the Add New User dialog.

  1. Navigate to the Clusters view.
  2. Click the Security tab.
  3. Click MongoDB Users.
  4. Click Add New User.

2

Enter user information.

Field Description
User Name

The user’s login name. All MongoDB users for Atlas are associated with the admin database; i.e. their authentication database is admin. To access MongoDB, a user provides a username and the name of the authentication database, as well as a password. The authentication database does not determine the user’s roles. You can assign a user different roles in different database namespaces.

Example

You can create a user to have the readWrite role on the test database but only the read role on the production database. The authentication database would still be admin.

Password

The user’s password.

Atlas clusters use SCRAM to authenticate MongoDB users.

User Privileges

You can assign roles in one of the following ways:

  • Select Atlas admin, which provides the user with privileges to administer the Atlas project’s clusters.

  • Select Read and write to any database, which provides the user with privileges to read and write to any database.

  • Select Only read any database, which provides the user with privileges to read any database.

  • Select Select Custom Role, which allows you to select a custom MongoDB role previously created in Atlas. For more information on custom MongoDB roles, see Configure Custom MongoDB Roles.

  • Click Add Default Privileges. When you click this option, you can select individual roles and specify the database on which the roles apply. Optionally, for the read and readWrite roles, you can also specify a collection. If you do not specify a collection for read and readWrite, the role applies to all non-system collections in the database.

    Note

    When applied to a collection, the read and readWrite roles in Atlas differ slightly from the built-in MongoDB read and readWrite roles.

    In Atlas, read provides the following collection-level actions:

    In Atlas, readWrite provides the same actions as read, as well as the following additional collection-level actions:

    Tip

    You can create custom MongoDB roles in Atlas in cases where the built-in Atlas roles cannot describe the desired set of privileges. For more information on custom roles, see Configure Custom MongoDB Roles.

For information on the built-in Atlas privileges, see MongoDB Database User Privileges.

For more information on authorization, see Role-Based Access Control and Built-in Roles in the MongoDB manual.

Save as temporary user

Check this option to specify a time after which Atlas will delete the user. You can select one of the following time periods for the user to exist:

  • 6 hours
  • 1 day
  • 1 week

In the MongoDB Users view, temporary users display the time remaining until Atlas will delete the user. Once Atlas deletes the user, any client or application attempting to authenticate with the user will lose access to the database.

3

Click Add User.

You can also add MongoDB users through the Atlas API. See Create a Database User.
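
The rules from the steps above (authentication database admin, roles assigned per database, optional collection scope for read and readWrite, temporary users expiring within 7 days) expressed as a request-body builder for the Atlas API. This is an added example, not code from the Atlas documentation. The JSON field names (databaseName, roleName, collectionName, deleteAfterDate) are assumed from the Atlas API database user resource and should be checked against Create a Database User; the allow_broad guard is this example's own least-privilege policy, not an Atlas rule.

```python
from datetime import datetime, timedelta, timezone

MAX_TEMP_LIFETIME = timedelta(days=7)      # page: temporary users expire within 7 days
COLLECTION_SCOPED = {"read", "readWrite"}  # page: only these accept a collection
BROAD_ROLES = {"atlasAdmin", "readWriteAnyDatabase", "readAnyDatabase"}


def build_user_payload(username, password, roles, expires_in=None,
                       allow_broad=False, now=None):
    """Build the request body for a new MongoDB user, or raise ValueError.

    roles       -- list of (role_name, database, collection_or_None) tuples
    expires_in  -- timedelta for a temporary user, None for a permanent one
    allow_broad -- example policy: project-wide roles need an explicit opt-in
    """
    if not roles:
        raise ValueError("at least one role is required")
    body_roles = []
    for role_name, database, collection in roles:
        if role_name in BROAD_ROLES:
            if not allow_broad:
                raise ValueError(f"{role_name} is project-wide; pass allow_broad=True")
            if database != "admin":
                raise ValueError(f"{role_name} is defined on the admin database")
        if collection is not None and role_name not in COLLECTION_SCOPED:
            raise ValueError(f"{role_name} cannot be limited to a collection")
        entry = {"roleName": role_name, "databaseName": database}
        if collection is not None:
            entry["collectionName"] = collection
        body_roles.append(entry)

    payload = {
        "databaseName": "admin",  # authentication database, independent of roles
        "username": username,
        "password": password,
        "roles": body_roles,
    }
    if expires_in is not None:
        if not timedelta(0) < expires_in <= MAX_TEMP_LIFETIME:
            raise ValueError("temporary users must expire within 7 days")
        now = now or datetime.now(timezone.utc)
        payload["deleteAfterDate"] = (now + expires_in).strftime("%Y-%m-%dT%H:%M:%SZ")
    return payload
```

Send the returned dictionary as the JSON body of the Create a Database User request, with the password supplied from a secret store rather than a literal.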

Modify MongoDB Users

To modify existing users for an Atlas project, from the Clusters view:

  1. Select the Security tab.

  2. Click Users.

  3. Click Edit for the user you want to modify. You can modify the roles assigned to the user and the user’s password. For temporary users, you can also modify the time period the user exists or make the user a permanent user, provided the user’s expiration date has not already passed.

    Note

    You cannot change a permanent user into a temporary user. If you change a temporary user into a permanent user, you cannot make it temporary again.

  4. Click Update User to save the changes.

You can also modify existing users through the Atlas API. See Update a Database User.

Delete MongoDB Users

To delete existing users for an Atlas project, from the Clusters view:

  1. Select the Security tab.
  2. Click Users.
  3. Click Delete for the user you want to delete.
  4. Click Delete again to confirm.

You can also delete existing users through the Atlas API. See Delete a Database User.

MongoDB Database User Privileges

The following table describes the Atlas Database User Privileges and the MongoDB Built-in Roles or privilege actions they represent.

Protected MongoDB Database Namespaces

The following databases are read-only for all users, including those with the readWriteAnyDatabase role.

  • admin
  • local
  • config
User Privilege MongoDB Roles or Privileges
Atlas admin
Read and write to any database
Only read any database

See Unsupported Commands in M10+ Clusters for more information on common commands not supported by the current Atlas user privileges.