• Security Features and Setup >
• Configure Database Users

Configure Database Users

Create database users to provide clients access to the clusters in your project. A database user’s access is determined by the roles assigned to the user. When you create a database user, the user is added to all clusters in your Atlas project.

Database users are separate from Atlas users. Database users have access to MongoDB databases, while Atlas users have access to the Atlas application itself. Atlas supports creating temporary database users that automatically expire within a user-configurable 7-day period.

Atlas audits the creation, deletion, and updates of database users in the project’s Activity Feed. Atlas audits actions pertaining to both temporary and non-temporary database users. To view the project’s Activity Feed, click Activity Feed in the Project section of the left navigation. For more information on the project Activity Feed, see View All Activity.

The available Atlas database user privileges support a subset of MongoDB commands. See Unsupported Commands in M10+ Clusters for more information.

Atlas supports a maximum of 100 database users per Atlas project.

Note

If you require more than 100 database users on a project, please contact Atlas support.

Important

Atlas rolls back any user modifications not made through the UI or API. You must use the Atlas UI or API to add, modify, or delete database users on Atlas clusters.

Add Database Users

1

Open the Add New Database User dialog.

1. In the Security section of the left navigation, click Database Access. The Database Users tab displays.
2. Click plus icon Add New Database User.

2

Select an authentication method.

A project can have users with different authentication methods.

You cannot change a user’s authentication method after creating that user. To use an alternative authentication method, you must create a new user.

Method	Description
Password Authentication	SCRAM is MongoDB’s default authentication method. SCRAM requires a password for each user. Select this authentication method by clicking PASSWORD.
X.509 Certificates	X.509 Certificates allow for passwordless authentication by using a trusted certificate. Select this authentication method by clicking CERTIFICATE. To download the certificate upon saving, you must provide a certificate expiration date and check Download certificate when user is added. X.509 certificates expire and are invalid after the certificate expiration date you set. A user will not be able to log in with an expired X.509 certificate and must be issued a new certificate. To help manage this, Atlas automatically creates a project-level alert when you create a new user with X.509 authentication enabled. This alert sends a notification 30 days before that user’s latest certificate expires, repeating every 24 hours. You can view and edit this alert from Atlas’s Alert Settings page. For more information on configuring alerts, see Configure Alert Settings. Important If a user loses their certificate, they will need a new certificate to be generated for them before they can log in again. Important You cannot revoke X.509 certificates. To revoke an X.509 certificate-authenticated user’s access to your project, you must delete that user. Feature unavailable in Free and Shared-Tier Clusters This feature is not available for M0 (Free Tier), M2, and M5 clusters. To learn more about which features are unavailable, see Atlas M0 (Free Tier), M2, and M5 Limitations. If you prefer to manage your own X.509 certificates, you can upload a PEM-encoded certificate authority through Self-Managed X.509 Certificates.

3

Enter user information.

Field	Description
User Name	The user’s login name. SCRAM-authenticated users are associated with the admin database; i.e. their authentication database is admin. X.509-authenticated users are associated with the $external database; i.e. their authentication database is $external. To access MongoDB, a user provides a username and the name of the authentication database, as well as a password or X.509 certificate. The authentication database does not determine the user’s roles. You can assign a user different roles in different database namespaces. Example You can create a user to have the readWrite role on the test database but only the read role on the production database. For a SCRAM-authenticated user, the authentication database would still be admin.
User Privileges	You can assign roles in one of the following ways: Select Atlas admin, which provides the user with readWriteAnyDatabase as well as a number of administrative privileges. Select Read and write to any database, which provides the user with privileges to read and write to any database. Select Only read any database which provides the user with privileges to read any database. Select Select Custom Role to select a custom role previously created in Atlas. You can create custom roles for database users in cases where the built-in database user roles cannot describe the desired set of privileges. For more information on custom roles, see Configure Custom Roles. Click Add Default Privileges. When you click this option, you can select individual roles and specify the database on which the roles apply. Optionally, for the read and readWrite roles, you can also specify a collection. If you do not specify a collection for read and readWrite, the role applies to all non-system collections in the database. Note When applied to a collection, the read and readWrite roles in Atlas differ slightly from the built-in MongoDB read and readWrite roles. In Atlas, read provides the following collection-level actions: collStats dbHash find listIndexes In Atlas, readWrite provides the same actions as read, as well as the following additional collection-level actions: convertToCapped createCollection createIndex dropCollection dropIndex insert remove update For information on the built-in Atlas privileges, see Database User Privileges. For more information on authorization, see Role-Based Access Control and Built-in Roles in the MongoDB manual.
Save as temporary user	Check this option to specify a time after which Atlas will delete the user. You can select one of the following time periods for the user to exist: 6 hours 1 day 1 week In the Database Users tab, temporary users display the time remaining until Atlas will delete the user. Once Atlas deletes the user, any client or application attempting to authenticate with the user loses access to the database. Note X.509 certificate-authenticated users cannot be made temporary users.

4

Click Add User.

You can also add database users through the Atlas API. See Create a Database User.

Modify Database Users

To modify existing users for an Atlas project:

1. In the Security section in the left navigation, click Database Access. The Database Users tab displays.

2. Click pencil icon Edit for the user you want to modify. You can modify the privileges and authentication details assigned to the user. You cannot modify the authentication method.

   • For SCRAM authenticated users, you can edit a user’s password.
   • For X.509 certificate authenticated users, you can download a new certificate.

   For temporary users, you can also modify the time period the user exists or make the user a permanent user, provided the user’s expiration date has not already passed.

   Note

   You cannot change a permanent user into a temporary user. If you change a temporary user into a permanent user, you cannot make it temporary again.

3. Click Update User to save the changes.

You can also modify existing users through the Atlas API. See Update a Database User.

Delete Database Users

To delete existing users for an Atlas project:

1. In the Security section in the left navigation, click Database Access. The Database Users tab displays.
2. Click trash icon Delete next to the user you want to delete.
3. Click Delete again to confirm.

You can also delete existing users through the Atlas API. See Delete a Database User.

Database User Privileges

The following table describes the Database User Privileges and the MongoDB Built-in Roles or privilege actions they represent.

Protected MongoDB Database Namespaces

The following databases are read-only for all users, including those with the readWriteAnyDatabase role.

• admin
• local
• config

Database User Privilege	MongoDB Role	Inherited Roles or Privilege Actions
Atlas admin	atlasAdmin	readWriteAnyDatabase readAnyDatabase dbAdminAnyDatabase clusterMonitor cleanupOrphaned enableSharding flushRouterConfig moveChunk splitChunk viewUser
Read and write to any database	readWriteAnyDatabase	readWriteAnyDatabase
Only read any database	readAnyDatabase	readAnyDatabase

See Unsupported Commands in M10+ Clusters for more information on common commands not supported by the current Atlas user privileges.

←   Configure Whitelist Entries Configure Custom Roles  →

© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.