Docs Menu
Docs Home
/ /
Atlas App Services

Define Data Access Permissions

In traditional applications, an application server exposes an API to client applications and handles database queries on their behalf. To prevent malicious, improper, or incorrect read and write operations, clients don't query the database directly.

Atlas App Services provides a configurable and dynamic permissions engine that enables you to run MongoDB and Device Sync queries from client applications while transparently preventing unauthorized reads and writes. Permissions are defined for entire collections in a linked MongoDB Atlas cluster and apply to individual documents in the collection dynamically based on the application user that issues a query or uses Device Sync. You can also define default roles that serve as a fallback for any collection that doesn't have its own roles.


Federated data sources do not support rules or schemas. You can only access a Federated data source from a system function.

To understand how the permissions engine works and how to configure it for your use case, see Role-based Permissions.

You define permissions with Rule Expressions, a domain-specific language built on JSON.

You can optimize the performance of the permissions engine with filters. See Filter Incoming Queries.

If you're using Device Sync (Flexible Mode), permissions work a bit differently. See Device Sync-Compatible Permissions for important considerations.

The default or "Basic Mode" rules editor in the App Services UI covers the majority of use cases for collection rules. However, there are times when you need more fine-grained control than the UI interface provides. In those times, see Configure Advanced Rules.

Finally, to help you put these concepts into practice, we have provided some Data Access Role Examples.

← Access a Value