Configure Database Users

On this page

Database User Authentication

Required Access
Add Database Users
View Database Users and Certificates
Modify Database Users
Delete Database Users
Built-in Roles
Specific Privileges

Create database users to provide clients access to the database deployments in your project. A database user's access is determined by the roles assigned to the user. When you create a database user, any of the built-in roles add the user to all database deployments in your Atlas project. You can remove the default built-in role and set specific privileges and custom roles to add the user to specific database deployments.

Database users are separate from Atlas users. Database users have access to MongoDB databases, while Atlas users have access to the Atlas application itself. Atlas supports creating temporary database users that automatically expire within a user-configurable 7-day period.

Atlas audits the creation, deletion, and updates of database users in the project's Activity Feed. Atlas audits actions pertaining to both temporary and non-temporary database users. To view the project's Activity Feed, click Activity Feed in the Project section of the left navigation. For more information on the project Activity Feed, see View All Activity.

The available Atlas built-in roles and specific privileges support a subset of MongoDB commands. See Unsupported Commands in M10+ Clusters for more information.

Atlas supports a maximum of 100 database users per Atlas project. If you require more than 100 database users on a project, contact Atlas support.

Important

You must use the Atlas CLI, Atlas Administration API, Atlas UI, or a supported integration to add, modify, or delete database users on Atlas database deployments. Otherwise, Atlas rolls back any user modifications.

Database User Authentication

Atlas offers the following forms of authentication for database users:

Required Access

To add database users, you must have Organization Owner or Project Owner access to Atlas.

Add Database Users

A project can have users with different authentication methods.

You cannot change a user's authentication method after creating that user. To use an alternative authentication method, you must create a new user.

View Database Users and Certificates

Modify Database Users

Delete Database Users

Built-in Roles

The following table describes the Atlas built-in roles and the MongoDB Roles or privilege actions they represent.

Note

Protected MongoDB Database Namespaces

The following databases are read-only for all users, including those with the atlasAdmin or clusterMonitor role.

local
config

We discourage writing to the admin database. Atlas manages multiple collections in the admin database, and these collections are read-only for all users.

atlasAdmin has the update privilege on the config.settings collection to manage the balancer.

Atlas Built-in Role	MongoDB Role	Inherited Roles or Privilege Actions
`Atlas admin`	`atlasAdmin`	`readWriteAnyDatabase` `readAnyDatabase` `dbAdminAnyDatabase` `clusterMonitor` `cleanupOrphaned` `enableSharding` `flushRouterConfig` `moveChunk` `viewUser`
`Read and write to any database`	`readWriteAnyDatabase`	`readWriteAnyDatabase`
`Only read any database`	`readAnyDatabase`	`readAnyDatabase`

To learn more about common commands that Atlas doesn't support with the current Atlas user privileges, see Unsupported Commands in M10+ Clusters

Specific Privileges

The following table describes the Atlas specific privileges, the database it applies to, and the privilege actions they represent.

Atlas Specific Privilege	Database	Privilege Actions
`backup`	`admin`	`listDatabases` `listCollections` `listIndexes` `appendOplogNote` `getParameter` `serverStatus`
`clusterMonitor`	`admin`	`checkFreeMonitoringStatus` `connPoolStats` `getCmdLineOpts` `getDefaultRWConcern` `getLog` `getParameter` `getShardMap` `hostInfo` `inprog` `listDatabases` `listSessions` `listShards` `netstat` `replSetGetConfig` `replSetGetStatus` `serverStatus` `setFreeMonitoring` `shardingState` `top`
`dbAdmin`	User configured	`bypassDocumentValidation` `changeStream` `collMod` `collStats` `compact` `convertToCapped` `createCollection` `createIndex` `dbHash` `dbStats` `dropCollection` `dropDatabase` `dropIndex` `enableProfiler` `find` `killCursors` `listCollections` `listIndexes` `planCacheIndexFilter` `planCacheRead` `planCacheWrite` `reIndex` `renameCollectionSameDB` `storageDetails` `validate`
`dbAdminAnyDatabase`	User configured except `local` and `config`	`dbAdminAnyDatabase`
`enableSharding`		`enableSharding`
`read`	User configured	`changeStream` `collStats` `dbHash` `dbStats` `find` `killCursors` `listIndexes` `listCollections`
`readWrite`	User configured	`changeStream` `collStats` `convertToCapped` `createCollection` `dbHash` `dbStats` `dropCollection` `createIndex` `dropIndex` `find` `insert` `killCursors` `listIndexes` `listCollections` `remove` `renameCollectionSameDB` `update`
`killOpSession`	User configured	`inprog` `killop` `killAnySession` `listSessions`
`readWriteAnyDatabase`	User configured except `local` and `config`	`readWriteAnyDatabase` `changeStream` `collStats` `convertToCapped` `createCollection` `dbHash` `dbStats` `dropCollection` `createIndex` `dropIndex` `find` `insert` `killCursors` `listIndexes` `listCollections` `listDatabases` `remove` `renameCollectionSameDB` `update`
`readAnyDatabase`	User configured except `local` and `config`	`readAnyDatabase` `changeStream` `collStats` `dbHash` `dbStats` `find` `killCursors` `listIndexes` `listCollections` `listDatabases`

← Configure Database Deployment Authentication and Authorization Configure Custom Database Roles →