
Configure Database Users

Create database users to provide clients access to the clusters in your project.

A database user's access is determined by the roles assigned to the user. When you create a database user, any of the built-in roles add the user to all clusters in your Atlas project. To specify which resources a database user can access in your project, you can select the option Restrict Access to Specific Clusters in the Atlas UI or set specific privileges and custom roles.

Database users are separate from Atlas users. Database users have access to MongoDB databases, while Atlas users have access to the Atlas application itself. Atlas supports creating temporary database users that automatically expire within a user-configurable 7-day period.

Atlas audits the creation, deletion, and updates of both temporary and non-temporary database users in the project's Activity Feed.

Note

Self-Managed Deployments

The information on this page applies only to deployments hosted in Atlas. To learn how to create database users on self-managed deployments, see Create a User on Self-Managed Deployments.

The following limitations apply only to deployments hosted in MongoDB Atlas. If any of these limits present a problem for your organization, contact Atlas support.

Atlas offers the following forms of authentication for database users:

SCRAM is MongoDB's default authentication method. SCRAM requires a password for each user.

The authentication database for SCRAM-authenticated users is the admin database.

Note

By default, Atlas supports SCRAM-SHA-256 authentication. If you created a user before MongoDB 4.0, update their passwords to generate SCRAM-SHA-256 credentials. You may reuse existing passwords.

X.509 Certificates, also known as mutual TLS or mTLS, allow passwordless authentication by using a trusted certificate.

The authentication database for X.509-authenticated users is the $external database.

If you enable LDAP authorization, you can't connect to your clusters with users that authenticate with an Atlas-managed X.509 certificate. To enable LDAP and connect to your clusters with X.509 users, see Set Up Self-Managed X.509 Certificates.

You can create a database user which uses an AWS IAM User or Role ARN for authentication.

The authentication database for AWS IAM-authenticated users is the $external database.

AWS IAM authentication is available only on clusters which use MongoDB version 7.0 and higher.
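
A connection-string check built on the mechanism-to-authentication-database mapping above, as an added example that is not part of the Atlas documentation. `check_uri`, `AUTH_DB` and the sample URIs are hypothetical; `authMechanism` and `authSource` are the standard MongoDB connection string options, and the check assumes SCRAM when no mechanism is set.

```python
from urllib.parse import urlsplit, parse_qs

# Authentication database per mechanism, as stated on this page. The keys are
# the standard MongoDB URI authMechanism values for the three methods.
AUTH_DB = {
    "SCRAM-SHA-256": "admin",
    "SCRAM-SHA-1": "admin",      # pre-4.0 SCRAM credentials
    "MONGODB-X509": "$external",
    "MONGODB-AWS": "$external",
}

def check_uri(uri):
    """Return a list of findings for one MongoDB connection string."""
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        return ["not a MongoDB connection string"]
    # Option names are case-insensitive; the last repeated value wins here.
    opts = {k.lower(): v[-1] for k, v in parse_qs(parts.query).items()}
    mech = opts.get("authmechanism", "SCRAM-SHA-256").upper()  # assumption: SCRAM when unset
    if mech not in AUTH_DB:
        return [f"{mech}: not an authentication method listed on this page"]
    findings = []
    source = opts.get("authsource")
    if source is not None and source != AUTH_DB[mech]:
        findings.append(f"{mech}: authSource should be {AUTH_DB[mech]}, got {source}")
    if mech == "SCRAM-SHA-1":
        findings.append("SCRAM-SHA-1: update the password to generate SCRAM-SHA-256 credentials")
    if mech == "MONGODB-X509" and parts.password:
        findings.append("MONGODB-X509: passwordless method, but the URI embeds a password")
    return findings

# Constructed sample connection strings (placeholder host and credentials).
SAMPLES = [
    "mongodb+srv://app:CONSTRUCTED_PW@cluster0.example.net/shop?authSource=admin",
    "mongodb+srv://cluster0.example.net/?authMechanism=MONGODB-X509&authSource=admin&tls=true",
    "mongodb+srv://cluster0.example.net/?authMechanism=MONGODB-AWS&authSource=%24external",
    "mongodb+srv://old:CONSTRUCTED_PW@cluster0.example.net/?authMechanism=SCRAM-SHA-1",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        # Print only host and findings so credentials never reach the output.
        print(urlsplit(uri).hostname, check_uri(uri) or "ok")
```

Only an explicit `authSource` is compared, because an unset value is resolved by the driver or by the cluster's DNS seed list records.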
