This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.
You were redirected from a different version of the documentation. Click here to go back.

Required Access for Automation Agent

If your MongoDB deployment enforces access control, the Ops Manager Automation Agent must authenticate to MongoDB as a user with the proper access.

If you use Automation, Ops Manager manages authentication. If you do not use Automation, follow the instructions on this page.

To authenticate, create a user with the appropriate roles in MongoDB. The following tutorials include instructions and examples for creating the MongoDB user:

MongoDB user roles are separate from Ops Manager user roles and are described in the MongoDB manual beginning with the Authorization page.


To authenticate to sharded clusters, create shard-local users on each shard and create cluster-wide users:

  • Create cluster users while connected to the mongos: these credentials persist to the config servers.
  • Create shard-local users by connecting directly to the replica set for each shard.


Every process in your Ops Manager deployment must use the same username and roles for the Automation Agent user.


Connect to the mongod or mongos instance as a user with access to create database users. See db.createUser() method page in the MongoDB Manual.

To automate MongoDB instances, the automation agent must authenticate to the database as a user with the following access:

Required Role Database
clusterAdmin admin
readWriteAnyDatabase admin
userAdminAnyDatabase admin
dbAdminAnyDatabase admin
backup admin
restore admin

Authentication Mechanisms

To authenticate, create the user in MongoDB with the appropriate access. The authentication method that the MongoDB deployment uses determines how to create the user as well as determine any additional agent configuration: