Built-In Roles and Privileges

On this page

Built-in Roles

Specific Privileges

The available Atlas built-in roles and specific privileges support a subset of MongoDB commands. See Unsupported Commands in M10+ Clusters for more information.

Built-in Roles

The following table describes the Atlas built-in roles and the MongoDB Roles or privilege actions they represent.

Note

Protected MongoDB Database Namespaces

The following databases are read-only for all users, including those with the atlasAdmin or clusterMonitor role.

local
config

We discourage writing to the admin database. Atlas manages multiple collections in the admin database, and these collections are read-only for all users.

atlasAdmin has the update privilege on the config.settings collection to manage the balancer.

Atlas Built-in Role	MongoDB Role	Inherited Roles or Privilege Actions
`Atlas admin`	`atlasAdmin`	`readWriteAnyDatabase` `dbAdminAnyDatabase` `clusterMonitor` `viewRole` `moveChunk` `enableSharding` `cleanupOrphaned` `flushRouterConfig` `checkMetadataConsistency`
`Read and write to any database`	`readWriteAnyDatabase`	`readWriteAnyDatabase`
`Only read any database`	`readAnyDatabase`	`readAnyDatabase`

To learn more about common commands that Atlas doesn't support with the current Atlas user privileges, see Unsupported Commands in M10+ Clusters

Specific Privileges

The following table describes the Atlas specific privileges, the database it applies to, and the privilege actions they represent.

Atlas Specific Privilege	Database	Privilege Actions
`backup`	`admin`	`listDatabases` `listCollections` `listIndexes` `appendOplogNote` `getParameter` `serverStatus`
`clusterMonitor`	`admin`	`connPoolStats` `getCmdLineOpts` `getDefaultRWConcern` `getLog` `getParameter` `getShardMap` `hostInfo` `inprog` `listDatabases` `listSessions` `listShards` `replSetGetConfig` `replSetGetStatus` `serverStatus` `shardingState` `top`
`dbAdmin`	User configured	`bypassDocumentValidation` `changeStream` `collMod` `collStats` `compact` `convertToCapped` `createCollection` `createIndex` `createSearchIndex` `dbHash` `dbStats` `dropCollection` `dropDatabase` `dropIndex` `dropSearchIndex` `enableProfiler` `find` `killCursors` `listCollections` `listIndexes` `listSearchIndexes` `planCacheIndexFilter` `planCacheRead` `planCacheWrite` `reIndex` `renameCollectionSameDB` `storageDetails` `updateSearchIndex` `validate`
`dbAdminAnyDatabase`	User configured except `local` and `config`	`dbAdminAnyDatabase`
`enableSharding`		`enableSharding`
`read`	User configured	`changeStream` `collStats` `dbHash` `dbStats` `find` `killCursors` `listIndexes` `listCollections` `listSearchIndexes`
`readWrite`	User configured	`changeStream` `collStats` `convertToCapped` `createCollection` `createSearchIndex` `dbHash` `dbStats` `dropCollection` `createIndex` `dropIndex` `dropSearchIndex` `find` `insert` `killCursors` `listIndexes` `listCollections` `listSearchIndexes` `remove` `renameCollectionSameDB` `update`
`killOpSession`	User configured	`inprog` `killop` `killAnySession` `killCursors` `listSessions`
`readWriteAnyDatabase`	User configured except `local` and `config`	`readWriteAnyDatabase` `changeStream` `collStats` `convertToCapped` `createCollection` `createSearchIndex` `dbHash` `dbStats` `dropCollection` `dropSearchIndex` `createIndex` `dropIndex` `find` `insert` `killCursors` `listIndexes` `listCollections` `listDatabases` `listSearchIndexes` `remove` `renameCollectionSameDB` `update`
`readAnyDatabase`	User configured except `local` and `config`	`readAnyDatabase` `changeStream` `collStats` `dbHash` `dbStats` `find` `killCursors` `listIndexes` `listCollections` `listDatabases` `listSearchIndexes`

Back

Database Users

Custom Database Roles