Atlas User Roles

Atlas user roles define the actions Atlas users can perform in organizations, projects, or both. Organization and project Owners can manage Atlas users and their roles within their respective organizations and projects.

You can apply these permissions only on the the organization level or the project level. So, you should carefully plan the hierarchy of your organizations and projects. To learn more, see Cluster Management.

Organization Roles

Organization Role (UI)	Organization Role (API, CLI)	Description
`Organization Owner`	`ORG_OWNER`	Grants root access to the organization, including: `Project Owner` access to all projects in the organization, which grants database access, even if added to a project with a non-Owner role. Privileges to administer organization settings. Privileges to add, modify, or delete Atlas users and database users within the organization. Privileges to delete the organization. Privileges to add, modify, or delete resource tags. All the privileges granted by the other organization roles combined.
`Organization Project Creator`	`ORG_GROUP_CREATOR`	Grants the following access: Privileges to create projects in the organization. Privileges granted by the `Organization Member` role.
`Organization Billing Admin`	`ORG_BILLING_ADMIN`	Grants the following access: Privileges to administer billing information for the organization. Privileges granted by the `Organization Member` role. Privileges to create, edit, delete, acknowledge, and unacknowledge billing alerts.
`Organization Stream Processing Admin`	`ORG_STREAM_PROCESSING_ADMIN`	Grants the following access: Privileges granted by the `Project Stream Processing Owner` role, for all projects within the organization. Privileges to create, modify, and delete private endpoints and VPC peering connections. Privileges granted by the `Organization Read Only` role.
`Organization Billing Viewer`	`ORG_BILLING_READ_ONLY`	Grants the following access: Privileges to view billing information for the organization. Privileges granted by the `Organization Member` role.
`Organization Read Only`	`ORG_READ_ONLY`	Provides read-only access to the settings, users, and projects in the organization.
`Organization Member`	`ORG_MEMBER`	Provides read-only access to the settings and users in the organization and the projects they belong to. Unlike `Organization Read Only`, an `Organization Member` can only access projects they have been explicitly added to. For an `Organization Member`, within a project, the user has the privileges as determined by the user's project role. If a user's project role is `Project Owner`, then the user can add a new user to the project, which results in adding the newly-added user to the organization as well (if the newly added user is not already in the organization).

Project Roles

The following roles grant privileges within a project. All the project roles also grant all the privileges included with the Project Read Only role.

Project Role (UI)	Project Role (API, CLI)	Description
`Project Owner`	`GROUP_OWNER`	Grants the privileges to perform the following actions: Cluster Types. Manage project access and project settings. Manage IP Access List entries. Manage programmatic access to a project. You can grant API Keys access to a project with either an organization or a project role. If your key has both the `Organization Owner` and `Project Owner` roles, it can access all projects in the organization. Manage database access for clusters within the project. Retrieve process and audit logs for all clusters in the project. Manage backups for and restore data to all clusters in the project. Access the Data Explorer. Launch MongoDB Charts. Connect or disconnect Charts data sources. Add, modify, or delete resource tags. Create, view, edit and delete stream processing workspaces Create, view, edit, and delete connections in connection registry Create, modify, or delete Triggers
`Project Replica Set Manager`	`GROUP_REPLICA_SET_MANAGER`	Grants the privileges to perform the following actions: Edit the following: Global cluster configuration Zone configuration Replication specs Cluster tier Test resilience. Pause and resume clusters. This role doesn't grant permissions to perform the following actions: Edit the following: Advanced cluster configurations Tags Major version Cloud backup setting Termination protection Grant access to MongoDB support.
`Project Cluster Manager`	`GROUP_CLUSTER_MANAGER`	Grants the privileges to perform the following actions: Grants access to edit, pause, and resume Atlas clusters. Test failover. The `Project Cluster Manager` role doesn't allow users to: Create and terminate Atlas clusters. Access the Data Explorer. Retrieve process and audit logs.
`Project Cluster Creator`	`GROUP_CLUSTER_CREATOR`	Grants the privileges to create clusters.
`Project Cluster Log Viewer`	`GROUP_CLUSTER_LOG_VIEWER`	Grants the privileges to perform the following actions: View and download system and audit logs. View and download database access history.
`Project Cluster Resilience Tester`	`GROUP_CLUSTER_RESILIENCE_TESTER`	Grants the privileges to test cluster resilience.
`Project Stream Processing Owner`	`GROUP_STREAM_PROCESSING_OWNER`	Grants the privileges to perform the following actions: Edit, pause, and resume Atlas clusters. Manage database access for clusters within the project. Test failover. Access the Data Explorer. Download stream processing workspace audit logs. Create, view, edit and delete stream processing workspaces Create, view, edit, and delete connections in connection registry Create, view, edit, and delete stream processors The `Project Stream Processing Owner` role doesn't allow users to: Create Atlas clusters. Retrieve process and database audit logs.
`Project Access Manager`	`GROUP_ACCESS_MANAGER`	Grants privileges to perform the following actions: Invite users to project. Create and update teams. Create and update API keys. Create and update service accounts.
`Project Data Access Admin`	`GROUP_DATA_ACCESS_ADMIN`	Grants access to the Data Explorer, with the privileges to perform the following actions through the Atlas UI: View, create, and drop databases, collections, and indexes, and hide indexes. UI only: View, modify, and delete documents. You can't read or write data using the Atlas Administration API. Retrieve process and audit logs for all clusters in the project. View the sample query field values in the Performance Advisor. View collection-level query latency with Namespace Insights. View collection-level query shape performance with Query Shape Insights. View query performance, including raw queries, in the Query Profiler. View real-time performance in the Real-Time Performance Panel. View documents using the Search Tester. Launch MongoDB Charts. Download stream processing workspace audit logs. Create, view, edit and delete stream processing workspaces View connections in the connection registry This role doesn't grant privileges to initiate backup or restore jobs.
`Project Data Access Read/Write`	`GROUP_DATA_ACCESS_READ_WRITE`	Grants access to the Data Explorer, with the privileges to perform the following actions through the Atlas UI: View and create databases and collections. UI only: View, modify, and delete documents. You can't read or write data using the Atlas Administration API. View indexes. Retrieve process and audit logs for all clusters in the project. View the sample query field values in the Performance Advisor. View collection-level query latency with Namespace Insights. View collection-level query shape performance with Query Shape Insights. View query performance, including raw queries, in the Query Profiler. View real-time performance in the Real-Time Performance Panel. View documents using the Search Tester. Launch MongoDB Charts. Download stream processing workspace audit logs. View stream processing workspaces View connections in the connection registry
`Project Data Access Read Only`	`GROUP_DATA_ACCESS_READ_ONLY`	Grants access to the Data Explorer, with the privileges to perform the following actions through the Atlas UI: View databases and collections. UI only: View documents. You can't read or write data using the Atlas Administration API. View indexes. Retrieve process and audit logs for all clusters in the project. View the sample query field values in the Performance Advisor. View collection-level query latency with Namespace Insights. View collection-level query shape performance with Query Shape Insights. View query performance in the Query Profiler. View real-time performance in the Real-Time Performance Panel. View documents using the Search Tester. Launch MongoDB Charts. Download stream processing workspace audit logs. View stream processing workspaces View connections in the connection registry
`Project Database Access Admin`	`GROUP_DATABASE_ACCESS_ADMIN`	Grants the privileges to perform the following actions: Manage database access for the clusters in a project. Manage custom database roles for the clusters in a project. Retrieve the database access logs for the clusters in a project. This role doesn't grant access to do the following tasks: Create Atlas clusters. Access the Data Explorer. Retrieve process and audit logs. This role doesn't grant privileges to export snapshots.
`Project Backup Manager`	`GROUP_BACKUP_MANAGER`	Grants the privileges to perform the following actions: Manage backups and restore data to all clusters in a project. Download and export backups. Manage cluster backup policies. This role doesn't grant access to do the following tasks: Create Atlas clusters. Access the Data Explorer. Retrieve process and audit logs. Edit a Backup Compliance Policy.
`Project Backup Creator`	`GROUP_BACKUP_CREATOR`	Grants privileges to perform the following actions on clusters that support backups: List backup snapshots. Create on demand snapshots.
`Project Backup Recovery Operator`	`GROUP_BACKUP_RECOVERY_OPERATOR`	Grants privileges to perform the following actions on clusters that support restoring from backups: List backup snapshots. Recover clusters from backup snapshots. This role doesn't grant privileges to download or export backups.
`Project Backup Export Operator`	`GROUP_BACKUP_EXPORT_OPERATOR`	Grants privileges to perform the following actions on clusters that support exporting backups: List backup snapshots. Download or export backups.
`Project Network Access Manager`	`GROUP_NETWORK_ACCESS_MANAGER`	Grants privileges to update project network settings for the following: Access lists VPC peering Private Link
`Project Observability Viewer`	`GROUP_OBSERVABILITY_VIEWER`	Grants the privileges to perform the following actions: View the sample query field values in the Performance Advisor. View collection-level query latency with Namespace Insights. View collection-level query shape performance with Query Shape Insights. View query performance, including raw queries, in the Query Profiler. View real-time performance in the Real-Time Performance Panel. This role doesn't grant access to do the following tasks: Create Atlas clusters. Access the Data Explorer. Retrieve process and audit logs.
`Project Trigger Manager`	`GROUP_TRIGGER_MANAGER`	Grants privileges to create, update, and delete triggers.
`Project Read Only`	`GROUP_READ_ONLY`	Grants view-only access to the project control plane metadata. The user can view all activity, operational data, users, and user roles. The user, however, cannot access the Data Explorer or retrieve process and audit logs. The user can view cluster metric charts. Grants access to view connection details for Stream Processing Workspaces. Grants access to MongoDB Charts only if invited to the project by a `Project Owner`. The user, however, cannot access data from Charts, unless the `Project Owner` also grants them data source access.
`Project Index Manager`	`GROUP_INDEX_MANAGER`	Grants privileges to perform the following actions: View Performance Advisor. Create rolling indexes using Performance Advisor. This role doesn't grant privileges to access data through Data Explorer or MongoDB Charts.
`Project Search Index Editor`	`GROUP_SEARCH_INDEX_EDITOR`	Grants the privileges to perform the following actions: Create Search Index. View Search Index. Edit Search Index. Delete Search Index.
`Project Real Time Performance Operator`	`GROUP_REAL_TIME_PERFORMANCE_OPERATOR`	Grants privileges to run the database `killop`. This role doesn't grant privilege to read or write data.
`Project Support Access Manager`	`GROUP_SUPPORT_ACCESS_MANAGER`	Grants users the ability to provide MongoDB support access to clusters and cluster logs. This doesn't include privileges to support access settings at the organization level.
`Project Alerts Manager`	`GROUP_ALERTS_MANAGER`	Grants privileges to perform the following actions: Create, view, update, and delete project alert settings. View and update project alerts.
`Project Model Owner`	`GROUP_MODEL_OWNER`	Grants privileges to create and delete Model API keys for the project.

Back

Atlas Users

Atlas Resource Policies