
Configure Database Users

Create database users to provide clients access to the clusters in your project.

A database user's access is determined by the roles assigned to the user. When you create a database user, any of the built-in roles add the user to all clusters in your Atlas project. To specify which resources a database user can access in your project, you can select the option Restrict Access to Specific Clusters in the Atlas UI or set specific privileges and custom roles.

Database users are separate from Atlas users. Database users have access to MongoDB databases, while Atlas users have access to the Atlas application itself. Atlas supports creating temporary database users that automatically expire within a user-configurable 7-day period.

Atlas audits the creation, deletion, and updates of both temporary and non-temporary database users in the project's Activity Feed.

Note

Self-Managed Deployments

The information on this page applies only to deployments hosted in Atlas. To learn how to create database users on self-managed deployments, see Create a User on Self-Managed Deployments.

The following limitations apply only to deployments hosted in MongoDB Atlas. If any of these limits present a problem for your organization, contact Atlas support.

Atlas offers the following forms of authentication for database users:

  • Password: SCRAM is MongoDB's default authentication method. SCRAM requires a password for each user.

    The authentication database for SCRAM-authenticated users is the admin database.

    Note

    By default, Atlas supports SCRAM-SHA-256 authentication. If you created a user before MongoDB 4.0, you must update their password to generate SCRAM-SHA-256 credentials. You may reuse existing passwords.

    When to use SCRAM:

    You can use SCRAM authentication for human users and application users. For lower environments, SCRAM is a suitable authentication method. For production and higher environments, follow security best practices to keep secrets secure and short-term, such as integrating with Privileged Access Management (PAM) solutions.

  • X.509 Certificates: X.509 Certificates, also known as mutual TLS or mTLS, allow passwordless authentication by using a trusted certificate.

    The authentication database for X.509-authenticated users is the $external database.

    If you enable LDAP authorization, you can't connect to your clusters with users that authenticate with an Atlas-managed X.509 certificate. To enable LDAP and connect to your clusters with X.509 users, see Set Up Self-Managed X.509 Certificates.

    When to use X.509:

    X.509 authentication is suitable for secure workload access when workload identity federation (OIDC) or AWS IAM authentication is not feasible, or when mutual authentication is required.

  • OIDC: OpenID Connect (OIDC) authentication enables passwordless, secretless authentication using external identity providers. Atlas supports the following types of OIDC authentication:

    The authentication database for OIDC-authenticated users is the $external database.

    OIDC authentication is available only on clusters which use MongoDB version 7.0 and higher.

    When to use OIDC:

    For human users, we recommend that you use Workforce Identity Federation with OIDC.

    For application users, we recommend that you use Workload Identity Federation with OIDC for applications that run on GCP or Azure.

  • AWS IAM: You can create a database user which uses an AWS IAM User or Role ARN for authentication.

    The authentication database for AWS IAM-authenticated users is the $external database.

    When to use AWS IAM:

    We recommend that you use AWS IAM authentication with IAM roles for application users running on AWS.

To add database users, you must have Organization Owner, Organization Stream Processing Admin, Project Owner, Project Stream Processing Owner, or Project Database Access Admin access to Atlas.
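
The following review script is an added example, not MongoDB's own code. It classifies each database user by the authentication forms listed above and flags users that are not restricted to specific clusters, users whose authentication database does not match their method, and password users with no expiry. The field names (`databaseName`, `scopes`, `awsIAMType`, `x509Type`, `oidcAuthType`, `deleteAfterDate`) are assumed to match a JSON export of the project's database users, and the sample records are constructed.

```python
import json

# Constructed sample records; field names are an assumption about the export format.
SAMPLE_USERS = json.loads("""
[
  {"username": "app-orders", "databaseName": "admin",
   "roles": [{"roleName": "readWriteAnyDatabase", "databaseName": "admin"}],
   "scopes": []},
  {"username": "contractor-tmp", "databaseName": "admin",
   "roles": [{"roleName": "readAnyDatabase", "databaseName": "admin"}],
   "scopes": [{"name": "analytics", "type": "CLUSTER"}],
   "deleteAfterDate": "2030-01-08T00:00:00Z"},
  {"username": "arn:aws:iam::123456789012:role/orders-svc",
   "databaseName": "$external", "awsIAMType": "ROLE",
   "roles": [{"roleName": "readWrite", "databaseName": "orders"}],
   "scopes": [{"name": "prod", "type": "CLUSTER"}]},
  {"username": "CN=batch-job", "databaseName": "admin", "x509Type": "MANAGED",
   "roles": [{"roleName": "read", "databaseName": "reports"}], "scopes": []}
]
""")

# Only the four authentication forms described on this page are classified.
TYPE_FIELDS = {"awsIAMType": "AWS IAM", "x509Type": "X.509", "oidcAuthType": "OIDC"}

def auth_method(user):
    """Return the authentication form; a user with no external type set uses SCRAM."""
    for field, label in TYPE_FIELDS.items():
        if user.get(field, "NONE") != "NONE":
            return label
    return "SCRAM"

def review(user):
    """Return a list of findings for one database user record."""
    findings = []
    method = auth_method(user)
    # SCRAM users authenticate against admin; all other forms use $external.
    expected_db = "admin" if method == "SCRAM" else "$external"
    if user.get("databaseName") != expected_db:
        findings.append(f"{method} user should authenticate against {expected_db}")
    # No scopes means the user's roles apply to every cluster in the project.
    if not user.get("scopes"):
        findings.append("not restricted to specific clusters")
    # Long-lived passwords are the case the page advises keeping short-term.
    if method == "SCRAM" and not user.get("deleteAfterDate"):
        findings.append("password user with no expiry date")
    return findings

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["username"], auth_method(u), review(u) or "ok")
```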
