Docs Menu
Docs Home
/
Atlas
/
Configure Security Features
/
Authentication

Built-In Roles and Privileges

The available Atlas built-in roles and specific privileges support a subset of MongoDB commands. See Unsupported Commands in M10+ Clusters for more information.

Built-in Roles

The following table describes the Atlas built-in roles and the MongoDB Roles they represent. Refer to Built-In Roles for a full description of the privilege actions that each role includes.

Note

Protected MongoDB Database Namespaces

The following databases are read-only for all users, including those with the atlasAdmin or clusterMonitor role.

  • local

  • config

We discourage writing to the admin database. Atlas manages multiple collections in the admin database, and these collections are read-only for all users.

atlasAdmin has the update privilege on the config.settings collection to manage the balancer.

Atlas Built-in Role
MongoDB Role
Inherited Roles or Privilege Actions
Atlas admin
atlasAdmin

This role allows you to use setQuerySettings, removeQuerySettings, and $querySettings.

Read and write to any database

readWriteAnyDatabase

Only read any database

readAnyDatabase

backup

backup

clusterMonitor

clusterMonitor

dbAdmin

dbAdmin

dbAdminAnyDatabase

dbAdminAnyDatabase

enableSharding

enableSharding

read

read

readWrite

readWrite

readWriteAnyDatabase

readWriteAnyDatabase

readAnyDatabase

readAnyDatabase

To learn more about common commands that Atlas doesn't support with the current Atlas user privileges, see Unsupported Commands in M10+ Clusters

Specific Privileges

killOpSession is specific to Atlas and applies to any user-configured database.

It inherits the following privilege actions:

The autoCompact privilege action is specific to Atlas and allows database users with the atlasAdmin role to enable or disable background compaction. You can also create a custom database user with the autoCompact privilege enabled.

Back

Database Users

Next

Custom Database Roles