Docs Menu

Docs HomeMongoDB Ops Manager

Manage MongoDB Users

On this page

  • Considerations
  • Add One MongoDB User
  • Edit One MongoDB User Details
  • Manage or Unmanage MongoDB Users
  • Remove a MongoDB User

When you select an Authentication Mechanism for your Ops Manager project, this enables access control for all managed deployments in your Ops Manager project.

With access control enabled, clients must authenticate to the MongoDB process as MongoDB users. Once authenticated, these users only have privileges granted by their assigned roles. You can assign MongoDB's built-in roles to a user as well as custom roles.

You can create MongoDB users before or after enabling accessing control, but your MongoDB instances do not require user credentials if access control is not enabled.

Important

MongoDB users are separate from Ops Manager users. MongoDB users have access to MongoDB databases, while Ops Manager users access the Ops Manager application itself.

Any users or roles you choose to manage in an Ops Manager project have their Synced value set to Yes and are synced to all deployments in the project.

Any users or roles you do not choose to manage in an Ops Manager project have their Synced value set to No and exist only in their respective MongoDB deployments.

Note

If you toggle Synced to OFF after import, any users or roles you create are deleted.

If you enforce a consistent set of users and roles in your project, Ops Manager synchronizes these users and roles across all deployments in that project. Toggle Enforce Consistent Set to choose whether or not to manage one set of users and roles:

In a managed project, Ops Manager grants all of the users and roles access to all deployments. All deployments that the Ops Manager project manages have the same set of MongoDB users and roles.

Ops Manager limits the access to users and roles where you set Synced to Yes. Ops Manager deletes all users and roles that Ops Manager project doesn't manage from the deployments in your project.

In a managed project, Ops Manager allows each deployment to use its own set of MongoDB users and roles. Ops Manager doesn't need to manage these MongoDB users and roles. To manage these users and roles, you must connect direct to the MongoDB deployment.

Ops Manager grants managed MongoDB users and roles where you set Synced to Yes access to all managed deployments.

Ops Manager limits access of unmanaged MongoDB users and roles, where you set Synced to No, to those users' and roles' specific deployments.

Note

Enforce Consistent Set defaults to NO.

To learn how importing MongoDB deployments can affect managing users and roles, see Automation and Updated Security Settings Upon Import.

Note

Ops Manager Uses Default Hashing Iterations for User Credentials

When you create a MongoDB user via Ops Manager, it uses the default number of iterations for SCRAM-SHA-1 (10,000) and SCRAM-SHA-256 (15,000) to hash user credentials. If you want to use different values, create the user in MongoDB directly.

1
  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. If it is not already displayed, click Deployment in the sidebar.

  1. Click the Security tab.

  2. Click MongoDB Users.

2
3
Field
Description
Identifier
  • In the first field, enter the database on which the user authenticates.

  • In the second field, enter a username on that database.

Together, the database and username uniquely identify the user. Though the user has just one authentication database, the user can have privileges on other databases. You grant those privileges when assigning the user roles.

If you are authenticating with an external system, like Kerberos or an LDAP server, add users to the $external database.

Roles
Enter any available user-defined roles and built-in roles into this box. The combo box provides a list of existing roles when you click in it.
Password

Enter the user's password.

Important

If you specified $external as the database in the Identifier, you do not need to specify a password for the new user.

Authentication Restrictions
  1. Click Add Entry.

  2. Add one or more IP addresses and/or CIDR blocks in either the Client Source or Server Address boxes. Separate multiple addresses or blocks with commas.

    • Client Source restricts which addresses this user can authenticate and use the given roles.

    • Server Address restricts the addresses this user can authenticate and has the given roles.

  3. Click Save.

  4. To add another entry, click Add Entry.

4
5
6

Otherwise, click Cancel and you can make additional changes.

Note

Ops Manager Uses Default Hashing Iterations for User Credentials

When you edit a MongoDB user via Ops Manager, it uses the default number of iterations for SCRAM-SHA-1 (10,000) and SCRAM-SHA-256 (15,000) to hash user credentials. If you want to use different values, update the user in MongoDB directly.

1
  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. If it is not already displayed, click Deployment in the sidebar.

  1. Click the Security tab.

  2. Click MongoDB Users.

2
3
Field
Description
Identifier
These values cannot be edited.
Roles

Enter any available user-defined roles and built-in roles into this box. The combo box provides a list of existing roles when you click in it.

To remove a role, click the x to the left of that role.

Password

Enter the user's password.

Important

If you specified $external as the database in the Identifier, you do not need to change this value.

Authentication Restrictions

To add an authentication restriction:

  1. Click Add Entry.

  2. Add one or more IP addresses or CIDR blocks in either the Client Source or Server Address boxes. Separate multiple addresses or blocks with commas.

    • Client Source restricts which addresses this user can authenticate and use the given roles.

    • Server Address restricts the addresses this user can authenticate and has the given roles.

  3. Click Save.

  4. To add another entry, click Add Entry.

To remove an authentication restriction:

  1. Click the x to the right of the authentication restriction.

4
5
6

Otherwise, click Cancel and you can make additional changes.

1
  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. If it is not already displayed, click Deployment in the sidebar.

  1. Click the Security tab.

  2. Click MongoDB Users.

2

This shows all MongoDB users present in all managed deployments for the Ops Manager project and any potential conflicts.

3

Set the Sync switch to Yes for each MongoDB user you want Ops Manager to manage. To manage all MongoDB users for the Ops Manager project, click the Sync All link.

Set the Sync switch to No to unmanage the MongoDB user.

Current Sync State
New Sync State
What Changes
NO
YES

Ops Manager now manages the user.

Note

If there are any potential conflicts with other discovered users, you will be presented with the option to resolve conflicts.

YES
NO

Ops Manager no longer manages the user.

Warning

If Ensure Consistent Set is YES, the user is deleted from all MongoDB databases Ops Manager currently manages for this project.

Note

If Ensure Consistent Set is NO, Ops Manager no longer manages the users in that MongoDB database, but these users can be managed through a direct connection to that database.

4
5

Otherwise, click Cancel and you can make additional changes.

6

The following procedure deletes the MongoDB user from all the project's managed MongoDB deployments. See also Manage or Unmanage MongoDB Users.

1
  1. If it is not already displayed, select the organization that contains your desired project from the Organizations menu in the navigation bar.

  2. If it is not already displayed, select your desired project from the Projects menu in the navigation bar.

  3. If it is not already displayed, click Deployment in the sidebar.

  1. Click the Security tab.

  2. Click MongoDB Users.

2
3
4
5
6

Otherwise, click Cancel and you can make additional changes.

7
←  Manage MongoDB Users and RolesManage Custom Roles →