This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.

Enable MongoDB Role-Based Access Control

Overview

MongoDB uses Role-Based Access Control (RBAC) to determine access to a MongoDB system. When run with access control, MongoDB requires users to authenticate themselves to determine their access. MongoDB limits each user to the resources and actions allowed by the user’s roles. If you leave access control disabled, any client can access any database in your deployments and perform any action.

When you enable MongoDB access control, you enable it for all the deployments in your Ops Manager group. The group shares one set of users for all deployments, but each user has permissions only for specific resources.

Access control applies to the Ops Manager agents as well as to clients. When you enable access control, Ops Manager creates the appropriate users for the agents.

Considerations

Once you enable access control, you must create MongoDB users so that clients can access your databases. Always use the Ops Manager interface to manage users and roles. Do not manage them through a direct connection to a MongoDB instance.

When you enable access control, Ops Manager creates a user with global privileges used only by the Automation Agent. Ops Manager also creates users for the Monitoring and Backup agents if they are managed by Ops Manager. The first user you create can be any type of user, as the Automation Agent guarantees you will always have access to user management.

For more information on MongoDB access control, see the Authentication and Authorization pages in the MongoDB manual.

Enable MongoDB Access Control

Ops Manager supports various authentication mechanisms. You choose which mechanisms to use when you enable access control.

1

Click the Deployment tab, then click the Deployment page.

2
3

Check the authentication mechanism, then click Next.

4

Configure SSL if desired, and click Continue.

If desired, enable SSL for the group.

Note

See Enable SSL for a Deployment for SSL setup instructions.

5

Configure the Authentication Mechanism for the Agents.

If you enable more than one authentication mechanism, you must specify which one of the authentication mechanisms the Ops Manager agents should use to connect to your deployment.

  1. Select the authentication mechanism from the Agent Auth Mechanism drop-down menu.

Ops Manager automatically generates the Agents’ usernames and passwords.

Ops Manager creates users for the agents with the required user roles in the admin database for each existing deployment in Ops Manager. When you add a new deployment, Ops Manager creates the required users in the new deployment.

You do not need to configure all of the agents, only the ones you installed.

Example

If you did not install the Backup agent, you do not need to configure the Backup agent.

6

Click Review & Deploy to review your changes.

7

Review and approve your changes.

Ops Manager displays your proposed changes.

  1. If they are acceptable, click Confirm & Deploy.
  2. If they are unacceptable, click Cancel and you can make additional changes.

MONGODB-CR/SCRAM-SHA-1 authentication is the only authentication mechanism available in Ops Manager when using the MongoDB Community version.

For detailed instructions on configuring the different authentication mechanisms, see Enable Authentication for an Ops Manager Group.

Next Steps

To create your users and assign privileges, see Manage MongoDB Users and Roles.
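
The following added example is not part of the Ops Manager documentation. It audits a saved copy of a group's automation configuration for the conditions this page describes: access control enabled, the agents' mechanism among the enabled mechanisms (step 5), and users limited by their roles. The `auth` field names, the list of broad roles and the sample document are assumptions modeled on the automation configuration format; verify them against your Ops Manager version.

```python
import json

# Constructed sample shaped like the "auth" object of an automation
# configuration. Field names are assumptions; check them for your version.
SAMPLE = json.loads("""
{"auth": {
  "disabled": false,
  "deploymentAuthMechanisms": ["MONGODB-CR", "MONGODB-X509"],
  "autoAuthMechanism": "PLAIN",
  "usersWanted": [
    {"db": "admin", "user": "app_rw", "roles": [{"db": "orders", "role": "readWrite"}]},
    {"db": "admin", "user": "legacy", "roles": []},
    {"db": "admin", "user": "ops", "roles": [{"db": "admin", "role": "root"}]}
  ]
}}
""")

# MongoDB built-in roles that grant deployment-wide privileges.
BROAD_ROLES = {"root", "__system", "userAdminAnyDatabase",
               "dbAdminAnyDatabase", "readWriteAnyDatabase"}

def audit_auth(config):
    """Return (check, detail) findings; an empty list means every check passed."""
    auth = config.get("auth") or {}
    findings = []
    mechs = auth.get("deploymentAuthMechanisms") or []
    # A missing "disabled" key is treated as disabled (conservative default).
    if auth.get("disabled", True) or not mechs:
        findings.append(("access-control-off", "any client can perform any action"))
        return findings
    # Accept either the list form or the single-value form of the agent setting.
    agent = auth.get("autoAuthMechanisms") or [auth.get("autoAuthMechanism")]
    for m in agent:
        if m not in mechs:
            findings.append(("agent-mechanism", f"{m!r} is not an enabled deployment mechanism"))
    for u in auth.get("usersWanted") or []:
        roles = u.get("roles") or []
        name = f"{u.get('user')}@{u.get('db')}"
        if not roles:
            findings.append(("no-roles", f"{name} can authenticate but has no privileges"))
        broad = sorted(r["role"] for r in roles if r.get("role") in BROAD_ROLES)
        if broad:
            findings.append(("broad-role", f"{name} holds {', '.join(broad)}"))
    return findings

if __name__ == "__main__":
    for check, detail in audit_auth(SAMPLE):
        print(f"{check}: {detail}")
```

A `broad-role` finding is a prompt for review, not necessarily an error, since some administrative users legitimately need deployment-wide roles.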