Navigation
This version of the documentation is archived and no longer supported. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.
You were redirected from a different version of the documentation. Click here to go back.

Manage MongoDB Users

Overview

When you select an Authentication Mechanism for your Ops Manager group, this enables access control for all managed deployments in your Ops Manager group.

With access control enabled, clients must authenticate to the MongoDB process as MongoDB users. Once authenticated, these users only have privileges granted by their assigned roles. You can assign MongoDB’s built-in roles to a user as well as custom roles.

You can create MongoDB users before or after enabling accessing control, but your MongoDB instances do not require user credentials if access control is not enabled.

Important

MongoDB users are separate from Ops Manager users. MongoDB users have access to MongoDB databases, while Ops Manager users access the Ops Manager application itself.

Considerations

Managed Users and Roles

Any users or roles you choose to manage in an Ops Manager group have their Synced value set to Yes and are synced to all deployments in the group.

Any users or roles you do not choose to manage in an Ops Manager group have their Synced value set to No and exist only in their respective MongoDB deployments.

Note

If you toggle Synced to OFF after import, any users or roles you create are deleted.

Consistent Users and Roles

Ops Manager has two modes of user and role management that depend upon the value of Enforce Consistent Set:

Enforce Consistent Set is YES

In this mode, all deployments that the Ops Manager group manages have the same set of MongoDB users and roles; specifically, all users and roles that the Ops Manager group manages.

Only the MongoDB users and roles that the Ops Manager group manages, that is Synced value set to Yes, can exist in the group’s managed deployments. Any users and roles that the Ops Manager group does not manage group are deleted from these deployments.

Enforce Consistent Set is NO

In this mode, deployments that the Ops Manager group manages can have different sets of MongoDB users and roles, including MongoDB users and roles not managed through the Ops Manager group. To manage these users and roles, you must connect directly to the MongoDB deployment.

Users and roles that the Ops Manager group manages, where Synced value set to Yes, are created in all deployments the Ops Manager group manages. Users and roles that the Ops Manager group does not manage, where Synced value set to No, exist only in the specific deployment.

Note

Enforce Consistent Set set to NO is the default setting.

To learn how importing MongoDB deployments can affect managing users and roles, see Automation and Updated Security Settings Upon Import.

Procedures

Add a MongoDB User

1

Click Deployment, then Security, then Users.

2

Click the Add New User button.

3

Complete the user account fields.

Field Description
Identifier
  • In the first field, enter the database on which the user authenticates.
  • In the second field, enter a username.

Together, the database and username uniquely identify the user. Though the user has just one authentication database, the user can have privileges on other databases. You grant those privileges when assigning the user roles.

If you are authenticating with an external system, like Kerberos or an LDAP server, add users to the $external database.

Roles Enter any available user-defined roles and built-in roles into the field. The field provides a drop-down list of existing roles when you click in this field.
Password

Enter the user’s password.

Important

If you specified $external as the database in the Identifier, you do not need to specify a password for the new user.

4

Click Add User.

5

Click Review & Deploy to review your changes.

6

Review and approve your changes.

Ops Manager displays your proposed changes.

  1. If you are satisfied, click Confirm & Deploy.
  2. Otherwise, click Cancel and you can make additional changes.

Edit a MongoDB User’s Password and Roles

1

Click Deployment, then Security, then Users.

2

On the line for the desired user, click Edit.

3

Edit the user’s information.

In the Roles field, you can both add and delete user-defined roles and built-in roles roles. The Roles field provides a drop-down list when you click in this field.

4

Click Save Changes.

5

Click Review & Deploy to review your changes.

6

Review and approve your changes.

Ops Manager displays your proposed changes.

  1. If you are satisfied, click Confirm & Deploy.
  2. Otherwise, click Cancel and you can make additional changes.

Manage or Unmanage MongoDB Users

1

Click Deployment, then Security, then Users.

2

Click Refresh to discover any unmanaged users in your deployments.

This shows all MongoDB users present in all managed deployments for the Ops Manager group and any potential conflicts.

3

Select users to manage or unmanage.

Set the Sync switch to Yes for each MongoDB user you want Ops Manager to manage. To manage all MongoDB users for the Ops Manager group, click the Sync All link.

Set the Sync switch to No to unmanage the MongoDB user.

Current Sync State New Sync State What Changes
NO YES

Ops Manager now manages the user.

Note

If there are any potential conflicts with other discovered users, you will be presented with the option to resolve conflicts.

YES NO

Ops Manager no longer manages the user.

Warning

If Ensure Consistent Set is YES, the user is deleted from all MongoDB databases Ops Manager currently manages for this group.

Note

If Ensure Consistent Set is NO, Ops Manager no longer manages the users in that MongoDB database, but these users can be managed through a direct connection to that database.

5

Click Review & Deploy to review your changes.

6

Review and approve your changes.

Ops Manager displays your proposed changes.

  1. If you are satisfied, click Confirm & Deploy.
  2. Otherwise, click Cancel and you can make additional changes.
7

Click Refresh to verify the desired users have been removed from your deployments.

Remove a MongoDB User

The following procedure deletes the MongoDB user from all the group’s managed MongoDB deployments. See also Manage or Unmanage MongoDB Users.

1

Click Deployment, then Security, then Users.

2

Set the Ensure Consistent Set toggle to YES.

3

Set the Sync setting for the users to be deleted to OFF.

4

Click Delete next to the user to delete.

5

Click Review & Deploy to review your changes.

6

Review and approve your changes.

Ops Manager displays your proposed changes.

  1. If you are satisfied, click Confirm & Deploy.
  2. Otherwise, click Cancel and you can make additional changes.
7

Click Refresh to verify the desired users have been removed from your deployments.