- Security >
- Enable Authentication for an Ops Manager Project >
- Manage MongoDB Users and Roles >
- Manage MongoDB Users
Manage MongoDB Users¶
On this page
When you select an Authentication Mechanism for your Ops Manager project, this enables access control for all managed deployments in your Ops Manager project.
With access control enabled, clients must authenticate to the MongoDB process as MongoDB users. Once authenticated, these users only have privileges granted by their assigned roles. You can assign MongoDB’s built-in roles to a user as well as custom roles.
You can create MongoDB users before or after enabling accessing control, but your MongoDB instances do not require user credentials if access control is not enabled.
Important
MongoDB users are separate from Ops Manager users. MongoDB users have access to MongoDB databases, while Ops Manager users access the Ops Manager application itself.
Considerations¶
Managed Users and Roles¶
Any users or roles you choose to manage in an Ops Manager project have their
Synced value set to Yes
and are synced to all deployments in
the project.
Any users or roles you do not choose to manage in an Ops Manager project have their
Synced value set to No
and exist only in their respective
MongoDB deployments.
Note
If you toggle Synced to OFF
after import, any users
or roles you create are deleted.
Consistent Users and Roles¶
Ops Manager has two modes of user and role management that depend upon the value of Enforce Consistent Set:
- Enforce Consistent Set is
YES
In this mode, all deployments that the Ops Manager project manages have the same set of MongoDB users and roles; specifically, all users and roles that the Ops Manager project manages.
Only the MongoDB users and roles that the Ops Manager project manages, that is Synced value set to
Yes
, can exist in the project’s managed deployments. Any users and roles that the Ops Manager project does not manage project are deleted from these deployments.- Enforce Consistent Set is
NO
In this mode, deployments that the Ops Manager project manages can have different sets of MongoDB users and roles, including MongoDB users and roles not managed through the Ops Manager project. To manage these users and roles, you must connect directly to the MongoDB deployment.
Users and roles that the Ops Manager project manages, where Synced value set to
Yes
, are created in all deployments the Ops Manager project manages. Users and roles that the Ops Manager project does not manage, where Synced value set toNo
, exist only in the specific deployment.Note
Enforce Consistent Set set to
NO
is the default setting.
To learn how importing MongoDB deployments can affect managing users and roles, see Automation and Updated Security Settings Upon Import.
Add One MongoDB User¶
Click Deployment, then Security, then Users.¶
Click the Add New User button.¶
Complete the user account fields.¶
Field | Description |
---|---|
Identifier |
Together, the database and username uniquely identify the user. Though the user has just one authentication database, the user can have privileges on other databases. You grant those privileges when assigning the user roles. If you are authenticating with an external system, like
Kerberos or an LDAP server, add users to the
|
Roles | Enter any available user-defined roles and built-in roles into this box. The combo box provides a list of existing roles when you click in it. |
Password | Enter the user’s password. Important If you specified |
Authentication Restrictions |
|
Click Add User.¶
Click Review & Deploy to review your changes.¶
Click Confirm & Deploy to deploy your changes.¶
Otherwise, click Cancel and you can make additional changes.
Edit One MongoDB User Details¶
Click Deployment, then Security, then Users.¶
On the line for the desired user, click Edit.¶
Edit the user’s information.¶
Field | Description |
---|---|
Identifier | These values cannot be edited. |
Roles | Enter any available user-defined roles and built-in roles into this box. The combo box provides a list of existing roles when you click in it. To remove a role, click the |
Password | Enter the user’s password. Important If you specified |
Authentication Restrictions | To add an authentication restriction:
To remove an authentication restriction:
|
Click Save Changes.¶
Click Review & Deploy to review your changes.¶
Click Confirm & Deploy to deploy your changes.¶
Otherwise, click Cancel and you can make additional changes.
Manage or Unmanage MongoDB Users¶
Click Deployment, then Security, then Users.¶
Click Refresh to discover any unmanaged users in your deployments.¶
This shows all MongoDB users present in all managed deployments for the Ops Manager project and any potential conflicts.
Select users to manage or unmanage.¶
Set the Sync switch to Yes
for each MongoDB user you
want Ops Manager to manage. To manage all MongoDB users for the Ops Manager project, click the
Sync All link.
Set the Sync switch to No
to unmanage the MongoDB
user.
Current Sync State | New Sync State | What Changes |
---|---|---|
NO |
YES |
Ops Manager now manages the user. Note If there are any potential conflicts with other discovered users, you will be presented with the option to resolve conflicts. |
YES |
NO |
Ops Manager no longer manages the user. Warning If Ensure Consistent Set is Note If Ensure Consistent Set is |
Click Review & Deploy to review your changes.¶
Click Confirm & Deploy to deploy your changes.¶
Otherwise, click Cancel and you can make additional changes.
Click Refresh to verify the desired users have been removed from your deployments.¶
Remove a MongoDB User¶
The following procedure deletes the MongoDB user from all the project’s managed MongoDB deployments. See also Manage or Unmanage MongoDB Users.
Click Deployment, then Security, then Users.¶
Set the Ensure Consistent Set toggle to YES
.¶
Set the Sync setting for the users to be deleted to OFF
.¶
Click Delete next to the user to delete.¶
Click Review & Deploy to review your changes.¶
Click Confirm & Deploy to deploy your changes.¶
Otherwise, click Cancel and you can make additional changes.