Atlas MongoDB Users Page has Confusing Role Assignment
There is currently some confusion that has been introduced in the UI regarding the “old” way of specifying namespace-level roles and the “new” way that is used when using custom roles in Atlas.
Let's say I create a user, hi
, with the readWrite
default role on funkydb
:
https://cl.ly/bf42cae9383b/Image%202019-02-27%20at%2010.21.46%20AM.png
And create a separate MongoDB user, hi_again
, assigned the funkydbreadwrite
custom role (which is defined the same way, with the readWrite
default role on funkydb
):
https://cl.ly/0b0b1ee50722/Image%202019-02-27%20at%2010.22.48%20AM.png
These two roles are essentially the same, but the UI in the MongoDB Users tab renders them differently:
https://cl.ly/5cc211e2c7d7/Image%202019-02-27%20at%2010.19.40%20AM.png
In the example described above, the @admin
and @funkydb
portions in the "MongoDB Roles" column seemingly have different definitions even though both are functionally the same.
A few suggestions for improving the UI:
- Have all user roles specified with
@admin
in the MongoDB Users tab, that way there is no confusion with regards to where these role definitions are stored (in theadmin
database). Any references to@namespace
other than@admin
should not be used in the MongoDB Users’ “MongoDB Roles” tab (https://cl.ly/a4a7fa3710f1/Image%202019-02-27%20at%204.28.31%20PM.png). The current UI implies that these users are stored on that database, which we know not to be the case. - Custom roles should be linked in the "MongoDB Users" tab to the actual Custom Roles that is is referring to (https://cl.ly/014f6e327dd0/Image%202019-02-27%20at%204.29.22%20PM.png), or at the very least to the "MongoDB Roles" tab. For extra clarity, the modal should actually pop up for that custom role to give the user the full picture of what that role does.
- I've always found calling out the namespace in the MongoDB Users tab if they were defined with a default role through the old UI (by clicking "Add Default Privileges" in the modal window) to be confusing, especially given that we now have custom roles that specify
@admin
by default. We should probably have an additional column in the MongoDB Users tab that notes which namespaces the role in question is scoped to, to make it more explicit. As in the prior suggestion, the "MongoDB Roles" column would still be changed to@admin
in all instances, and this would be a new column to indicate which namespaces the role is being applied to.
There may be some aspects of this that I overlooked, however the current implementation leaves a lot to be desired, and can be difficult to reason about from just looking at it from the customer side of things.