Atlas access management similar to Azure AD Privileged Identity Management (PIM)
Hello, we are looking for functionality that allows users to auto-promote or adjust their privileges based on the access needed.
For example: if user XYZ needs access to DB:123 he can elevate access himself to this db.
This would be similar to Azure Active Directory (Azure AD) Privileged Identity Management (PIM), a service offered by Microsoft as part of its Azure cloud platform. It helps organizations manage, control, and monitor access within their Azure AD environment, particularly for privileged accounts. These accounts have elevated permissions that can perform critical tasks, such as managing resources, configuring settings, or accessing sensitive data.
AdminIsabelle (Admin, MongoDB) commented
Thanks Will, you raise an important point. I'll comment on how a customer can set this up using PIM today (with notable constraints) as well as how we want to solve this more holistically on our roadmap.
Today, Atlas customers can achieve role elevations via their IdP with constraints. For Microsoft Entra ID (formerly Azure AD) PIM specifically: Atlas customers can set up SSO to Atlas with Microsoft Entra ID as their IdP, setting up role mapping connecting their IdP groups to Atlas roles. In Microsoft Entra ID, customers can enable PIM for Groups on the groups they are using for Atlas access. Then, their users can elevate their access to those groups before they authenticate to Atlas, and thus get access to the Atlas roles provided by those groups. The notable constraint here is that Atlas SSO currently supports JIT provisioning, meaning that a user provisioned from SSO can only be updated on login (including the group assignments that user has). This means that if the user's IdP group elevation expires after X minutes, this won't be updated in Atlas until they re-authenticate.
Looking forward, adding SCIM provisioning support to Atlas SSO is on our roadmap. SCIM provisioning means that any changes to users (including their group assignments) in their IdP gets automatically updated in Atlas. We'll make sure to consider assignment elevations in IdPs in our SCIM assessment.
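The constraint described in the comment above (a time-boxed group elevation that has already lapsed in the IdP but is still honoured by Atlas until the next login) is easier to see in a small model. The following is an added example written for this page, not MongoDB's or Microsoft's code: it simulates an IdP with PIM-style expiring group memberships, a JIT-on-login consumer and a SCIM-push consumer, and shows which roles each one reports after the elevation expires. All group names, role labels, user names and timings are constructed for illustration and are not real Atlas identifiers.

```python
"""Toy model: IdP group -> role mapping under JIT-on-login vs SCIM push.

Every group name, role label, user and timestamp below is constructed for
illustration; none of them is a real Atlas or Entra ID identifier.
"""
from dataclasses import dataclass, field

# Constructed mapping from IdP groups to roles in the relying application.
ROLE_MAPPING = {
    "atlas-readers": {"PROJECT_READ_ONLY"},
    "atlas-db-admins": {"PROJECT_DATA_ACCESS_ADMIN"},
}


@dataclass
class IdP:
    """Directory with permanent memberships and time-boxed (PIM-style) elevations."""
    permanent: dict = field(default_factory=dict)    # user -> set(groups)
    elevations: dict = field(default_factory=dict)   # (user, group) -> expiry time
    subscribers: list = field(default_factory=list)  # SCIM-style listeners

    def elevate(self, user, group, now, ttl):
        """User activates a group membership that lapses after ttl seconds."""
        self.elevations[(user, group)] = now + ttl
        self._notify(user, now)

    def groups_for(self, user, now):
        """Effective groups at time `now`: permanent plus still-valid elevations."""
        groups = set(self.permanent.get(user, set()))
        for (u, g), expiry in self.elevations.items():
            if u == user and now < expiry:
                groups.add(g)
        return groups

    def expire(self, now):
        """Drop elapsed elevations and push the change to SCIM listeners."""
        gone = [key for key, exp in self.elevations.items() if now >= exp]
        for key in gone:
            del self.elevations[key]
        for user in {u for u, _ in gone}:
            self._notify(user, now)

    def _notify(self, user, now):
        for sub in self.subscribers:
            sub.scim_update(user, self.groups_for(user, now))


def map_roles(groups):
    """Translate a set of IdP groups into application roles via ROLE_MAPPING."""
    roles = set()
    for g in groups:
        roles |= ROLE_MAPPING.get(g, set())
    return roles


@dataclass
class AppJIT:
    """Roles are recomputed only when the user authenticates (JIT on login)."""
    roles: dict = field(default_factory=dict)

    def login(self, idp, user, now):
        self.roles[user] = map_roles(idp.groups_for(user, now))

    def effective_roles(self, user):
        return self.roles.get(user, set())


@dataclass
class AppSCIM(AppJIT):
    """Same login path, plus an inbound update whenever the IdP changes."""

    def scim_update(self, user, groups):
        self.roles[user] = map_roles(groups)


def simulate():
    """Walk through elevate -> login -> expiry -> re-login and report each view."""
    idp = IdP(permanent={"alice": {"atlas-readers"}})
    jit, scim = AppJIT(), AppSCIM()
    idp.subscribers.append(scim)

    idp.elevate("alice", "atlas-db-admins", now=0, ttl=600)  # 10-minute elevation
    jit.login(idp, "alice", now=10)
    scim.login(idp, "alice", now=10)

    idp.expire(now=700)  # elevation has lapsed in the IdP
    result = {
        "jit_stale": jit.effective_roles("alice"),       # still holds the admin role
        "scim_current": scim.effective_roles("alice"),   # already reduced to reader
    }
    jit.login(idp, "alice", now=710)  # only re-authentication refreshes the JIT side
    result["jit_after_relogin"] = jit.effective_roles("alice")
    return result


if __name__ == "__main__":
    for key, roles in simulate().items():
        print(f"{key:18} {sorted(roles)}")
```

The gap between `jit_stale` and `scim_current` is the window the comment describes: with JIT-only provisioning, the effective expiry of an elevation is "PIM expiry or next re-authentication, whichever comes later", so monitoring and session lifetime on the relying side matter until SCIM push closes it.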