Right now Mongo Atlas allows you to assign two types of roles to all the users: Organization and Project, and for each set it gives you some predefined roles.

The problem with this is you can't have any kind of granular control of what permission is assigned to each user. (e.g. to allow a user to create a trigger through Mongo Stitch it needs the Project Owner role).

This is a major setback as I'm giving my coworkers more access than needed.

A good solution would be to have something like the database access control in this part so we can create our own custom roles to assign to he users.

Hello,

I think it would be a good idea to have team management at project level.
We have many projects and members in our Atlas account.
I'm a organization owner. The people in my organization use the Altas service. I create
a project for them and give my colleagues the project owner authorizations.

Project owners can invite other members. This is good. But it's a little inconsistent that
they are not able to create groups or teams within their projects They have to manage the permissions for each member separately.

We can't use organization teams, because they are located at the organizational level. Therefore, only the owner of an organization can create teams.
And only the owner of an organization can add or remove members from a team.

Currently Atlas only uses a single (flat) user group which only allows for 1 type of authentication per Organization.

However if Federated Authentication is enabled, the authentication mechanism in Atlas is bypassed for the IdP based on the domain name of the user and the configuration of Atlas Authentication.

This causes a problem if there are multiple groups of users who all share a domain name, some of whom are registered in an IdP, and some of whom are not registered in an IdP (for example users in 2 divisions of the same company).

In this scenario, users who are not registered in the IdP are not able to log in.

Proposed Solution:
Implement User Groups in Atlas with separate configuration settings, so that if 1 group enables Federated Authentication, they will not impact any other groups, even if they all share the same domain name in the user accounts.

When signing up with Email/Pwd, one of the options is to have the confirmation run through a function.
In that function, a call to an external email provider has been set up to use a template with a logo.

However, the "token" & "tokenId" parameters provided in the link are only valid for 30'.

This makes it likely for people to be too late to confirm their email address.

When calling "resendConfirmationLink", an email with a new link will indeed be sent out, but this is the standard MongoDB email. This request is to have this "resend" use the same function as the original confirmation.

Or, if possible, instead of having only "token, tokenId, username", also include a 4th parameter that could be either 'confirm' or 'resend'. This parameter could be used to use different email templates to indicate to the user that this is a "resend-email" rather than an "initial confirmation" to welcome the user.

Much like built-in roles have the ability to target all databases/any database, it would be ideal if collection actions could also target any database. Similarly to how, when adding collection actions to a custom role, if you leave the "collection" field blank, it applies to all collections in the specified DB, it would be great if you could leave the "database" field blank too (or add an "any database" option) and have the actions associated with the role be allowed on any database.

This feature gap creates unnecessary maintenance overhead for clusters with large numbers of databases. This is particularly impactful if databases are added/removed/migrated frequently, creating the need for frequent manual maintenance or some kind of API-based automation to keep the role updated so that the actions can be performed on all databases that currently exist on the cluster.