Two-tiered model for authentication
The BI Connector facilitates large numbers (1000s) of "personal data marts" by acting as a controlled go-between connecting end-user tools like Tableau to a "main" data collection. It is not practical or even desirable to have pass-through authentication of all these users to the backend MongoDB database.

Instead, the BI Connector could use a special collection in a MongoDB instance (not necessarily the target!) to hold SHA(password), name, and the equivalent of the YAML config. When started, mongosqld would verify the command-line inputs of SHA(password), name, context, etc. and, if OK, would exec an appropriately password-protected endpoint at 3307 with the config already loaded from the special collection. Security is still end-to-end enabled, but now it becomes MUCH easier to manage many users because the capability scope has been both narrowed to read-only and expanded via the config.

The config should also be stored as real MongoDB data, not YAML. In this way, the config itself is easily queryable. I can ask "what users are having customer ABC123 filtered out between date 1 and 2" or "when did user X have an initial setup" or "lock out users X and Y", etc.

It is "almost" possible to do this now, but too much information is exposed in getting configs, and I do not think there is a practical way to expose an endpoint that is password-protected for a single user. The pass-through auth would force me to actually create that user on the target DB, and that is what I want to avoid.

If you're wondering, this whole thing would sit behind a self-service "warehouse data service" website. If entitled, the service would fire up a Docker container with mongosqld and the additional info required for it to hit the special collection as described above. After a successful launch, the site would say "congrats; you now have a MySQL endpoint at machine:3307. Please connect using your name and password."
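A sketch of the launch check and the config queries the request describes, added here as an illustration; it is not part of the original request and not BI Connector code. The field names, the choice of SHA-256 for SHA(password), and the in-memory list standing in for the special collection are all assumptions.

```python
import hashlib
import hmac
from datetime import date

def sha_hex(password: str) -> str:
    # The request says SHA(password); SHA-256 is assumed here. A registry that
    # holds password verifiers would normally use a salted, slow hash instead.
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample documents standing in for the "special collection".
REGISTRY = [
    {"name": "alice", "pw_sha": sha_hex("alice-pw"), "locked": False,
     "created": date(2017, 3, 1),
     "filters": [{"customer": "ABC123",
                  "from": date(2017, 3, 1), "to": date(2017, 6, 30)}]},
    {"name": "bob", "pw_sha": sha_hex("bob-pw"), "locked": True,
     "created": date(2017, 4, 2), "filters": []},
]

def authorize_launch(registry, name, supplied_sha):
    """Return the per-user config if name and digest match and the user is
    not locked out; otherwise None (the endpoint must not be started)."""
    doc = next((d for d in registry if d["name"] == name), None)
    # Unknown names are compared against a dummy digest so the check takes
    # the same path whether or not the name exists.
    expected = doc["pw_sha"] if doc else "0" * 64
    match = hmac.compare_digest(expected.encode(), supplied_sha.encode())
    if doc is None or not match or doc["locked"]:
        return None
    return {"name": doc["name"], "read_only": True, "filters": doc["filters"]}

def users_filtering(registry, customer, start, end):
    """'What users are having customer X filtered out between date 1 and 2':
    names with a filter on `customer` overlapping [start, end]."""
    return sorted({d["name"] for d in registry for f in d["filters"]
                   if f["customer"] == customer
                   and f["from"] <= end and f["to"] >= start})

def lock_out(registry, names):
    """'Lock out users X and Y': later launch attempts are refused."""
    for d in registry:
        if d["name"] in names:
            d["locked"] = True
```

Against a real deployment the two helper queries would be ordinary finds and updates on the registry collection; the comparison logic in `authorize_launch` is the part that belongs in the launcher.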