AdminIsabelle
(Admin, MongoDB)
AdminIsabelle (Admin, MongoDB) supported this idea and commented:
Thanks Will, you raise an important point. I'll comment on how a customer can set this up using PIM today (with notable constraints) as well as how we want to solve this more holistically on our roadmap.
Today, Atlas customers can achieve role elevations via their IdP with constraints. For Microsoft Entra ID (formerly Azure AD) PIM specifically: Atlas customers can set up SSO to Atlas with Microsoft Entra ID as their IdP, setting up role mapping connecting their IdP groups to Atlas roles. In Microsoft Entra ID, customers can enable PIM for Groups on the groups they are using for Atlas access. Then, their users can elevate their access to those groups before they authenticate to Atlas, and thus get access to the Atlas roles provided by those groups. The notable constraint here is that Atlas SSO currently supports JIT provisioning, meaning that a user provisioned from SSO can only be updated on login (including the group assignments that user has). This means that if the user's IdP group elevation expires after X minutes, this won't be updated in Atlas until they re-authenticate.
Looking forward, adding SCIM provisioning support to Atlas SSO is on our roadmap. SCIM provisioning means that any changes to users (including their group assignments) in their IdP get automatically updated in Atlas. We'll make sure to consider assignment elevations in IdPs in our SCIM assessment.
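To make the JIT-provisioning constraint concrete, here is an added Python model (not MongoDB's or Microsoft's code) of an IdP holding a PIM-style timed group elevation and an Atlas side that only recomputes its role mapping at login; `stale_roles` is the between-logins reconciliation check an administrator would want to run until SCIM closes the gap. Group names, the Atlas role identifiers in the mapping, and the timestamps are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed IdP-group -> Atlas-project-role mapping, as configured in Atlas SSO.
ROLE_MAPPING = {
    "atlas-project-readonly": "GROUP_READ_ONLY",
    "atlas-project-owner-pim": "GROUP_OWNER",
}


@dataclass
class IdpUser:
    """IdP view of a user: group name -> elevation expiry (None = permanent)."""
    groups: dict

    def active_groups(self, now):
        return {g for g, exp in self.groups.items() if exp is None or exp > now}


@dataclass
class AtlasUser:
    """Atlas view of a JIT-provisioned user: roles are refreshed only on login."""
    roles: set = field(default_factory=set)
    last_login: datetime = None


def mapped_roles(idp_user, now):
    return {ROLE_MAPPING[g] for g in idp_user.active_groups(now) if g in ROLE_MAPPING}


def jit_login(atlas_user, idp_user, now):
    """Simulate Atlas SSO JIT provisioning: the mapping is applied at authentication only."""
    atlas_user.roles = mapped_roles(idp_user, now)
    atlas_user.last_login = now
    return set(atlas_user.roles)


def stale_roles(atlas_user, idp_user, now):
    """Roles Atlas still grants although the backing IdP group elevation has expired."""
    return atlas_user.roles - mapped_roles(idp_user, now)


def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    # Permanent read-only membership plus a one-hour PIM elevation into the owner group.
    idp = IdpUser(groups={"atlas-project-readonly": None,
                          "atlas-project-owner-pim": t0 + timedelta(hours=1)})
    atlas = AtlasUser()
    at_login = jit_login(atlas, idp, t0)
    later = t0 + timedelta(hours=2)          # elevation has expired in the IdP by now
    stale = stale_roles(atlas, idp, later)   # ...but Atlas still holds GROUP_OWNER
    after_relogin = jit_login(atlas, idp, later)
    return at_login, stale, after_relogin
```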
Hi all, we’re happy to introduce three new Atlas Project roles:
Project Backup Manager: Manage database resiliency without being able to make broader infrastructure changes or access Data Explorer. https://www.mongodb.com/docs/atlas/reference/user-roles/#mongodb-authrole-Project-Backup-Manager
Project Observability Viewer: Utilize performance and ops monitoring tools without being able to manage infrastructure, configurations, or access data ad hoc via the Data Explorer. https://www.mongodb.com/docs/atlas/reference/user-roles/#mongodb-authrole-Project-Observability-Viewer
Project Database Access Admin: Manage database access without being able to manage infrastructure, configurations, or access Data Explorer. https://www.mongodb.com/docs/atlas/reference/user-roles/#mongodb-authrole-Project-Database-Access-Admin
These three roles address some of the frequently mentioned use cases in this thread that formerly required the Project Owner role. As we are still working towards continuously granulating our Atlas RBAC, including more built-in roles as well as the ability to create custom roles with granular permissions, we’d also like to hear which use cases we still need to address. Feel free to keep adding your feedback to this feedback thread. Thank you!