AdminIsabelle (Admin, MongoDB)

My feedback

1 result found

  1. 4 votes

    1 comment  ·  Atlas » IAM
    AdminIsabelle (Admin, MongoDB) commented  · 

    Thanks Will, you raise an important point. I'll comment on how a customer can set this up using PIM today (with notable constraints) as well as how we want to solve this more holistically on our roadmap.

    Today, Atlas customers can achieve role elevations via their IdP with constraints. For Microsoft Entra ID (formerly Azure AD) PIM specifically: Atlas customers can set up SSO to Atlas with Microsoft Entra ID as their IdP, setting up role mapping connecting their IdP groups to Atlas roles. In Microsoft Entra ID, customers can enable PIM for Groups on the groups they are using for Atlas access. Then, their users can elevate their access to those groups before they authenticate to Atlas, and thus get access to the Atlas roles provided by those groups. The notable constraint here is that Atlas SSO currently supports JIT provisioning, meaning that a user provisioned from SSO can only be updated on login (including the group assignments that user has). This means that if the user's IdP group elevation expires after X minutes, this won't be updated in Atlas until they re-authenticate.

    Looking forward, adding SCIM provisioning support to Atlas SSO is on our roadmap. SCIM provisioning means that any changes to users (including their group assignments) in their IdP get automatically updated in Atlas. We'll make sure to consider assignment elevations in IdPs in our SCIM assessment.
