Docs 菜单

Authorize Users

You can add a database user to MongoDB using Workload Identity Federation. This approach enables your organization’s identity provider to manage user access, ensuring secure, centralized authentication for database operations.

注意

Your oidcIdentityProviders configuration determines the approach you must take to authorize users:

  • If the useAuthorizationClaim field is set to false to enable internal authorization, authorize users with user IDs.

  • If the field is set to true, authorize users with identity provider groups.

1

In the admin database, use the db.createRole() method to create roles that map the identity provider group roles to MongoDB roles.

Use the following format to create roles:

<authNamePrefix>/<authorizationClaim>

The oidcIdentityProviders parameter provides the authNamePrefix field and the authorizationClaim field. For example:

db.createRole( {
role: "okta/Everyone",
privileges: [ ],
roles: [ "readWriteAnyDatabase" ]
} )
1

When you create a user, you must create it in the $external database. To switch to the $external database, run the following command:

use $external
2

To create users and add them to your MongoDB database, use the db.createUser() command.

Use the following format for the user field, where the authNamePrefix and authorizationClaim values come from the oidcIdentityProviders parameter:

<authNamePrefix>/<authorizationClaim>

To create a user in MongoDB with the authNamePrefix of okta and an authorizationClaim of jane.doe, run the following:

db.createUser( {
user: "okta/jane.doe",
roles: [
{
role: "readWriteAnyDatabase",
db: "admin"
}
]
} )

You can connect an application to MongoDB using Workload Identity Federation with the following supported drivers: