Read and Read/Write Privileges with Secondary Users on Azure Cosmos DB for MongoDB vCore (Preview)

Azure Cosmos DB for MongoDB vCore now supports secondary users with built-in read-only and read/write roles. Secondary users let you delegate data access to developers, analysts and applications without sharing the cluster's administrative credentials: each login is bound to the operations its role permits, so a read-only user cannot modify data even if its password is exposed. Note that in the preview the roles apply cluster-wide (all databases); scoping a role to a single database or collection is not yet available (see Limitations).

Configuring Secondary Users

Note

During the preview you enable or disable this feature by setting the EnableReadOnlyUser preview flag on the cluster, either with an ARM template or with the Azure CLI.

Using Azure CLI

    az resource patch --ids "/subscriptions/{SubscriptionId}/resourceGroups/{ResourceGroup}/providers/Microsoft.DocumentDB/mongoClusters/{ClusterName}" --api-version 2024-10-01-preview --properties "{\"previewFeatures\": [\"GeoReplicas\", \"EnableReadOnlyUser\"]}"

The previewFeatures value is written as a whole list, so include every preview feature that should remain enabled on the cluster, not only EnableReadOnlyUser (the example above keeps GeoReplicas). Drop GeoReplicas if your cluster does not use it.

Using ARM template

    "previewFeatures": {
        "value": [
            "EnableReadOnlyUser"
        ]
    }

Supported commands and examples

Azure Cosmos DB for MongoDB vCore now supports role-based access control (RBAC) for secondary users with read-only or read/write privileges. An administrator authenticated with the cluster's admin credentials creates the secondary users and assigns them a built-in role; a read-only user can query any database on the cluster but cannot insert, update or delete documents, which keeps analytics and reporting logins from being able to change production data.

Note

You can run these commands with any MongoDB driver or with MongoDB tools such as mongosh.

Authenticate and perform operations via mongosh

    mongosh "mongodb+srv://<YOUR_USERNAME>:<YOUR_PASSWORD>@<YOUR_HOST>/?tls=true&authMechanism=SCRAM-SHA-256&retrywrites=false&maxIdleTimeMS=120000"

Quote the connection string so the shell does not interpret the & characters, and percent-encode the username and password if they contain characters such as @, : or / that are reserved in the URI.

Note

Make sure your client IP address is allowlisted under the cluster's networking settings in the Azure portal; otherwise the connection is refused before authentication.

CreateUser

Creates a new user on the database where you run the command. The createUser command returns a duplicate user error if the user already exists. Run it while connected with the administrative (primary) user. In mongosh you can supply pwd: passwordPrompt() instead of a literal password so the secret does not end up in the shell history.

Data Admin Role

The combination of clusterAdmin and readWriteAnyDatabase grants read and write access to every database on the cluster plus cluster administration operations. Reserve it for operators who genuinely need to change data.

use admin
db.runCommand(
    {
        createUser:"yourUserName",
        pwd : "yourPassword",
        roles : [
            { role:"clusterAdmin",db:"admin" },
            { role:"readWriteAnyDatabase", db:"admin" }
        ]
    }
)

ReadOnly Role

readAnyDatabase grants read access to every database on the cluster and nothing else; use it for reporting, analytics and other consumers that must never modify data.

use admin
db.runCommand(
    {
        createUser:"yourUserName",
        pwd : "yourPassword",
        roles : [
            { role:"readAnyDatabase",db:"admin" }
        ]
    }
)

Update User

Updates a user on the database where you run the command. In the preview the updateUser command supports only changing the password; to change a user's roles, drop the user and create it again.

use admin
db.runCommand(
    {
        updateUser:"<username>",
        pwd : "<new cleartext password>"
    }
)

Drop User

Removes the user from the database on which you run the command.

use admin
db.runCommand(
    {
        dropUser:"<username>"
    }
)

List Users

Returns information about the users on the database. usersInfo: 1 lists all users; passing a single user name instead (usersInfo: "<username>") returns that user together with its assigned roles.

use admin
db.runCommand(
    {
        usersInfo:1
    }
)
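The commands above provision the users but do not show how to confirm that a new login really is read-only. The following helpers are an added example written for this page, not code from the Microsoft documentation: they build the connection string from the page with the credentials percent-encoded, assemble the createUser documents for the two role bundles shown above, and probe a session authenticated as the secondary user to check that a read succeeds and a write is refused. The function and variable names are the author's own, the probe uses the mongosh shell API (db.getSiblingDB / getCollection), and the check assumes MongoDB's convention that a denied operation fails with error code 13 (Unauthorized).

```javascript
// Added example for this page (not from the Azure Cosmos DB docs). Runs under
// plain Node.js for the pure helpers; verifyReadOnly expects a mongosh `db`
// handle (or any object with the same getSiblingDB/getCollection shape).

// Role bundles the page documents for the preview. Both are cluster-wide:
// per-database or per-collection scoping is not available yet.
const ROLE_BUNDLES = {
  readOnly: [{ role: "readAnyDatabase", db: "admin" }],
  dataAdmin: [
    { role: "clusterAdmin", db: "admin" },
    { role: "readWriteAnyDatabase", db: "admin" },
  ],
};

// Connection string from the page, with the credentials percent-encoded so a
// password containing '@', ':' or '/' cannot corrupt the host part of the URI.
function buildConnectionUri(host, username, password) {
  if (!host || !username || !password) {
    throw new Error("host, username and password are required");
  }
  const user = encodeURIComponent(username);
  const pwd = encodeURIComponent(password);
  return `mongodb+srv://${user}:${pwd}@${host}/?tls=true` +
    "&authMechanism=SCRAM-SHA-256&retrywrites=false&maxIdleTimeMS=120000";
}

// createUser command document, to be run against the admin database as the
// administrative user: db.getSiblingDB("admin").runCommand(createUserCommand(...)).
function createUserCommand(username, password, bundle) {
  const roles = ROLE_BUNDLES[bundle];
  if (!roles) throw new Error(`unknown role bundle: ${bundle}`);
  if (typeof password !== "string" || password.length < 12) {
    throw new Error("password must be at least 12 characters (local policy assumed)");
  }
  return { createUser: username, pwd: password, roles: roles.map((r) => ({ ...r })) };
}

// MongoDB reports a denied operation as error code 13 / codeName "Unauthorized".
function isUnauthorized(err) {
  return Boolean(err) && (err.code === 13 || err.codeName === "Unauthorized");
}

// Least-privilege probe for a read-only login. `dbHandle` must belong to a
// session authenticated AS THE SECONDARY USER, not the admin. A read must
// succeed and a write must be refused; anything else is reported as unexpected.
async function verifyReadOnly(dbHandle, dbName, collName) {
  const coll = dbHandle.getSiblingDB(dbName).getCollection(collName);
  const result = { canRead: false, writeDenied: false, unexpected: null };
  try {
    await coll.findOne({});
    result.canRead = true;
  } catch (err) {
    result.unexpected = err;
    return result;
  }
  try {
    const inserted = await coll.insertOne({ probe: "readonly-verification", at: new Date() });
    // Reached only if the write was accepted: the user is over-privileged.
    // Remove the probe document so the check leaves no trace in the collection.
    await coll.deleteOne({ _id: inserted.insertedId });
  } catch (err) {
    if (isUnauthorized(err)) result.writeDenied = true;
    else result.unexpected = err;
  }
  return result;
}

// mongosh usage, connected as the read-only user:
//   const r = await verifyReadOnly(db, "sales", "orders"); printjson(r)
// Expected for a correctly provisioned user: canRead true, writeDenied true.
```

Run the probe as part of onboarding each secondary user and again after any role change; a result with writeDenied false means the login can modify data and should be dropped and recreated with the intended role.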

Limitations

  • You can create up to 10 users/roles per cluster. If you need more users, open a support ticket.
  • The updateUser command currently supports only password updates and cannot modify other fields such as roles.
  • The rolesInfo command is not supported in the preview. Use usersInfo instead to see the roles assigned to a user.
  • RBAC support for assigning roles to specific databases or collections is not yet supported; roles apply to all databases on the cluster.