Read and Read/Write Privileges with Secondary Users on Azure Cosmos DB for MongoDB vCore (Preview)
Azure Cosmos DB for MongoDB vCore now supports secondary users with specialized read-write roles. This feature enables secondary users to access and modify data, making it easier to delegate responsibilities while enhancing data security. By allowing granular access control, teams can confidently extend data access to various stakeholders, such as developers and analysts, without compromising system integrity.
Configuring Secondary Users
Note
You can enable/disable this feature by using an ARM template or via Azure CLI during the preview phase.
Using Azure CLI
az resource patch --ids "/subscriptions/{SubscriptionId}/resourceGroups/{ResourceGroup}/providers/Microsoft.DocumentDB/mongoClusters/{ClusterName}" --api-version 2024-10-01-preview --properties "{\"previewFeatures\": [\"GeoReplicas\", \"EnableReadOnlyUser\"]}"
Using ARM template
"previewFeatures": {
    "value": [
        "EnableReadOnlyUser"
    ]
}
Supported commands and examples
Azure Cosmos DB for MongoDB vCore now supports Role-Based Access Control (RBAC) for secondary users with read and write privileges. This lets administrators assign roles that grant secondary users access to databases for essential read operations while protecting the integrity of primary data.
Note
You can use any of the MongoDB drivers or mongotools such as mongosh to perform these operations.
Authenticate and perform operations via Mongosh
mongosh "mongodb+srv://<YOUR_USERNAME>:<YOUR_PASSWORD>@<YOUR_HOST>/?tls=true&authMechanism=SCRAM-SHA-256&retrywrites=false&maxIdleTimeMS=120000"
Note
Make sure you allowlist your client IP under the networking settings on Azure portal.
CreateUser
Creates a new user on the database where you run the command. The createUser command returns a duplicate user error if the user already exists.
Data Admin Role
use admin
db.runCommand(
  {
    createUser: "yourUserName",
    pwd: "yourPassword",
    roles: [
      { role: "clusterAdmin", db: "admin" },
      { role: "readWriteAnyDatabase", db: "admin" }
    ]
  }
)
ReadOnly Role
use admin
db.runCommand(
  {
    createUser: "yourUserName",
    pwd: "yourPassword",
    roles: [
      { role: "readAnyDatabase", db: "admin" }
    ]
  }
)
Update User
Updates a user on the database where you run the command. The updateUser command supports only updating the password.
use admin
db.runCommand(
  {
    updateUser: "<username>",
    pwd: "<new cleartext password>"
  }
)
Drop User
Removes the user from the database on which you run the command.
use admin
db.runCommand(
  {
    dropUser: "<username>"
  }
)
List Users
Returns information about one or more users. You can also pass a single user name to usersInfo; in that case it returns information about that user, including its roles.
use admin
db.runCommand(
  {
    usersInfo: 1
  }
)
Limitations
- You can create up to 10 users/roles per cluster. If you have a requirement to add more users, please open a support ticket.
- The updateUser command now only supports password updates and cannot modify other object fields.
- The rolesInfo command is not supported in preview. Alternatively, you can use usersInfo.
- RBAC support for assigning roles to specific databases or collections is not yet supported.