Backports DOCSP-32346 to v4.4 (#4999)

erabil-mdb · web-flow · commit 2c6670423fc4 · 2023-10-11T13:42:28.000-04:00
* (DOCSP-32346) Revamps to include Atlas steps for Atlas Top 250 initiative. * Revises per copy review.
diff --git a/source/includes/steps-add-scram-user.yaml b/source/includes/steps-add-scram-user.yaml
@@ -0,0 +1,111 @@
+stepnum: 1
+title: Open the :guilabel:`Add New Database User` dialog.
+ref: go-users-view-manual
+content: |
+   a. In the :guilabel:`Security` section of the left navigation, click
+      :guilabel:`Database Access`. The :guilabel:`Database Users` tab
+      displays.
+
+   #. Click :icon-fa5:`plus` :guilabel:`Add New Database User`.
+---
+stepnum: 2
+title: Select :guilabel:`Password`.
+ref: scram-select-password-manual
+content: |
+  In the :guilabel:`Authentication Method` section of the :guilabel:`Add
+  New Database User` modal window, select the box labeled :guilabel:`Password`.
+---
+stepnum: 3
+title: Enter user information.
+ref: scram-enter-user-info-manual
+content: |
+  Under :guilabel:`Password Authentication`, there are two text fields.
+  
+  a. Enter a username for the new user in the top text field.
+
+  #. Enter a password for the new user in the lower text field.
+
+  To use a password auto-generated by {+atlas+},
+  click the :guilabel:`Autogenerate Secure Password` button.
+---
+stepnum: 4
+title: Assign privileges.
+ref: assign-user-privileges-manual
+content: |
+  Select the database user privileges. You can assign privileges to the new user
+  in one or more of the following ways:
+
+  - Select a :atlas:`built-in role </security-add-mongodb-users/#built-in-roles>` from the
+    :guilabel:`Built-in Role` dropdown menu. You can select one
+    built-in role per database user within the Atlas UI. If you delete the
+    default option, you can click :guilabel:`Add Built-in Role` to select a new built-in role.
+
+  - If you have any :atlas:`custom roles </security-add-mongodb-roles>` defined, you can expand
+    the :guilabel:`Custom Roles` section and select
+    one or more roles from the :guilabel:`Custom Roles` dropdown menu. Click
+    :guilabel:`Add Custom Role` to add more custom roles. You can also
+    click the :guilabel:`Custom Roles` link to see the custom
+    roles for your project.
+
+  - Expand the :guilabel:`Specific Privileges` section and select one or more
+    :atlas:`privileges </security-add-mongodb-users/#specific-privileges>` from the
+    :guilabel:`Specific Privileges` dropdown menu. Click
+    :guilabel:`Add Specific Privilege` to add more privileges. This assigns the
+    user specific privileges on individual databases and collections.
+
+  {+atlas+} can apply a built-in role, multiple custom roles, and multiple specific
+  privileges to a single database user. 
+  
+  To remove an applied role or privilege, click :icon-fa4:`trash-o`
+  :guilabel:`Delete` next to the role or privilege you wish to delete.
+
+  .. note::
+
+    {+atlas+} doesn't display the :icon-fa4:`trash-o` :guilabel:`Delete` icon
+    next to your :guilabel:`Built-in Role`, :guilabel:`Custom Role`, or
+    :guilabel:`Specific Privilege` selection if you selected only one option. You
+    can delete the selected role or privilege once you apply another role or privilege.
+     
+  For more information on authorization, see :ref:`Role-Based
+  Access Control <authorization>` and :ref:`Built-in
+  Roles <built-in-roles>`.
+---
+stepnum: 5
+title: Specify the resources in the project that the user can access.
+optional: true
+ref: restrict-resource-access-manual
+content: | 
+  By default, users can access all the clusters and 
+  :atlas:`federated database instances </data-federation/overview>` in the 
+  project. You can restrict access to specific clusters and federated database instances
+  by performing both of the following steps: 
+
+  a. Toggle :guilabel:`Restrict Access to Specific Clusters/Federated 
+     Database Instances` to :guilabel:`ON`.
+
+  #. Select the clusters and federated database instances to grant the user access to 
+     from the :guilabel:`Grant Access To` list.
+---
+stepnum: 6
+title: Save as temporary user.
+optional: true
+ref: save-temp-user-manual
+content: |
+  Toggle :guilabel:`Temporary User` to :guilabel:`On` and choose
+  a time after which {+atlas+} can delete the user from the
+  :guilabel:`Temporary User Duration` dropdown. You can select one of the
+  following time periods for the user to exist:
+
+  - 6 hours
+  - 1 day
+  - 1 week
+
+  In the :guilabel:`Database Users` tab, temporary users display
+  the time remaining until {+atlas+} will delete the user. Once
+  {+atlas+} deletes the user, any client or application that uses
+  the temporary user's credentials loses access to the cluster.
+---
+stepnum: 7
+title: Click :guilabel:`Add User`.
+ref: save-user-manual
+...
diff --git a/source/tutorial/create-users.txt b/source/tutorial/create-users.txt
@@ -17,6 +17,34 @@ Overview
 
 .. include:: /includes/intro-rbac.rst
 
+The user information on this page applies to deployments hosted in 
+all of the following environments unless specified otherwise:
+
+.. include:: /includes/fact-environments.rst
+
+{+atlas+} Limitations
+------------------------------
+
+The following limitations apply only to deployments hosted in
+{+atlas+}. If any of these limits present a problem for your organization, 
+contact :atlas:`Atlas support </support>`.
+
+* The available {+atlas+} :atlas:`built-in roles </security-add-mongodb-users/#std-label-atlas-user-privileges>` 
+  and :atlas:`specific privileges </security-add-mongodb-users/#std-label-atlas-specific-privileges>` 
+  support a subset of MongoDB commands. 
+  See :atlas:`Unsupported Commands in M10+ Clusters </unsupported-commands/#std-label-paid-tier-command-limitations>` 
+  for more information.
+
+* {+atlas+} supports a maximum of 100 database users per {+atlas+}
+  project. If you require more than 100 database users on a project,
+  contact :atlas:`Atlas support </support>`.
+
+* You must use the :atlas:`Atlas CLI </cli/stable/command/atlas-dbusers-create>`, 
+  :atlas:`Atlas Administration API </reference/api-resources-spec/v2/#tag/Database-Users>`, 
+  Atlas UI, or a supported :atlas:`integration </partner-integrations/#std-label-partner-integrations>` 
+  to add, modify, or delete database users on {+atlas+} database deployments.
+  Otherwise, {+atlas+} rolls back any user modifications.
+
 .. _add-user-prereq:
 
 Prerequisites
@@ -35,7 +63,75 @@ For routine user creation, you must possess the following permissions:
 
 .. include:: /includes/access-create-user.rst
 
+To create users for {+atlas+}, you must have
+:atlas:`Organization Owner </reference/user-roles/#mongodb-authrole-Organization-Owner>` 
+or :atlas:`Project Owner </reference/user-roles/#mongodb-authrole-Project-Owner>` 
+access to {+atlas+}. These roles are unique to {+atlas+} and are 
+separate from database users. 
+To learn more, see :atlas:`Atlas User Roles </reference/user-roles>`.
+
 .. _add-new-user:
+.. _create-user-procedure:
+
+Procedure
+---------
+
+.. note::
+
+   The following procedures use :ref:`authentication-scram`
+   authentication. For additional information on other authentication
+   mechanisms, see :ref:`create-users-examples`.
+
+Configure Database Users for {+atlas+}
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A {+atlas+} project can have users with different authentication methods.
+
+You cannot change a user's authentication method after creating that
+user. To use an alternative authentication method, you must create a
+new user.
+
+Configure database users for your {+atlas+} deployment who 
+use :ref:`authentication-scram` authentication:
+
+.. tabs::
+
+   .. tab:: Atlas CLI
+      :tabid: cli   
+
+      The Atlas CLI uses the following commands to create new database users and 
+      X.509 certificates. The options you specify determine the authentication method.
+
+      To create a database user for your project using the Atlas CLI, 
+      run the following command:
+
+      .. code-block:: sh
+
+         atlas dbusers create [builtInRole]... [options]
+
+      To create a new Atlas-managed X.509 certificate for the specified 
+      database user using the Atlas CLI, run the following command:
+
+      .. code-block:: sh
+
+         atlas dbusers certs create [options]
+
+      To learn more about the syntax and parameters for the previous commands, 
+      see the Atlas CLI documentation for 
+      :atlas:`atlas dbusers create </cli/stable/command/atlas-dbusers-create>` and
+      :atlas:`atlas dbusers certs create </cli/stable/command/atlas-dbusers-certs-create>`.
+
+      .. see:: Related Links
+
+         - :atlas:`Install the Atlas CLI </cli/stable/install-atlas-cli>`
+         - :atlas:`Connect to the Atlas CLI </cli/stable/connect-atlas-cli>`
+
+   .. tab:: Atlas UI
+      :tabid: ui
+
+      .. include:: /includes/steps/add-scram-user.rst
+
+.. _create-users-examples:
 
 Examples
 --------
@@ -128,6 +224,10 @@ with read-only access to the ``records`` database.
 :doc:`/tutorial/configure-ldap-sasl-openldap` provide more detail about
 using authenticating using LDAP.
 
+To learn more about setting up LDAP authentication for {+atlas+},
+see :atlas:`Add Database Users</security-add-mongodb-users/#add-database-users>` 
+in the {+atlas+} documentation.
+
 x.509 Client Certificate Authentication
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -154,6 +254,25 @@ user with read-only access to the ``records`` database.
        }
    )
 
-:doc:`/tutorial/configure-x509-client-authentication` provides details
-about setting up x.509 Client Certificate authentication for your
-MongoDB deployment.
+.. seealso::
+
+   For more information about setting up x.509 Client Certificate
+   authentication for your MongoDB deployment, see the following
+   tutorials:
+
+   - :doc:`/tutorial/configure-x509-client-authentication`
+
+   To learn more about setting up x.509 Client Certificate authentication for {+atlas+},
+   see :atlas:`Add Database Users</security-add-mongodb-users/#add-database-users>` 
+   in the {+atlas+} documentation.
+
+Next Steps
+----------
+
+To manage users, assign roles, and create custom roles for your
+self-hosted MongoDB Enterprise or MongoDB Community deployment, 
+see :doc:`/tutorial/manage-users-and-roles`.
+
+You can also :atlas:`manage users, assign roles </security-add-mongodb-users>`, 
+and :atlas:`create custom roles </security-add-mongodb-roles>` 
+for your {+atlas+} deployment.
