Compose Access Controls

About Compose Access Controls

Compose has an access control system based on roles. These roles are assigned at an account-wide level and at a deployment-wide level. Users can also be gathered into teams, and those teams can be given roles at the same levels.

Account Owner

The Account Owner can perform all administrative tasks, add users to and remove users from their account, and assign or change users' roles. The Owner role implicitly includes all of the other roles.

Changing the Account Owner

  1. Log into Compose as the current account owner.
  2. If the new account owner is not already a user on the account, add the new account owner as a user.
  3. On the Access page, tick the Owner box next to the new owner's name.
  4. Click the Save Changes button at the bottom of the page.

The new owner should then log in and disable the old owner's access if appropriate.


The controls for the access control system can be found on the Account view. There, the Users option allows users to be created for, and removed from, the account. New users are created without roles.


Example of Users view

Selecting Add User allows a new user to be added through this page:


Create User page

The email address will be sent an email with details on how to log in. Users are created without two-factor authentication (2FA) enabled and each user will have to enable it themselves. The state of 2FA is shown in the Users view.


The next menu item is Teams. This feature allows users to be gathered together so that they can be granted roles as a group. The account owner or admin can create a team and add users they have created to it. Users can belong to more than one team. Teams don't have roles when created.


Teams View

Selecting Add team brings up the following page:


Example Add Team page

Enter a team name and select the account users that are desired in the new team. Then click Create Team.

Managing Access and Roles

The next menu item is Access. Here you may grant teams and users different roles.


Account Roles

Users assigned a role will see different parts of your account based on that role's access level. A user or team may be assigned multiple roles. Likewise, the availability of certain functions, such as creating/destroying deployments, changing the credit card information, or adding/managing users will depend on the user's role.


Account Access, Deployment Access, and Database Access

These roles are applicable on the Compose Account level. There are other, more granular roles/permissions manageable at the deployment level as well as at the database/datastore level. More information for deployment access can be found on the Deployment Access Control page along with links to database-specific pages.

To adjust roles, a user has to have the Owner role. This role allows them to get to the Users, Teams and Access views. The Owner role can only be granted to a user, not to a team.

The access control system currently has five account-wide grantable roles: Owner (explained above), Enterprise Admin, Deployment Admin, Billing Manager, and Provisioner.

Enterprise Admin

An Enterprise Admin can create, update, and delete this account's Enterprise deployments. The role does not have permissions to view, create, or destroy standard Compose deployments, with the exception of MongoDB Classic deployments. It also cannot change, monitor, or see other users' access to the deployment, nor can it manage any of the billing settings.

Deployment Admin

A Deployment Admin has access to all of this account's deployments. The role grants permission to view and destroy existing deployments, but it cannot create new ones. It also cannot change, monitor, or see other users' access to the deployment, nor can it manage any of the billing settings.

Billing Manager

A Billing Manager has access to invoices and can modify payment information. It cannot do anything else related to deployments on the account with the exception of MongoDB Classic deployments.


Provisioner

A Provisioner can provision deployments on this account. They have full permissions over that new deployment. They do not have full permissions over deployments that they have not provisioned.


Owner

Owners can do everything on an account, including assigning the Owner role to other users.
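
The rules above (roles granted directly and through teams, Owner only on users, Owner including every other role, new users starting without 2FA) can be checked in a periodic access review. The following is an added example, not Compose code: the account data is constructed and its field names are assumptions, not a Compose export format.

```python
# Constructed access-review input; field names are assumptions, not a Compose export format.
ALL_ROLES = {"Owner", "Enterprise Admin", "Deployment Admin", "Billing Manager", "Provisioner"}

ACCOUNT = {
    "users": {
        "alice@example.com": {"roles": {"Owner"}, "two_factor": True},
        "bob@example.com": {"roles": {"Owner"}, "two_factor": False},  # previous owner, never disabled
        "carol@example.com": {"roles": set(), "two_factor": False},
        "dave@example.com": {"roles": {"Billing Manager"}, "two_factor": True},
        "erin@example.com": {"roles": set(), "two_factor": True},      # no roles, no teams
    },
    "teams": {
        "dbas": {"members": {"carol@example.com", "dave@example.com"}, "roles": {"Deployment Admin"}},
        "ops": {"members": {"carol@example.com"}, "roles": {"Provisioner", "Owner"}},
    },
}

def effective_roles(account, email):
    """Union of the user's own roles and the roles of every team they belong to."""
    roles = set(account["users"][email]["roles"])
    for team in account["teams"].values():
        if email in team["members"]:
            # Owner is user-only, so a team entry carrying it is ignored here and reported by review().
            roles |= team["roles"] - {"Owner"}
    # Owner implicitly includes all of the other roles.
    return set(ALL_ROLES) if "Owner" in roles else roles

def review(account):
    """Return sorted (finding, subject) pairs for an access review."""
    findings = []
    for name, team in account["teams"].items():
        if "Owner" in team["roles"]:
            findings.append(("owner-role-on-team", name))
    owners = [e for e, u in account["users"].items() if "Owner" in u["roles"]]
    if len(owners) > 1:  # e.g. the old owner was not disabled after an ownership change
        findings += [("multiple-owners", e) for e in owners]
    for email, user in account["users"].items():
        if effective_roles(account, email) and not user["two_factor"]:
            findings.append(("role-without-2fa", email))
    return sorted(findings)

if __name__ == "__main__":
    for finding, subject in review(ACCOUNT):
        print(f"{finding:20} {subject}")
```

Note that carol@example.com holds no direct roles, so only the team-aware calculation shows that she is a role holder without 2FA.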
