(DOCSP-32330) Adds Atlas built-in role info to server docs (#4711) (#4744)

sarahsimpers · web-flow · commit 9eaf157d30ef · 2023-09-21T13:06:53.000-07:00
* (DOCSP-32330) Adds Atlas built-in role info to server docs * Adds Atlas section and refines intro * Changes heading levels
diff --git a/source/core/security-user-defined-roles.txt b/source/core/security-user-defined-roles.txt
@@ -16,6 +16,13 @@ MongoDB provides a number of :doc:`built-in roles
 </reference/built-in-roles>`. However, if these roles cannot describe the
 desired set of privileges, you can create new roles.
 
+.. note::
+
+   You can configure custom database roles in the UI for deployments
+   hosted in {+atlas+}. To learn more, see 
+   :atlas:`Configure Custom Database Roles 
+   </security-add-mongodb-roles>`.
+
 Role Management Interface
 -------------------------
 
diff --git a/source/reference/built-in-roles.txt b/source/reference/built-in-roles.txt
@@ -9,7 +9,7 @@ Built-In Roles
 .. contents:: On this page
    :local:
    :backlinks: none
-   :depth: 1
+   :depth: 2
    :class: singlecol
 
 MongoDB grants access to data and commands through :ref:`role-based
@@ -26,20 +26,82 @@ Each of MongoDB's built-in roles defines access at the database level for all
 *non*-system collections in the role's database and at the collection level
 for all :doc:`system collections </reference/system-collections>`.
 
-MongoDB provides the built-in :ref:`database user <database-user-roles>` and
-:ref:`database administration <database-administration-roles>` roles on
-*every* database. MongoDB provides all other built-in roles only on the
-``admin`` database.
-
 This section describes the privileges for each built-in role. You can also
 view the privileges for a built-in role at any time by issuing the
 :dbcommand:`rolesInfo` command with the ``showPrivileges`` and
 ``showBuiltinRoles`` fields both set to ``true``.
 
+Compatibility 
+-------------
+
+.. |page-topic| replace:: use built-in roles
+
+.. include:: /includes/fact-atlas-compatible.rst
+
+{+atlas+} deployments have different built-in roles than self-hosted
+deployments. See the following resources to learn more:
+
+- :ref:`atlas-built-in-roles`
+- :ref:`self-hosted-built-in-roles`
+
+.. _atlas-built-in-roles:
+
+{+atlas+} Built-In Roles
+-----------------------------
+
+You can assign the following built-in database user roles for
+deployments hosted in {+atlas+}:
+
+.. list-table::
+   :header-rows: 1
+
+   * - MongoDB Role
+     - Role Name in the {+atlas+} UI
+     - Inherited Roles or Privilege Actions
+
+   * - ``atlasAdmin``
+     - :guilabel:`Atlas admin`
+     -
+       - :authrole:`readWriteAnyDatabase`
+       - :authrole:`readAnyDatabase`
+       - :authrole:`dbAdminAnyDatabase`
+       - :authrole:`clusterMonitor`
+       - :authaction:`cleanupOrphaned`
+       - :authaction:`enableSharding`
+       - :authaction:`flushRouterConfig`
+       - :authaction:`moveChunk`
+       - :authaction:`viewUser`
+
+   * - ``readWriteAnyDatabase``
+     - :guilabel:`Read and write to any database`
+     -
+       - :authrole:`readWriteAnyDatabase`
+
+   * - ``readAnyDatabase``
+     - :guilabel:`Only read any database`
+     -
+       - :authrole:`readAnyDatabase`
+
+You can create database users and assign built-in roles in the
+{+atlas+} UI. To learn more, see :atlas:`Add Database Users </security-add-mongodb-users/#add-database-users>`.
+
+.. _self-hosted-built-in-roles:
+
+Self-Hosted Deployment Built-In Roles
+-------------------------------------
+
+MongoDB provides the following built-in roles for self-hosted
+deployments:
+
+- :ref:`Database user <database-user-roles>` and 
+  :ref:`database administration <database-administration-roles>` roles
+  on *every* database
+- All other roles only on the ``admin`` database
+
 .. _database-user-roles:
 
 Database User Roles
--------------------
+~~~~~~~~~~~~~~~~~~~
 
 Every database includes the following client roles:
 
@@ -90,7 +152,7 @@ Every database includes the following client roles:
 .. _database-administration-roles:
 
 Database Administration Roles
------------------------------
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Every database includes the following database administration roles:
 
@@ -212,7 +274,7 @@ Every database includes the following database administration roles:
 .. _admin-roles:
 
 Cluster Administration Roles
-----------------------------
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 .. include:: /includes/extracts/built-in-roles-cluster-admin-roles.rst
 
@@ -554,7 +616,7 @@ Cluster Administration Roles
 .. _backup-and-restore-roles:
 
 Backup and Restoration Roles
-----------------------------
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 .. include:: /includes/extracts/built-in-roles-backup-roles.rst
 
@@ -720,7 +782,7 @@ Backup and Restoration Roles
 .. _auth-any-database-roles:
 
 All-Database Roles
-------------------
+~~~~~~~~~~~~~~~~~~
 
 .. include:: /includes/extracts/built-in-roles-all-database-roles.rst
 
@@ -783,7 +845,7 @@ All-Database Roles
 .. _superuser:
 
 Superuser Roles
----------------
+~~~~~~~~~~~~~~~
 
 Several roles provide either indirect or direct system-wide superuser access.
 
@@ -810,7 +872,7 @@ The following role provides full privileges on all resources:
       collection in the ``config`` database.
 
 Internal Role
--------------
+~~~~~~~~~~~~~
 
 .. authrole:: __system
 
