Docs Menu

Application Security

On this page

MongoDB Realm provides a variety of security features to protect your data and prevent unauthorized access to your application. This includes things like:

  • Built-in user management
  • Data access permissions
  • Network security features
  • The ability to store and substitute values and secrets

You can secure MongoDB Realm applications with built-in user management. With Realm's built-in user management, only authorized users can access your Realm app. You can delete or disable users, and revoke user sessions. Users can log in with:

You can enable one or more authentication providers in the Realm backend, and then implement them in your client code. You can also link user accounts with client SDKs.

Use MongoDB Realm data access rules to grant read and write access to data. Realm apps that use Realm Sync define data access permissions during the process of enabling Sync. Realm apps that do not use Sync can link an MongoDB Atlas data source, and define permissions to perform CRUD operations on that data source.

MongoDB data access rules prevent operations where users do not have appropriate permissions. Users who do not meet your data access rules cannot view or modify data.

When you enable Realm Sync, you specify the partition key that gives users access to data. You can define JSON expressions to give users read and write permissions for the partition.

When you access a synced Realm app from a client, you specify the partition value that the logged-in user can access. The user only has access to the partition key and value you define in your app. The user cannot read or write data whose partition key value does not match the conditions you specify when you configure Sync.

When you access MongoDB Atlas through MongoDB Realm, you can define roles that enable users to read and modify data. The MongoDB service uses a strict rules system that prevents all operations unless they are explicitly enabled.

When you define a role, you create a set of CRUD permissions that MongoDB Realm evaluates individually for each document associated with a query. You can set roles to have document-level or field-level access, and you can give roles read or read and write access. Realm blocks requests from roles that do not have permission to search or read data.

Note

When you access MongoDB Atlas through a Realm app with Realm Sync enabled, the permissions you defined for Sync apply. MongoDB does not apply role-based permissions when Realm Sync is enabled.

Every MongoDB Realm application is associated with a specific MongoDB Atlas organization and project. Realm determines the developer access permissions for a given MongoDB Cloud user based on their assigned project roles in the project that contains an app.

The following table describes the access permissions associated with a given project role:

Project Role
Access Permissions
Project Owner
Full read-write access for all Realm apps associated with the project.
All Other Roles
Read-only access for all Realm apps associated with the project.
Note

For more information about adding users and teams to Atlas, see Atlas Users and Teams.

MongoDB Realm utilizes a range of network security protocols to prevent unauthorized access to your data. This includes:

  • Using TLS to secure network requests to and from your application
  • Defining IP addreses from which all outbound requests originate
  • Letting you define URLs and IP addresses from which inbound requests may originate

MongoDB Realm uses TLS 1.3 to secure all network requests to and from your application, including:

The TLS certificate is pre-defined and cannot be customized or disabled.

MongoDB Realm only sends requests from the following IP addresses. You can copy this list to an allowlist on your firewall:

13.236.189.10
18.202.2.23
18.210.66.32
18.211.240.224
18.213.24.164
52.63.26.53
54.203.157.107
54.69.74.169
54.76.145.131
18.192.255.128
18.157.138.240
18.158.38.156
52.220.57.174
18.140.123.126
13.251.182.174
65.0.112.137
3.6.231.140
13.234.189.107

You can find this information in computer-friendly formats at these URLs:

JSON
https://docs.mongodb.com/realm-sdks/mongodb/RealmPublicIPs.json
CSV
https://docs.mongodb.com/realm-sdks/mongodb/RealmPublicIPs.csv

You can define this configuration option in the app-level realm_config.json file. This field accepts an array of URLs that incoming requests may originate from. If you define any allowed request origins, then Realm blocks any incoming request from an origin that is not listed.

MongoDB Realm allows client requests from the enabled entries in the app’s IP access list. Allowed requests will still use Realm's authentication and authorization rules. When you add IP access list entries, Realm blocks any request originating from an IP that is not on the access list.

Important

By default, any newly-created Realm app allows access from any client IP by adding an access list entry for 0.0.0.0/0. If you delete this entry, no client can access your Realm app from any IP address.

When you create an API key, you can specify IP addresses that can use this API key to access your project or organization. If you specify an IP address, Realm blocks any request originating from an IP address that is not on the access list.

MongoDB Realm enables you to define values and secrets that you can access or link to from your application. This enables you to remove deployment-specific configuration data and sensitive information from your app's business logic. Instead, you refer to it by name and Realm substitutes the value when executing your request.

  • Built-in user management handles authentication and ensures only logged-in users can access your Realm app.
  • Data access permissions enable you to specify read and write permissions for Realm Sync, linked MongoDB Atlas data sources, and developers building your apps.
  • Network security features enable you to guard against unauthorized access from unknown IP addresses or URLs.
  • Store values and secrets and refer to them by name to remove sensitive information from your business logic.
Give Feedback
MongoDB logo
© 2021 MongoDB, Inc.

About

  • Careers
  • Legal Notices
  • Privacy Notices
  • Security Information
  • Trust Center
© 2021 MongoDB, Inc.