PostgreSQL or MongoDB — pick one. Prisme.ai’s three structured-data stores (
users, permissions, collections) run on a single engine. The choice is per-deployment — you cannot mix Mongo and Postgres across these three.PostgreSQL is the recommended option for new deployments — cheaper managed offerings, broader ops know-how, and Entra ID / IAM passwordless auth on Azure. See PostgreSQL. MongoDB remains fully supported — pick it if you already run MongoDB at scale or have a strong team preference for it.Role in the platform
MongoDB holds three logical databases:users— user accounts and authentication metadata, plus all organization-level data: organizations themselves, memberships, groups, custom roles, API keys and service accounts. Used byprismeai-api-gateway.permissions— workspace-level access-control rules, roles and memberships (workspaces, pages, apps…). Used byprismeai-workspaces,prismeai-eventsandprismeai-runtime. Note: org-level RBAC lives inusers, not here.collections— workspace data, automation state and product collections. Used byprismeai-runtime.
Version compatibility
- Minimum: MongoDB 6+.
- 6.x and 7.x are supported and recommended for new deployments.
- Connection string format:
mongodb://user:password@host:port/databaseormongodb+srv://...for Atlas.
Recommended deployment
Topology: 3-node replica set. Multi-AZ for HA.
Minimum hardware: 2 vCPU, 2 GB RAM, 1000 IOPS.
Minimum disk: 10 GB per node, to grow with usage. By default, the three databases (
users, permissions, collections) live on a single shared cluster — keeps the initial deployment simple.
Under sustained high load, the auth path (
users + permissions, critical on every request) can be impacted by collections growth — these have very different access patterns. If a single cluster proves insufficient, split into two MongoDB clusters: one for users + permissions, one for collections. They can then be sized and backed up independently.Helm Configuration
Three Helm keys point to MongoDB in core helm values :prismeai-core-values.yml
url key with the MongoDB URI (ending with the database name, e.g. /permissions), and 2 optional fields user and password.
See Helm install for the full install context.
Least privileges
Prisme.ai needs two custom roles. See the MongoDB Atlas actions reference.Core role — for users and permissions
Required actions:
FIND,INSERT,REMOVE,UPDATECREATE_COLLECTION,CREATE_INDEX,RE_INDEX,LIST_INDEXES,DROP_INDEX,DROP_COLLECTIONRENAME_COLLECTION_SAME_DB,LIST_COLLECTIONSCOLL_STATS,COLL_MOD,COMPACT
Collections role — for collections
Same action list as Core role. Restrict the role to the collections database only.
Backup & restore
Backup with mongodump
mongodump.
Restore with mongorestore
Verify
Updates
- Required indexes are created automatically on service startup.
- Schema migrations run on backend startup — no manual step needed for minor upgrades.
- For major version jumps (e.g. 5 → 7), run the upgrade per-replica via the MongoDB / Atlas upgrade procedure. Snapshot first.
- Always back up before upgrading. See Operations / Updates.
Scaling
- Replica sets for read scaling: Prisme.ai backend uses primary writes; read preference is
primaryby default. To offload analytics queries, route them through a separate secondary. - Sharding: only for very large
collectionsdatasets. Adds operational complexity; engage Prisme.ai support before sharding. - Indexes: monitor slow queries (
db.collection.explain('executionStats')). The most common hotspots are user email lookups and per-workspace queries. - Resources: scale CPU and IOPS together — MongoDB is sensitive to disk latency.
MongoDB Atlas setup (AWS IRSA)
If you run MongoDB Atlas and want service accounts to authenticate via AWS IAM rather than password, follow this flow per environment. Three Atlas users are created — one per Prisme.ai backend role — each tied to its own IAM role via IRSA.1. Create two custom roles in Atlas
In Security → Database Access → Custom Roles:<tenant>—All collection actionson databases<tenant>-usersand<tenant>-permissions.<tenant>-collections—All collection actionson database<tenant>-collections.
2. Create three IRSA-backed Atlas users
In Database Access → Add new database user, choose AWS IAM → IAM Role and paste the role ARN for each backend:<tenant>-workspaces→ assign role<tenant>.<tenant>-events→ assign role<tenant>.<tenant>-api-gateway→ assign role<tenant>.
terraform output --raw workspaces_iam_role_arn (and the equivalent for events / api-gateway).
3. Store the connection URLs
In your secret manager (e.g. AWS Secrets Manager):<tenant>/permissions→url= cluster URL with thepermissionsdatabase name.<tenant>/api-gateway/users→url= cluster URL with theusersdatabase name.
4. Collections user (username/password)
The Collections app is hit byapps-prismeai-functions which is shared across tenants — IAM-per-pod isn’t an option. Create a standard user:
- Add new database user with username
<tenant>-collections, auto-generated password. - Assign the
<tenant>-collectionscustom role. - Restrict access to the collections cluster.
- Store the credentials in your secret manager (e.g.
<tenant>/appstore/collections.mongoURI) — full URL including username and password.