diff --git a/lib/web/ui/server.go b/lib/web/ui/server.go
index 7532deeba380d..666a411804f01 100644
--- a/lib/web/ui/server.go
+++ b/lib/web/ui/server.go
@@ -349,19 +349,14 @@ type DatabaseInteractiveChecker interface {
 // MakeDatabase creates database objects.
 func MakeDatabase(database types.Database, accessChecker services.AccessChecker, interactiveChecker DatabaseInteractiveChecker, requiresRequest bool) Database {
 	var (
-		dbUsers []string
-		dbRoles []string
+		autoUserEnabled bool
+		dbUsers         []string
+		dbRoles         []string
 	)
 	dbNamesResult := accessChecker.EnumerateDatabaseNames(database)
-	dbNames := dbNamesResult.Allowed()
-	if dbNamesResult.WildcardAllowed() {
-		dbNames = append(dbNames, types.Wildcard)
-	}
+	dbNames, _ := dbNamesResult.ToEntities()
 	if res, err := accessChecker.EnumerateDatabaseUsers(database); err == nil {
-		dbUsers = res.Allowed()
-		if res.WildcardAllowed() {
-			dbUsers = append(dbUsers, types.Wildcard)
-		}
+		dbUsers, _ = res.ToEntities()
 	}
 	if roles, err := accessChecker.CheckDatabaseRoles(database, nil); err == nil {
 		// Avoid assigning empty slice to keep the resulting roles nil.
@@ -369,6 +364,9 @@ func MakeDatabase(database types.Database, accessChecker services.AccessChecker,
 			dbRoles = roles
 		}
 	}
+	if autoUser, err := accessChecker.DatabaseAutoUserMode(database); err == nil {
+		autoUserEnabled = database.IsAutoUsersEnabled() && autoUser.IsEnabled()
+	}
 
 	uiLabels := ui.MakeLabelsWithoutInternalPrefixes(database.GetAllLabels())
 
@@ -386,7 +384,7 @@ func MakeDatabase(database types.Database, accessChecker services.AccessChecker,
 		URI:                 database.GetURI(),
 		RequiresRequest:     requiresRequest,
 		SupportsInteractive: interactiveChecker.IsSupported(database.GetProtocol()),
-		AutoUsersEnabled:    database.IsAutoUsersEnabled(),
+		AutoUsersEnabled:    autoUserEnabled,
 	}
 
 	if database.IsAWSHosted() {
diff --git a/lib/web/ui/server_test.go b/lib/web/ui/server_test.go
index 6618a55766154..d6acbebd1bd5d 100644
--- a/lib/web/ui/server_test.go
+++ b/lib/web/ui/server_test.go
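Review bot: Both new `ToEntities()` calls in the first hunk discard their second result with `_` — once for `dbNames` and once for `dbUsers` — without a comment saying why, which Go style asks for on a deliberately ignored value. If the second value is the denied entity list (confirm against the `EnumerationResult.ToEntities` definition, which is outside this hunk), a one-line comment such as `// Only the allowed entities are surfaced in the UI; the denied list is intentionally dropped.` above the `dbNames` line would justify both discards. The body of MakeDatabase continues outside this hunk.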
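Review bot: In the second hunk, when `accessChecker.DatabaseAutoUserMode(database)` returns an error `autoUserEnabled` silently keeps its zero value, so the UI reports provisioning as disabled even for a database with it turned on; that is a reasonable fail-closed default and matches the `err == nil` pattern used for `dbUsers` above, but nothing states it. A comment on the new `if` such as `// On error fall back to reporting auto-user provisioning as disabled.` would record the intent. Since `database.IsAutoUsersEnabled()` is a local check on the resource, evaluating it before the access-checker call would also skip the role evaluation entirely when the database has provisioning off, without changing the result.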
@@ -622,6 +622,7 @@ func TestMakeDatabaseConnectOptions(t *testing.T) {
 		roles        services.RoleSet
 		db           *types.DatabaseV3
 		assertResult require.ValueAssertionFunc
+		username     string
 	}{
 		"names wildcard": {
 			db: makeTestDatabase(t, map[string]string{"env": "dev"}, false),
@@ -698,12 +699,14 @@ func TestMakeDatabaseConnectOptions(t *testing.T) {
 			},
 		},
 		"auto-user provisioning enabled": {
-			db: makeTestDatabase(t, map[string]string{"env": "dev"}, true),
+			db:       makeTestDatabase(t, map[string]string{"env": "dev"}, true),
+			username: "alice",
 			roles: services.NewRoleSet(&types.RoleV6{
 				Spec: types.RoleSpecV6{
 					Allow: types.RoleConditions{
 						Namespaces:     []string{apidefaults.Namespace},
 						DatabaseLabels: types.Labels{"*": []string{"*"}},
+						DatabaseUsers:  []string{"otheruser"},
 						DatabaseRoles:  []string{"myrole"},
 					},
 					Options: types.RoleOptions{
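Review bot: The new `DatabaseUsers: []string{"otheruser"}` line in the "auto-user provisioning enabled" case of the second hunk needs a comment, because the assertion for this case (in the following hunk) expects `[]string{"alice"}` and not `otheruser`, and the reason the role's database users do not appear is stated nowhere in the test. A comment such as `// Role-level database users should not be listed when auto-user provisioning is enabled; only the Teleport username is expected.` would make the case self-explanatory. The test-case table starts before this hunk and continues past it.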
@@ -713,13 +716,35 @@ func TestMakeDatabaseConnectOptions(t *testing.T) {
 			}),
 			assertResult: func(t require.TestingT, v interface{}, _ ...interface{}) {
 				db, _ := v.(Database)
-				require.ElementsMatch(t, []string{"myrole"}, db.DatabaseRoles)
 				require.True(t, db.AutoUsersEnabled)
+				require.ElementsMatch(t, []string{"alice"}, db.DatabaseUsers)
+				require.ElementsMatch(t, []string{"myrole"}, db.DatabaseRoles)
+			},
+		},
+		"auto-user provisioning at database but disabled on role": {
+			db:       makeTestDatabase(t, map[string]string{"env": "dev"}, true),
+			username: "alice",
+			roles: services.NewRoleSet(&types.RoleV6{
+				Spec: types.RoleSpecV6{
+					Allow: types.RoleConditions{
+						Namespaces:     []string{apidefaults.Namespace},
+						DatabaseLabels: types.Labels{"*": []string{"*"}},
+						DatabaseUsers:  []string{"*", "myuser"},
+					},
+					Options: types.RoleOptions{
+						CreateDatabaseUserMode: types.CreateDatabaseUserMode_DB_USER_MODE_OFF,
+					},
+				},
+			}),
+			assertResult: func(t require.TestingT, v interface{}, _ ...interface{}) {
+				db, _ := v.(Database)
+				require.False(t, db.AutoUsersEnabled)
+				require.ElementsMatch(t, []string{"*", "myuser"}, db.DatabaseUsers)
 			},
 		},
 	} {
 		t.Run(name, func(t *testing.T) {
-			accessChecker := services.NewAccessCheckerWithRoleSet(&services.AccessInfo{}, "clusterName", tc.roles)
+			accessChecker := services.NewAccessCheckerWithRoleSet(&services.AccessInfo{Username: tc.username}, "clusterName", tc.roles)
 			single := MakeDatabase(tc.db, accessChecker, interactiveChecker, false)
 			tc.assertResult(t, single)