==========
createRole
==========
.. default-domain:: mongodb

.. contents:: On this page
   :local:
   :backlinks: none
   :depth: 1
   :class: singlecol

Definition
----------

.. dbcommand:: createRole

   Creates a role and specifies its :ref:`privileges <privileges>`.
   The role applies to the database on which you run the command. The
   :dbcommand:`createRole` command returns a *duplicate role* error if
   the role already exists in the database.

   The :dbcommand:`createRole` command uses the following syntax:

   .. code-block:: javascript

      { createRole: "<new role>",
        privileges: [
          { resource: { <resource> }, actions: [ "<action>", ... ] },
          ...
        ],
        roles: [
          { role: "<role>", db: "<database>" } | "<role>",
          ...
        ],
        authenticationRestrictions: [
          {
            clientSource: ["<IP>" | "<CIDR range>", ...],
            serverAddress: ["<IP>" | "<CIDR range>", ...]
          },
          ...
        ],
        writeConcern: <write concern document>
      }

   The :dbcommand:`createRole` command has the following fields:

   .. list-table::
      :header-rows: 1
      :widths: 20 20 80

      * - Field
        - Type
        - Description

      * - ``createRole``
        - string
        - The name of the new role.

      * - ``privileges``
        - array
        - The privileges to grant the role. A privilege consists of a resource
          and permitted actions. For the syntax of a privilege, see the
          :data:`~admin.system.roles.privileges` array.

          You must include the ``privileges`` field. Use an
          empty array to specify *no* privileges.

      * - ``roles``
        - array
        - An array of roles from which this role inherits privileges.

          You must include the ``roles`` field. Use an empty array to specify
          *no* roles to inherit from.

      * - ``authenticationRestrictions``
        - array
        - Optional.

          .. include:: /includes/fact-auth-restrictions-role-desc.rst

      * - ``writeConcern``
        - document
        - Optional. The level of :doc:`write concern </reference/write-concern>`
          to apply to this operation. The ``writeConcern`` document uses the
          same fields as the :dbcommand:`getLastError` command.

   .. |local-cmd-name| replace:: :dbcommand:`createRole`

Roles
~~~~~

.. include:: /includes/fact-roles-array-contents.rst

Authentication Restrictions
~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. include:: /includes/fact-auth-restrictions-array-contents.rst

Behavior
--------

A role's privileges apply to the database where the role is created. The
role can inherit privileges from other roles in its database. A role
created on the ``admin`` database can include privileges that apply to all
databases or to the :ref:`cluster <resource-cluster>` and can inherit
privileges from roles in other databases.

Required Access
---------------

.. include:: /includes/access-create-role.rst

Example
-------

The following :dbcommand:`createRole` command creates the
``myClusterwideAdmin`` role on the ``admin`` database:

.. code-block:: javascript

   db.adminCommand({ createRole: "myClusterwideAdmin",
     privileges: [
       { resource: { cluster: true }, actions: [ "addShard" ] },
       { resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert", "remove" ] },
       { resource: { db: "users", collection: "usersCollection" }, actions: [ "update", "insert", "remove" ] },
       { resource: { db: "", collection: "" }, actions: [ "find" ] }
     ],
     roles: [
       { role: "read", db: "admin" }
     ],
     writeConcern: { w: "majority" , wtimeout: 5000 }
   })
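The following Node.js script is an added example and is not part of the MongoDB documentation or the server. It is an offline pre-flight check for a ``createRole`` command document, meant to run before the document is handed to ``db.runCommand()`` or ``db.adminCommand()``. It encodes the constraints stated on this page (``privileges`` and ``roles`` are mandatory, empty arrays allowed; ``authenticationRestrictions`` entries carry ``clientSource``/``serverAddress`` arrays of IPs or CIDR ranges; only a role on ``admin`` may hold cluster-wide or all-database privileges or inherit from roles on other databases) and additionally flags a privilege whose resource spans every database as a least-privilege review point. The function names ``isIpOrCidr``, ``checkCreateRole`` and ``pageExample``, the wording of the findings, and the IPv4-only address check are this example's own assumptions; it does not reproduce the server's actual error messages.

```javascript
// Added example (not MongoDB's code): offline pre-flight check of a createRole
// command document, run under Node.js before sending it to the server.
// Rules come from the createRole reference page; finding texts, the IPv4-only
// address check and all function names are this example's own.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for a dotted-quad IPv4 address, optionally with a /prefix (CIDR) suffix.
// (MongoDB also accepts IPv6; this example's check is limited to IPv4.)
function isIpOrCidr(s) {
  if (typeof s !== "string") return false;
  const [addr, prefix, extra] = s.split("/");
  if (extra !== undefined) return false;
  const m = IPV4_RE.exec(addr);
  if (!m || !m.slice(1).every((octet) => Number(octet) <= 255)) return false;
  return prefix === undefined || (/^\d{1,2}$/.test(prefix) && Number(prefix) <= 32);
}

// Checks `cmd` as if it were run against database `targetDb`.
// errors: conditions the page says are required or confined to admin;
// warnings: review points for whoever designs the role.
function checkCreateRole(cmd, targetDb) {
  const errors = [];
  const warnings = [];
  const onAdmin = targetDb === "admin";

  if (typeof cmd.createRole !== "string" || cmd.createRole === "") {
    errors.push("createRole must be a non-empty role name");
  }
  if (!Array.isArray(cmd.privileges)) errors.push("privileges is required (use [] for none)");
  if (!Array.isArray(cmd.roles)) errors.push("roles is required (use [] to inherit nothing)");

  const privileges = Array.isArray(cmd.privileges) ? cmd.privileges : [];
  privileges.forEach((p, i) => {
    const r = p && p.resource;
    if (!r || typeof r !== "object" || !Array.isArray(p.actions) || p.actions.length === 0) {
      errors.push(`privileges[${i}]: needs a resource document and a non-empty actions array`);
      return;
    }
    const clusterWide = r.cluster === true || r.anyResource === true;
    const allDbs = r.db === "";
    const otherDb = typeof r.db === "string" && r.db !== "" && r.db !== targetDb;
    // Behavior section: only a role on admin may reach beyond its own database.
    if (!onAdmin && (clusterWide || allDbs || otherDb)) {
      errors.push(`privileges[${i}]: a role on "${targetDb}" may only hold privileges on that database`);
    }
    // Least-privilege review point: actions granted on every database.
    if (r.anyResource === true || (allDbs && r.collection === "")) {
      warnings.push(`privileges[${i}]: resource spans every database; [${p.actions.join(", ")}] granted everywhere`);
    }
  });

  const roles = Array.isArray(cmd.roles) ? cmd.roles : [];
  roles.forEach((ro, i) => {
    // A bare "<role>" string names a role on the same database as the new role.
    const name = typeof ro === "string" ? ro : ro && ro.role;
    const db = typeof ro === "string" ? targetDb : ro && ro.db;
    if (typeof name !== "string" || typeof db !== "string") {
      errors.push(`roles[${i}]: expected "<role>" or { role: "<role>", db: "<database>" }`);
    } else if (!onAdmin && db !== targetDb) {
      errors.push(`roles[${i}]: a role on "${targetDb}" may only inherit from roles on that database`);
    }
  });

  if (cmd.authenticationRestrictions === undefined) {
    warnings.push("no authenticationRestrictions: no client or server address limits apply");
  } else if (!Array.isArray(cmd.authenticationRestrictions)) {
    errors.push("authenticationRestrictions must be an array");
  } else {
    cmd.authenticationRestrictions.forEach((ar, i) => {
      if (!ar || typeof ar !== "object") {
        errors.push(`authenticationRestrictions[${i}]: expected a document`);
        return;
      }
      for (const key of ["clientSource", "serverAddress"]) {
        if (ar[key] !== undefined && !(Array.isArray(ar[key]) && ar[key].every(isIpOrCidr))) {
          errors.push(`authenticationRestrictions[${i}].${key}: expected an array of IPs or CIDR ranges`);
        }
      }
    });
  }

  if (cmd.writeConcern !== undefined && (typeof cmd.writeConcern !== "object" || cmd.writeConcern === null)) {
    errors.push("writeConcern must be a document");
  }
  return { errors, warnings };
}

// The page's own example, as the document it passes to db.adminCommand().
const pageExample = {
  createRole: "myClusterwideAdmin",
  privileges: [
    { resource: { cluster: true }, actions: ["addShard"] },
    { resource: { db: "config", collection: "" }, actions: ["find", "update", "insert", "remove"] },
    { resource: { db: "users", collection: "usersCollection" }, actions: ["update", "insert", "remove"] },
    { resource: { db: "", collection: "" }, actions: ["find"] },
  ],
  roles: [{ role: "read", db: "admin" }],
  writeConcern: { w: "majority", wtimeout: 5000 },
};

console.log(JSON.stringify(checkCreateRole(pageExample, "admin"), null, 2));
```

Run against the page's example on ``admin``, the check reports no errors and two warnings: the fourth privilege grants ``find`` on every database, and the role carries no ``authenticationRestrictions``. Run the same document as if on the ``users`` database, the cluster privilege, the ``config`` privilege, the all-database privilege and the inherited ``admin`` role are each reported as errors, which is the Behavior section's rule made checkable before the command reaches the server.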