==========================
db.grantPrivilegesToRole()
==========================

.. default-domain:: mongodb

.. contents:: On this page
   :local:
   :backlinks: none
   :depth: 1
   :class: singlecol

Definition
----------

.. method:: db.grantPrivilegesToRole ( rolename, privileges, writeConcern )

   Grants additional :ref:`privileges <privileges>` to a :ref:`user-defined
   <user-defined-roles>` role.

   The :method:`db.grantPrivilegesToRole()` method uses the following syntax:

   .. code-block:: javascript

      db.grantPrivilegesToRole(
          "< rolename >",
          [
              { resource: { <resource> }, actions: [ "<action>", ... ] },
              ...
          ],
          { < writeConcern > }
      )

   The :method:`db.grantPrivilegesToRole()` method takes the following arguments:

   .. list-table::
      :header-rows: 1
      :widths: 20 20 80

      * - Parameter
        - Type
        - Description

      * - ``rolename``
        - string
        - The name of the role to grant privileges to.

      * - ``privileges``
        - array
        - The privileges to add to the role. For the format of a privilege, see
          :data:`~admin.system.roles.privileges`.

      * - ``writeConcern``
        - document
        - Optional. The level of :doc:`write concern </reference/write-concern>` for the
          modification. The ``writeConcern`` document takes the same
          fields as the :dbcommand:`getLastError` command.

   The :method:`db.grantPrivilegesToRole()` method can grant one or more
   privileges. Each ``<privilege>`` has the following syntax:

   .. code-block:: javascript

      { resource: { <resource> }, actions: [ "<action>", ... ] }

   .. |local-cmd-name| replace:: :method:`db.grantPrivilegesToRole()`

   The :method:`db.grantPrivilegesToRole()` method wraps the
   :dbcommand:`grantPrivilegesToRole` command.

Behavior
--------

Replica set
~~~~~~~~~~~

.. |command| replace:: :method:`db.grantPrivilegesToRole()`

.. include:: /includes/fact-management-methods-write-concern.rst

Scope
~~~~~

Except for roles created in the ``admin`` database, a role can only
include privileges that apply to its own database.

A role created in the ``admin`` database can include privileges that
apply to the ``admin`` database, other databases or to the
:ref:`cluster <resource-cluster>` resource.

Required Access
---------------

.. include:: /includes/access-grant-privileges.rst

Example
-------

The following :method:`db.grantPrivilegesToRole()` operation grants two
additional privileges to the role ``inventoryCntrl01``, which exists on the
``products`` database. The operation is run on that database:

.. code-block:: javascript

   use products
   db.grantPrivilegesToRole(
       "inventoryCntrl01",
       [
           {
               resource: { db: "products", collection: "" },
               actions: [ "insert" ]
           },
           {
               resource: { db: "products", collection: "system.js" },
               actions: [ "find" ]
           }
       ],
       { w: "majority" }
   )

The first privilege permits users with this role to perform the
``insert`` :ref:`action <security-user-actions>` on all collections of
the ``products`` database, except the :doc:`system collections
</reference/system-collections>`. To access a system collection, a
privilege must explicitly specify the system collection in the resource
document, as in the second privilege.
The second privilege permits users with this role to perform the
:authaction:`find` :ref:`action <security-user-actions>` on the
``products`` database's system collection named :data:`system.js
<<database>.system.js>`.
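The Scope rule above and the system-collection caveat in this example are easy to get wrong when a privileges array is assembled by a script rather than typed by hand. The following JavaScript is an added example, not part of the MongoDB documentation or of the server code: it checks a proposed ``privileges`` array against the role's database before the grant is attempted, warns when a privilege names a system collection explicitly, and then assembles the ``grantPrivilegesToRole`` command document that ``db.grantPrivilegesToRole()`` wraps. The function names (``describeResource``, ``checkPrivileges``, ``buildGrantCommand``) and the sample privilege arrays are constructed for this example; only the ``{ db, collection }`` and ``{ cluster: true }`` resource forms described on this page are recognised, and any other resource shape is rejected as a conservative assumption.

```javascript
// Added example (not from the MongoDB docs or server): pre-flight check of a
// privileges array against the Scope rule for db.grantPrivilegesToRole(),
// plus construction of the grantPrivilegesToRole command document it wraps.

const SYSTEM_PREFIX = "system.";

// Classify one resource document. Only the two forms the page describes are
// accepted: { db, collection } and { cluster: true }. Anything else (including
// shapes this example does not model) is reported as "unknown" so that an
// unexpected resource cannot slip through the check (conservative assumption).
function describeResource(resource) {
  if (resource && resource.cluster === true) {
    return { kind: "cluster" };
  }
  if (
    resource &&
    typeof resource.db === "string" &&
    typeof resource.collection === "string"
  ) {
    return {
      kind: "collection",
      db: resource.db,
      collection: resource.collection,
      // collection: "" covers only non-system collections; a system collection
      // is reachable only when it is named explicitly, as in the page's example.
      isSystem: resource.collection.startsWith(SYSTEM_PREFIX),
    };
  }
  return { kind: "unknown" };
}

// Apply the Scope rule: a role created outside the admin database may hold
// privileges on its own database only; a role in admin may hold privileges on
// admin, on other databases, or on the cluster resource.
// Returns { ok, errors, warnings } so the caller can refuse or review the grant.
function checkPrivileges(roleDb, privileges) {
  const errors = [];
  const warnings = [];
  if (!Array.isArray(privileges) || privileges.length === 0) {
    errors.push("privileges must be a non-empty array");
    return { ok: false, errors, warnings };
  }
  privileges.forEach((priv, i) => {
    const where = `privileges[${i}]`;
    if (!Array.isArray(priv.actions) || priv.actions.length === 0) {
      errors.push(`${where}: actions must be a non-empty array of action names`);
    }
    const res = describeResource(priv.resource);
    if (res.kind === "unknown") {
      errors.push(`${where}: unsupported resource document ${JSON.stringify(priv.resource)}`);
      return;
    }
    if (roleDb !== "admin") {
      if (res.kind === "cluster") {
        errors.push(`${where}: cluster resource requires a role defined in the admin database`);
      } else if (res.db !== roleDb) {
        errors.push(`${where}: role in '${roleDb}' cannot hold privileges on db '${res.db || "<any>"}'`);
      }
    }
    if (res.kind === "collection" && res.isSystem) {
      warnings.push(`${where}: grants access to system collection '${res.db}.${res.collection}'`);
    }
  });
  return { ok: errors.length === 0, errors, warnings };
}

// Build the command document that db.grantPrivilegesToRole() sends to the
// server, but only after the scope check passes; otherwise throw with every
// problem found so the caller sees the whole list at once.
function buildGrantCommand(roleDb, rolename, privileges, writeConcern) {
  const result = checkPrivileges(roleDb, privileges);
  if (!result.ok) {
    throw new Error(`refusing to grant: ${result.errors.join("; ")}`);
  }
  const cmd = { grantPrivilegesToRole: rolename, privileges };
  if (writeConcern !== undefined) {
    cmd.writeConcern = writeConcern;
  }
  return cmd;
}

// Constructed sample input: the two privileges from the page's example for the
// inventoryCntrl01 role in 'products', and two that the Scope rule forbids for
// any role that does not live in the admin database.
const inventoryPrivileges = [
  { resource: { db: "products", collection: "" }, actions: ["insert"] },
  { resource: { db: "products", collection: "system.js" }, actions: ["find"] },
];
const overreachingPrivileges = [
  { resource: { db: "accounts", collection: "" }, actions: ["find"] },
  { resource: { cluster: true }, actions: ["shutdown"] },
];
```

Run ``checkPrivileges("products", inventoryPrivileges)`` before the grant: it passes with one warning about ``products.system.js``, while the same call with ``overreachingPrivileges`` fails on both entries, and ``checkPrivileges("admin", overreachingPrivileges)`` passes, mirroring the Scope section. The document returned by ``buildGrantCommand`` is what the shell method sends, so it can also be issued directly with ``db.runCommand()`` from the role's database if the script is loaded into ``mongosh``.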