Updated on 2023-05-25 GMT+08:00

Creating and Managing Roles

Creating a Role

db.createRole(role, writeConcern)

  • role is mandatory and its type is document. The details are as follows:
    {
      role: "<name>",
      privileges: [
         { resource: { <resource> }, actions: [ "<action>", ... ] },
         ...
      ],
      roles: [
         { role: "<role>", db: "<database>" } | "<role>",
          ...
      ],
      authenticationRestrictions: [
        {
          clientSource: ["<IP>" | "<CIDR range>", ...],
          serverAddress: ["<IP>" | "<CIDR range>", ...]
        },
        ...
      ]
    }

    Parameter description

    • role (string): Role name.
    • privileges (array): Mandatory. Each element is a privilege, that is, a resource document paired with the actions allowed on it. Pass an empty array [] if the role should carry no privileges of its own.
      • resource (document): The resource the actions apply to. { db: "<database>", collection: "<collection>" } names one collection; an empty string for collection means every collection in that database, an empty string for db means that collection in every database, and { db: "", collection: "" } means every collection in every database. { cluster: true } names the whole deployment and is used for cluster-wide actions.
      • actions (array): The operations permitted on the resource. Common actions are as follows:
        • find
        • count
        • getMore
        • listDatabases
        • listCollections
        • listIndexes
        • insert
        • update
        • remove

        For more actions, see the official document.
    • roles (array): Mandatory. Each element is a role from which this role inherits privileges; pass [] to inherit nothing. Elements can be built-in roles such as read or readWrite, or user-defined roles. A bare "<role>" string refers to a role in the database the new role is created in; use { role: "<role>", db: "<database>" } for a role defined in another database.
    • authenticationRestrictions (array): Optional. Restricts where a user who holds this role may connect from and to. clientSource lists the client IP addresses or CIDR ranges from which the user is allowed to authenticate; serverAddress lists the server addresses the client may connect to. A connection that matches none of the listed entries is refused even when the credentials are correct.

  • writeConcern specifies the write concern level of a command.
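Before running db.createRole it is worth checking the role document against the rules above, both for shape (the fields MongoDB rejects) and for scope (grants wider than the role needs). The following is an added example, not code from the original page or from the product it documents: a small Node.js checker for a createRole document. The role it reviews is constructed for the example, the known-action list is an assumption (the page's common actions plus a few others), and address checking covers IPv4 addresses and CIDR ranges only.

```javascript
// Added example (not from the original page): check a createRole document
// against the field rules above and flag grants wider than least privilege
// needs. Runs under Node.js with no MongoDB connection; the sample role is
// constructed and only IPv4 addresses and CIDR ranges are handled (assumption).

// Actions the page lists as common plus a few other routinely granted ones;
// anything else is reported so a misspelled action does not slip through.
const KNOWN_ACTIONS = new Set([
  "find", "count", "getMore", "listDatabases", "listCollections", "listIndexes",
  "insert", "update", "remove", "createCollection", "createIndex", "dropCollection",
]);

// Built-in roles whose inheritance deserves a second look.
const ADMIN_ROLES = ["root", "dbOwner", "userAdmin", "userAdminAnyDatabase"];

// True when s is a dotted-quad IPv4 address, optionally with a /0-/32 prefix.
function isIpOrCidr(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/.exec(String(s));
  if (!m) return false;
  return m.slice(1, 5).every((o) => Number(o) <= 255) && (m[5] === undefined || Number(m[5]) <= 32);
}

// Validates a role document; returns { errors, warnings }. errors mean the
// document is malformed, warnings mean it is valid but broader than needed.
function reviewRoleDocument(role) {
  const errors = [];
  const warnings = [];
  if (typeof role.role !== "string" || role.role === "") errors.push("role: name must be a non-empty string");

  if (!Array.isArray(role.privileges)) {
    errors.push("privileges: mandatory array (use [] for none)");
  } else {
    role.privileges.forEach((p, i) => {
      const where = `privileges[${i}]`;
      const r = p.resource;
      if (r === null || typeof r !== "object") {
        errors.push(`${where}: resource must be a document`);
      } else if (r.cluster === true) {
        warnings.push(`${where}: cluster-wide resource`);
      } else if (typeof r.db !== "string" || typeof r.collection !== "string") {
        errors.push(`${where}: resource needs string fields db and collection, or { cluster: true }`);
      } else if (r.db === "" && r.collection === "") {
        warnings.push(`${where}: applies to every collection in every database`);
      } else if (r.collection === "") {
        warnings.push(`${where}: applies to every collection in db "${r.db}"`);
      } else if (r.db === "") {
        warnings.push(`${where}: applies to collection "${r.collection}" in every database`);
      }
      if (!Array.isArray(p.actions) || p.actions.length === 0) {
        errors.push(`${where}: actions must be a non-empty array`);
      } else {
        for (const a of p.actions) {
          if (!KNOWN_ACTIONS.has(a)) warnings.push(`${where}: action "${a}" is not in the known list; check spelling`);
        }
      }
    });
  }

  if (!Array.isArray(role.roles)) {
    errors.push("roles: mandatory array (use [] to inherit nothing)");
  } else {
    role.roles.forEach((r, i) => {
      const name = typeof r === "string" ? r : r && r.role;
      if (typeof name !== "string") errors.push(`roles[${i}]: must be "<role>" or { role: "<role>", db: "<database>" }`);
      else if (ADMIN_ROLES.includes(name)) warnings.push(`roles[${i}]: inherits administrative role "${name}"`);
    });
  }

  const restrictions = role.authenticationRestrictions;
  if (restrictions !== undefined) {
    if (!Array.isArray(restrictions)) errors.push("authenticationRestrictions: must be an array when present");
    else restrictions.forEach((ar, i) => {
      for (const key of ["clientSource", "serverAddress"]) {
        if (ar[key] === undefined) continue;
        if (!Array.isArray(ar[key])) { errors.push(`authenticationRestrictions[${i}].${key}: must be an array`); continue; }
        for (const addr of ar[key]) {
          if (!isIpOrCidr(addr)) errors.push(`authenticationRestrictions[${i}].${key}: "${addr}" is not an IPv4 address or CIDR range`);
        }
      }
    });
  }
  return { errors, warnings };
}

// Constructed sample: a reporting role meant to read only two collections.
const reportingRole = {
  role: "orderReporting",
  privileges: [
    { resource: { db: "sales", collection: "orders" }, actions: ["find", "count", "listIndexes"] },
    { resource: { db: "sales", collection: "" }, actions: ["find"] },      // wider than intended
    { resource: { db: "sales", collection: "audit" }, actions: ["fnid"] }, // misspelled action
  ],
  roles: [],
  authenticationRestrictions: [{ clientSource: ["10.20.0.0/16", "10.20.1.300"] }],
};

console.log(reviewRoleDocument(reportingRole));
```

For the constructed role the checker reports one error (the malformed client address) and two warnings: the second privilege covers every collection in the sales database, and the third grants an action that does not exist, which MongoDB would reject at creation time anyway but which is easier to spot here. Only a document with no errors should be passed to db.createRole; warnings call for a decision about whether the wider grant is really intended.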

Updating a Role

db.grantPrivilegesToRole(rolename,privileges,writeConcern)

db.revokePrivilegesFromRole(rolename,privileges,writeConcern)

The preceding commands grant additional privileges to a role or revoke privileges from it. Both are incremental: privileges that are not named in the call are left as they are.

  • rolename specifies the name of the role to be updated. This parameter is mandatory.
  • privileges indicates the permissions to be adjusted for the role.
    db.grantPrivilegesToRole(
        "< rolename >",
        [
            { resource: { <resource> }, actions: [ "<action>", ... ] },
            ...
        ],
        { < writeConcern > }
    )
    Table 1 privileges description

    • resource (document): The resource the actions apply to, in the same form as for createRole: { db: "<database>", collection: "<collection>" } or { cluster: true }.
    • actions (array): The operations to grant or revoke on the resource. For details, see the description of createRole.

In addition to the preceding commands, updateRole can also be used to update role information.

db.updateRole(role, update, writeConcern)

Table 2 Parameter description

• role (string): Role name.
• update (document): Mandatory. A document containing at least one of privileges, roles and authenticationRestrictions, with the same meaning as in the command for creating a role. Each field that is present replaces the role's existing value for that field completely, so an update that lists only the privileges to be added drops the ones already granted; fields that are omitted are left unchanged. Use grantPrivilegesToRole and revokePrivilegesFromRole for incremental changes.
• writeConcern (document): Specifies the write concern level of the command.
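The difference between the incremental commands and updateRole is easy to get wrong, and the result is either a role that silently loses access or one that keeps privileges an administrator believed were removed. The following is an added example, not code from the original page or from the product it documents: an in-memory model of how grantPrivilegesToRole, revokePrivilegesFromRole and updateRole change a role's privileges, with a diff so a change can be previewed before it is applied. The merging behaviour (actions added to or removed from the entry for the same resource, entries with no actions left dropped) is modelled here as an assumption; the starting role and the change are constructed.

```javascript
// Added example (not from the original page): an in-memory model of how
// the three update commands change a role's privileges, so a change can be
// previewed before it is applied with mongosh.  Semantics modelled (assumption):
//   grantPrivilegesToRole    - adds actions to the entry for the same resource
//   revokePrivilegesFromRole - removes those actions; drops an entry left empty
//   updateRole               - replaces each supplied field outright
// No MongoDB connection is needed; the role and the change below are constructed.

// Stable string key for a resource document so entries can be matched.
function resourceKey(res) {
  return res.cluster === true ? "cluster" : `${res.db}.${res.collection}`;
}

// Deep copy so callers can compare before and after states.
function clone(obj) {
  return JSON.parse(JSON.stringify(obj));
}

// Models db.grantPrivilegesToRole(name, privileges): additive per resource.
function grantPrivileges(role, privileges) {
  const out = clone(role);
  for (const p of privileges) {
    const key = resourceKey(p.resource);
    let entry = out.privileges.find((e) => resourceKey(e.resource) === key);
    if (!entry) {
      entry = { resource: clone(p.resource), actions: [] };
      out.privileges.push(entry);
    }
    for (const a of p.actions) if (!entry.actions.includes(a)) entry.actions.push(a);
  }
  return out;
}

// Models db.revokePrivilegesFromRole(name, privileges): subtractive per resource.
function revokePrivileges(role, privileges) {
  const out = clone(role);
  for (const p of privileges) {
    const key = resourceKey(p.resource);
    const entry = out.privileges.find((e) => resourceKey(e.resource) === key);
    if (!entry) continue;
    entry.actions = entry.actions.filter((a) => !p.actions.includes(a));
  }
  out.privileges = out.privileges.filter((e) => e.actions.length > 0);
  return out;
}

// Models db.updateRole(name, update): every field present in update replaces
// the role's field completely; fields that are absent are left as they were.
function updateRole(role, update) {
  const out = clone(role);
  for (const field of ["privileges", "roles", "authenticationRestrictions"]) {
    if (update[field] !== undefined) out[field] = clone(update[field]);
  }
  return out;
}

// Flattens a role to a sorted list of "db.collection:action" strings.
function effectiveActions(role) {
  const set = new Set();
  for (const p of role.privileges) for (const a of p.actions) set.add(`${resourceKey(p.resource)}:${a}`);
  return [...set].sort();
}

// Reports which "resource:action" pairs a change adds and removes.
function diffRoles(before, after) {
  const b = new Set(effectiveActions(before));
  const a = new Set(effectiveActions(after));
  return {
    added: [...a].filter((x) => !b.has(x)),
    removed: [...b].filter((x) => !a.has(x)),
  };
}

// Constructed starting point: read access on two collections.
const baseRole = {
  role: "orderReporting",
  privileges: [
    { resource: { db: "sales", collection: "orders" }, actions: ["find", "count"] },
    { resource: { db: "sales", collection: "customers" }, actions: ["find"] },
  ],
  roles: [],
};

// Intended change: let the role also insert into sales.orders.
const extra = [{ resource: { db: "sales", collection: "orders" }, actions: ["insert"] }];

// grantPrivilegesToRole keeps everything already granted and adds insert.
const granted = grantPrivileges(baseRole, extra);
// updateRole with only the new privilege silently drops all of the read access.
const replaced = updateRole(baseRole, { privileges: extra });

console.log("grant:", diffRoles(baseRole, granted));
console.log("update:", diffRoles(baseRole, replaced));
```

Run with node: the grant diff adds sales.orders:insert and removes nothing, while the updateRole diff adds the same action but removes find and count on sales.orders and find on sales.customers. The practical rule that follows is to use updateRole only when the full intended privilege list is being supplied, and to compare the role's current definition (db.getRole with showPrivileges) against the intended one before and after any change.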

Deleting a Role

db.dropRole(rolename, writeConcern)

  • rolename specifies the name of the role to be deleted. This parameter is mandatory.
  • writeConcern specifies the write concern level of a command.