DOCSP-28029 Note on Role Prevelance (#2746) (#3104)

kennethdyer · web-flow · commit 07c5b5a0caac · 2023-05-09T17:03:23.000-04:00
* DOCSP-28029 Adds note on role prevalence * Fixes note * Fixes per Jeff * Fixes per Jeff * Fixes per Spencer Jackson * Fixes per Spencer Jackson * Fixes per Spencer Jackson * Fixes per Ashley
diff --git a/source/core/authorization.txt b/source/core/authorization.txt
@@ -39,6 +39,28 @@ A role grants privileges to perform the specified :ref:`actions
 </reference/resource-document>`. Each privilege is either specified
 explicitly in the role or inherited from another role or both.
 
+Access
+~~~~~~
+
+Roles never limit privileges.  If a user has two roles, the role with the
+greater access takes precedence.  
+
+For example, if you grant the :authrole:`read` role on a database to 
+a user that already has the :authrole:`readWriteAnyDatabase` role, the
+``read`` grant does **not** revoke write access on the database.
+
+To revoke a role from a user, use the :dbcommand:`revokeRolesFromUser` 
+command.
+
+Authentication Restrictions
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Roles can impose authentication restrictions on users, requiring them to
+connect from specified source and destination IP address ranges.
+
+For more information, see :ref:`create-role-auth-restrictions`.
+
+
 .. _privileges:
 
 Privileges
