1- =============
2- Create a Role
3- =============
1+ ===========================
2+ Define MongoDB Access Roles
3+ ===========================
44
55.. default-domain:: mongodb
66
77.. todo:: Link 'role' below to the conceptual doc, when written
88
9- Roles grant users access to MongoDB resources. Create roles to define
10- access to resources according to your operational needs.
9+ Overview
10+ --------
1111
12- MongoDB scopes each role to the database in which it is created and
13- uniquely identifies each role by the pairing of its name and its database.
12+ Roles grant users access to MongoDB resources. By default, MongoDB
13+ provides a number of roles that administrators may use to control
14+ access to a MongoDB system. However, if these roles cannot describe
15+ the proper limited subset of access that a user might require in a
16+ deployment, you can define a unique role to provide these access.
17+
18+ Create new roles to define access to resources according to the
19+ operational needs of a deployment.
20+
21+ MongoDB limits the scope of each role to the database where the role
22+ was created. The combination of database name and name of role
23+ uniquely defines a role in MongoDB.
1424
1525Prerequisites
1626-------------
@@ -30,39 +40,37 @@ When creating the role, enter these resource-action pairings in
3040:ref:`resource documents <resource-document>` in the
3141:data:`~admin.system.roles.privileges` array.
3242
33- Identify Privileges from Other Roles
34- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
43+ Identify Privileges from Existing Roles
44+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3545
36- If this role is to include all the privileges of an existing role, then instead
37- of re-creating those privileges, you can add the existing role to this role.
38- The contained role provides all its privileges to the new role.
46+ If this role must include *all* the privileges of an existing role,
47+ you can add the existing role to this role, rather than adding
48+ privileges individually. The member role provides all its privileges
49+ to the containing role.
3950
4051When creating the new role, specify each contained role in its own
4152document in the :data:`~admin.system.roles.roles` array.
4253
4354Create the Role
4455~~~~~~~~~~~~~~~
4556
46- To create the role, use the :dbcommand:`createRole` command.
47-
48- .. example::
49-
50- The following command from the :program:`mongo` shell creates the
51- ``myClusterwideAdmin`` role with privileges defined in four
52- :ref:`resource documents <resource-document>` and privileges inherited
53- from the ``read`` role on the ``admin`` database.
54-
55- .. code-block:: javascript
56-
57- db.runCommand( { createRole: "myClusterwideAdmin",
58- privileges: [
59- { resource: { cluster: true }, actions: [ "addShard" ] },
60- { resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert", "remove" ] },
61- { resource: { db: "users", collection: "usersCollection" }, actions: [ "update", "insert", "remove" ] },
62- { resource: { db: "", collection: "" }, actions: [ "find" ] }
63- ],
64- roles: [
65- { role: "read", db: "admin" }
66- ],
67- writeConcern: { w: "majority" , wtimeout: 5000 }
68- } )
57+ To create the role, use the :dbcommand:`createRole` command. Consider
58+ the following example that creates the ``myClusterwideAdmin`` role
59+ with privileges defined in four :ref:`resource documents
60+ <resource-document>` and privileges inherited from the ``read`` role
61+ on the ``admin`` database.
62+
63+ .. code-block:: javascript
64+
65+ db.runCommand( { createRole: "myClusterwideAdmin",
66+ privileges: [
67+ { resource: { cluster: true }, actions: [ "addShard" ] },
68+ { resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert", "remove" ] },
69+ { resource: { db: "users", collection: "usersCollection" }, actions: [ "update", "insert", "remove" ] },
70+ { resource: { db: "", collection: "" }, actions: [ "find" ] }
71+ ],
72+ roles: [
73+ { role: "read", db: "admin" }
74+ ],
75+ writeConcern: { w: "majority" , wtimeout: 5000 }
76+ } )
0 commit comments