mongodb · bgrabar · Dec 13, 2013
diff --git a/bin/builddata/htaccess-next.yaml b/bin/builddata/htaccess-next.yaml
@@ -696,6 +696,13 @@ redirect-path: '/tutorial/copy-databases-between-instances'
 url-base: '/reference/command/copydb'
 type: 'redirect'
 code: 303
+outputs:
+  - 'after-v2.4'
+---
+redirect-path: '/tutorial/assign-role-to-user'
+url-base: '/core/access-control'
+type: 'redirect'
+code: 303
 outputs:
   - 'after-v2.4'
 ...
diff --git a/source/includes/steps-assign-role-to-user.yaml b/source/includes/steps-assign-role-to-user.yaml
@@ -0,0 +1,91 @@
+title: Connect with the Privilege to Grant Roles
+stepnum: 1
+ref: connect-with-grant-role-privileges
+pre: |
+  Connect to the :program:`mongod` or :program:`mongos` as a user with the
+  :authaction:`grantRole` actions on the role's database. One option for doing
+  so is to connect using the :ref:`localhost exception <localhost-exception>`.
+action:
+  pre: |
+    The following example operation connects to the MongoDB instance as a user
+    named ``roleManager``:
+  language: javascript
+  code: |
+    mongo --port 27017 -u roleManager -p 12345678 --authenticationDatabase admin
+---
+title: Verify Your Privileges
+stepnum: 2
+ref: verify-grant-role-privileges
+pre: |
+  Verify that the user you are connected as has the :authaction:`grantRole`
+  actions on the ``admin`` database.
+action:
+  pre: |
+    The following example operation checks privileges for the user connected
+    as ``roleManager``:
+  language: javascript
+  code: |
+    db.runCommand(
+      {
+        usersInfo:"roleManager",
+        showPrivileges:true
+      }
+    )
+  post: |
+    The resulting ``users`` document displays the privileges granted to the user.
+---
+title: Identify the User's Roles and Privileges
+stepnum: 3
+ref: identify-privileges
+pre: |
+  To display the roles and privileges of the user to be modified, use the
+  :method:`db.getUser()` and :method:`db.getRole()` methods, as described in
+  :doc:`/tutorial/verify-user-privileges`.
+action:
+  pre: |
+    For example, to view roles for ``accountUser01`` on the current database, issue:
+  code: |
+    db.getUser("accountUser01")
+  language: javascript
+action:
+  pre: |
+    To display the privileges granted by ``siteRole01`` on the current database, issue:
+  code: |
+    db.getRole( "siteRole01", { showPrivileges: true } )
+  language: javascript
+---
+title: Identify the Privileges to Grant or Revoke
+stepnum: 4
+ref: select-roles-to-modify
+pre: |
+  Determine which role contains the privileges *and only those privileges*. If
+  such a role does not exist, then to grant the privileges will require
+  :doc:`creating a new role </tutorial/define-roles>` with the specific set of
+  privileges. To revoke a subset of privileges provided by an existing role:
+  revoke the original role, :doc:`create a new role </tutorial/define-roles>`
+  that contains the privileges *to keep*, and then grant that role to the
+  user.
+---
+title: Grant a Role to a User
+stepnum: 5
+ref: grant-role-to-user
+pre: |
+  Grant the user the role using the :method:`db.grantRolesToUser()` method.
+action:
+  pre: |
+    For example:
+  language: javascript
+  code: |
+    use admin
+    db.grantRolesToUser(
+      "accountAdmin01",
+      [
+        { 
+          role: "readWrite", db: "products"
+        },
+        {
+          role: "readAnyDatabase", db:"admin"
+        }
+      ]
+    )
+...
diff --git a/source/includes/toc-security-tutorials-access-control.yaml b/source/includes/toc-security-tutorials-access-control.yaml
@@ -18,6 +18,11 @@ file: /tutorial/define-roles
 description: |
   Create custom role.
 ---
+file: /tutorial/assign-role-to-user
+description: |
+  Assign a user a role. A role grants the user a defined set of privileges.
+  A user can have multiple roles.
+---
 file: /tutorial/change-user-privileges
 description: |
   Modify the actions available to a user on specific database resources.

diff --git a/source/tutorial/assign-role-to-user.txt b/source/tutorial/assign-role-to-user.txt
@@ -0,0 +1,33 @@
+====================
+Assign a User a Role
+====================
+
+.. default-domain:: mongodb
+
+Overview
+--------
+
+A role provides a user privileges to perform a set of :ref:`actions
+<security-user-actions>` on a :ref:`resource <resource-document>`. A
+user can have multiple roles.
+
+In MongoDB systems where :setting:`auth` is enabled, you must grant a user a
+role for the user to access a database resource. To assign a role, first
+determine the privileges the user needs and then determine the role that
+grants those privileges.
+
+For an overview of roles and privileges, see :ref:`authorization`.
+For descriptions of the access each system role provides, see
+:ref:`system-defined roles <system-user-roles>.`
+
+Prerequisites
+-------------
+
+.. include:: /includes/access-grant-roles.rst
+
+.. include:: /includes/access-roles-info.rst
+
+Procedure
+---------
+
+.. include:: /includes/steps/assign-role-to-user.rst