DOCS-2309 revoke access from a user

bin/builddata/htaccess-next.yaml

@@ -696,6 +696,13 @@ redirect-path: '/tutorial/copy-databases-between-instances'
 url-base: '/reference/command/copydb'
 type: 'redirect'
 code: 303
+outputs:
+  - 'after-v2.4'
+---
+redirect-path: '/tutorial/revoke-access-from-user'
+url-base: '/core/access-control'
+type: 'redirect'
+code: 303
 outputs:
   - 'after-v2.4'
 ...

source/includes/steps-revoke-access-from-user.yaml

@@ -0,0 +1,67 @@
+title: Connect with the Privilege to Revoke Roles
+stepnum: 1
+ref: connect-with-revoke-role-privileges
+pre: |
+  Connect to the :program:`mongod` or :program:`mongos` as a user with the
+  :authaction:`revokeRole` action on the role's database.
+action:
+  pre: |
+    The following example operation connects to the MongoDB instance as a user
+    named ``roleManager``:
+  language: javascript
+  code: |
+    mongo --port 27017 -u roleManager -p 12345678 --authenticationDatabase products
+---
+title: Verify Your Privileges
+stepnum: 2
+ref: verify-revoke-role-privileges
+pre: |
+  Verify that the user you are connected as has the :authaction:`revokeRole`
+  actions on the role's database.
+action:
+  pre: |
+    The following example operation checks privileges for the user connected
+    as ``roleManager``:
+  language: javascript
+  code: |
+    db.runCommand(
+      {
+        usersInfo:"roleManager",
+        showPrivileges:true
+      }
+    )
+  post: |
+    The resulting ``users`` document displays the privileges granted to the user.
+---
+source:
+  file: steps-change-user-privileges.yaml
+  ref: collect-roles
+---
+source:
+  file: steps-change-user-privileges.yaml
+  ref: identify-privileges
+---
+source:
+  file: steps-change-user-privileges.yaml
+  ref: select-roles-to-modify
+---
+title: Revoke a Role from a User
+stepnum: 6
+ref: revoke-role-from-user
+pre: |
+  Revoke the role from the user using the :method:`db.revokeRolesFromUser` method.
+action:
+  pre: |
+    For example:
+  language: javascript
+  code: |
+    use products
+    db.revokeRolesFromUser(
+      "purchaseAgent",
+      [
+        {
+          role: "readAnyDatabase", db:"admin"
+        }
+      ]
+    )
+...

source/includes/toc-security-tutorials-access-control.yaml

@@ -22,6 +22,10 @@ file: /tutorial/change-user-privileges
 description: |
   Modify the actions available to a user on specific database resources.
 ---
+file: /tutorial/revoke-access-from-user
+description: |
+  Remove a role and its privileges from a user.
+---
 file: /tutorial/view-roles
 description: |
   View a role's privileges.

source/reference/glossary.txt

@@ -368,6 +368,10 @@ Glossary
       :term:`JSON` with Padding. Refers to a method of injecting JSON
       into applications. **Presents potential security concerns**.
 
+   least privilege
+      An authorization policy that gives a user only the amount of access
+      that is essential to that user's work and no more.
+
    legacy coordinate pairs
       The format used for :term:`geospatial` data prior to MongoDB
       version 2.4. This format stores geospatial data as points on a

source/tutorial/revoke-access-from-user.txt

@@ -0,0 +1,32 @@
+=========================
+Revoke Access from a User
+=========================
+
+.. default-domain:: mongodb
+
+Overview
+--------
+
+When a user no longer requires access to certain resources and operations,
+remove access by revoking the role that grants it. Revoking a role a user no
+longer needs follows the policy of :term:`least privilege`, which gives a user
+permissions only for the tasks the user performs.
+
+To revoke privileges, first determine the role that grants the privileges.
+Then remove the role with the :method:`db.revokeRolesFromUser` method.
+
+For an overview of roles and privileges, see :ref:`authorization`.
+For descriptions of the access each system role provides, see
+:ref:`system-defined roles <system-user-roles>.
+
+Prerequisites
+-------------
+
+.. include:: /includes/access-revoke-roles.rst
+
+.. include:: /includes/access-roles-info.rst
+
+Procedure
+---------
+
+.. include:: /includes/steps/revoke-access-from-user.rst