DOCS-2309 tutorial: verify user privileges

bin/builddata/htaccess-next.yaml

@@ -696,6 +696,13 @@ redirect-path: '/tutorial/copy-databases-between-instances'
 url-base: '/reference/command/copydb'
 type: 'redirect'
 code: 303
+outputs:
+  - 'after-v2.4'
+---
+redirect-path: '/tutorial/verify-user-privileges'
+url-base: '/reference/security'
+type: 'redirect'
+code: 303
 outputs:
   - 'after-v2.4'
 ...

source/includes/steps-verify-user-privileges.yaml

@@ -0,0 +1,76 @@
+title: Identify the User's Roles
+stepnum: 1
+ref: collect-roles
+pre: |
+  Use the :dbcommand:`usersInfo` command or :method:`db.getUser()` method to
+  display user information. The :data:`~admin.system.users.roles` array
+  specifies the user's roles.
+action:
+  - pre: |
+      For example, to view roles for ``accountUser01`` on the
+      ``accounts`` database, issue the following:
+    code: |
+      use accounts
+      db.getUser("accountUser01")
+    language: javascript
+  - pre: |
+      The :data:`~admin.system.users.roles` array displays all roles
+      for ``accountUser01``:
+    language: javascript
+    code: |
+      "roles" : [
+         {
+           "role" : "readWrite",
+           "db" : "accounts"
+         },
+         {
+           "role" : "siteRole01",
+           "db" : "records"
+          }
+      ]
+---
+title: Identify the Privileges Granted by the Roles
+ref: identify-privileges
+stepnum: 2
+pre: |
+  For a given role, use the :dbcommand:`rolesInfo` command or
+  :method:`db.getRole()` method, and include the ``showPrivileges`` parameter.
+  The resulting role document displays both privileges granted directly and
+  roles from which this role inherits privileges.
+action:
+  - pre: |
+      For example, to view the privileges granted by ``siteRole01`` on the ``records`` database, use the
+      following operation, which returns a document with a
+      :data:`~admin.system.roles.privileges` array:
+    language: javascript
+    code: |
+      use records
+      db.getRole( "siteRole01", { showPrivileges: true } )
+  - pre: |
+      The returned document includes the :data:`~admin.system.roles.roles` and
+      :data:`~admin.system.roles.privileges` arrays:
+    language: javascript
+    code: |
+         "roles" : [
+            {
+                "role" : "read",
+                "db" : "corporate"
+            }
+         ],
+         "privileges" : [
+            {
+                "resource" : {
+                    "db" : "records",
+                    "collection" : ""
+                },
+                "actions" : [
+                    "find",
+                    "insert",
+                    "update"
+                ]
+            }
+         ]
+post: |
+  To view the privileges granted by the :authrole:`read` role, use
+  :method:`db.getRole()` again with the appropriate parameters.
+...

source/includes/toc-security-tutorials-access-control.yaml

@@ -18,6 +18,10 @@ file: /tutorial/define-roles
 description: |
   Create custom role.
 ---
+file: /tutorial/verify-user-privileges
+description: |
+  View a user's current privileges.
+---
 file: /tutorial/change-user-privileges
 description: |
   Modify the actions available to a user on specific database resources.

source/tutorial/verify-user-privileges.txt

@@ -0,0 +1,26 @@
+======================
+Verify User Privileges
+======================
+
+.. default-domain:: mongodb
+
+Overview
+--------
+
+A user's privileges determine the access the user has to database
+:ref:`resources <resource-document>` and the :ref:`actions
+<security-user-actions>`. the user can perform. Users receive privileges
+through role assignments. A user can have multiple roles, and each role
+can have multiple privileges.
+
+For an overview of roles and privileges, see :ref:`authorization`.
+
+Prerequisites
+-------------
+
+.. include:: /includes/access-roles-info.rst
+
+Procedure
+---------
+
+.. include:: /includes/steps/verify-user-privileges.rst