mongodb · schmalliso · May 11, 2016 · Aug 17, 2016
diff --git a/source/includes/extracts-privilege-actions-base.yaml b/source/includes/extracts-privilege-actions-base.yaml
@@ -0,0 +1,8 @@
+ref: _action-list
+content: |
+  The user executing the {{type}} requires either :authaction:`find`
+  privileges on the {{collection}} collection or the
+  {{listAction}} privilege action. At a minimum, the
+  :authrole:`read` :doc:`built-in role </reference/built-in-roles>` provide
+  the requisite permissions.
+...
diff --git a/source/includes/extracts-privilege-actions.yaml b/source/includes/extracts-privilege-actions.yaml
@@ -0,0 +1,36 @@
+ref: actions-listIndexes
+inherit:
+  file: extracts-privilege-actions-base.yaml
+  ref: _action-list  
+replacement:
+  type: "command"
+  collection: ":data:`system.indexes <<database>.system.indexes>`"
+  listAction: ":authaction:`listIndexes`"
+---
+ref: actions-db.collection.getIndexes
+inherit:
+  file: extracts-privilege-actions-base.yaml
+  ref: _action-list  
+replacement:
+  type: "method"
+  collection: ":data:`system.indexes <<database>.system.indexes>`"
+  listAction: ":authaction:`listIndexes`"
+---
+ref: actions-listCollections
+inherit:
+  file: extracts-privilege-actions-base.yaml
+  ref: _action-list  
+replacement:
+  type: "command"
+  collection: ":data:`system.namespaces <<database>.system.namespaces>`"
+  listAction: ":authaction:`listCollections`"
+---
+ref: actions-db.getCollectionNames
+inherit:
+  file: extracts-privilege-actions-base.yaml
+  ref: _action-list  
+replacement:
+  type: "method"
+  collection: ":data:`system.namespaces <<database>.system.namespaces>`"
+  listAction: ":authaction:`listCollections`"
+...
diff --git a/source/reference/command/listCollections.txt b/source/reference/command/listCollections.txt
@@ -77,6 +77,12 @@ Output
    The return value for the command. A value of ``1`` indicates
    success.
 
+Required Access
+---------------
+
+.. include:: /includes/extracts/actions-listCollections.rst
+
+
 Example
 -------
 

diff --git a/source/reference/command/listIndexes.txt b/source/reference/command/listIndexes.txt
@@ -32,6 +32,11 @@ Definition
 
    .. include:: /includes/apiargs/dbcommand-listIndexes-field.rst
 
+Required Access
+---------------
+
+.. include:: /includes/extracts/actions-listIndexes.rst
+
 Output
 ------
 

diff --git a/source/reference/command/mapReduce.txt b/source/reference/command/mapReduce.txt
@@ -93,6 +93,30 @@ mapReduce
    :start-after: start-out
    :end-before: end-out
 
+Required Access
+---------------
+
+If your MongoDB deployment enforces authentication, the user executing
+the :dbcommand:`mapReduce` command must possess the following
+privilege actions:
+
+Map-reduce with ``{out : inline}`` output option:
+   - :authaction:`find`
+
+Map-reduce with the ``replace`` action when :ref:`outputting to a
+collection <mapreduce-out-mtd>`:
+   - :authaction:`find`,
+   - :authaction:`insert`,
+   - :authaction:`replace`
+
+Map-reduce with the ``merge`` or ``reduce`` actions when
+:ref:`outputting to a collection <mapreduce-out-mtd>`:
+   - :authaction:`find`,
+   - :authaction:`insert`,
+   - :authaction:`update`
+
+The :authrole:`readWrite` built-in role provides the necessary
+permissions to perform map-reduce aggregation.
 
 Map-Reduce Examples
 -------------------

diff --git a/source/reference/method/db.collection.getIndexes.txt b/source/reference/method/db.collection.getIndexes.txt
@@ -36,6 +36,11 @@ Considerations
 
 .. include:: /includes/fact-wiredtiger-compatibility-with-old-shells.rst
 
+Required Access
+---------------
+
+.. include:: /includes/extracts/actions-db.collection.getIndexes.rst
+
 Output
 ------
 

diff --git a/source/reference/method/db.getCollectionNames.txt b/source/reference/method/db.getCollectionNames.txt
@@ -28,6 +28,11 @@ Considerations
 
 .. include:: /includes/fact-wiredtiger-compatibility-with-old-shells.rst
 
+Required Access
+---------------
+
+.. include:: /includes/extracts/actions-db.getCollectionNames.rst
+
 Example
 -------
 

diff --git a/source/reference/privilege-actions.txt b/source/reference/privilege-actions.txt
@@ -28,34 +28,129 @@ Query and Write Actions
 -----------------------
 
 .. authaction:: find
+
+   User can perform the following commands, and their equivalent helper methods:
+
+   - :dbcommand:`aggregate` for all :doc:`pipeline operations
+     </reference/operator/aggregation>` **except** :pipeline:`$out` and
+     :pipeline:`$indexStats`.
+   - :dbcommand:`checkShardingIndex`
+   - :dbcommand:`count`
+   - :dbcommand:`dataSize`
+   - :dbcommand:`distinct`
+   - :dbcommand:`filemd5`
+   - :dbcommand:`find`
+   - :dbcommand:`geoNear`
+   - :dbcommand:`geoSearch`
+   - :dbcommand:`getLastError`
+   - :dbcommand:`getMore`
+   - :dbcommand:`getPrevError`
+   - :dbcommand:`group`
+   - :dbcommand:`killCursors`
+   - :dbcommand:`listCollections`
+   - :dbcommand:`listIndexes`
+   - :dbcommand:`mapReduce` with the ``{out: inline}`` option.
+   - :dbcommand:`parallelCollectionScan`
+   - :dbcommand:`repairCursor`
+   - :dbcommand:`resetError`
+
+   Required for the query portion of the :dbcommand:`mapReduce` command and
+   :method:`db.collection.mapReduce` helper method when :ref:`outputting
+   to a collection <mapreduce-out-mtd>`.
+
+   Required for the query portion of the :dbcommand:`findAndModify` command
+   and :method:`db.collection.findAndModify` helper method.
 
-   User can perform the :method:`db.collection.find()` method. Apply this
-   action to database or collection resources.
+   Required on the *source* collection for the :dbcommand:`cloneCollectionAsCapped`
+   and :dbcommand:`renameCollection` commands and the 
+   :method:`db.collection.renameCollection()` helper method.
+
+   Apply this action to database or collection resources.
 
 .. authaction:: insert
 
-   User can perform the :dbcommand:`insert` command. Apply this action to
-   database or collection resources.
+   User can perform the following commands and their equivalent methods:
+
+   - :dbcommand:`insert`
+   - :dbcommand:`create`
+
+   Required for the output portion of the :dbcommand:`mapReduce`
+   command and :method:`db.collection.mapReduce()` helper method when
+   :ref:`outputting to a collection <mapreduce-out-mtd>`.
+
+   Required for the :dbcommand:`aggregate` command and
+   :method:`db.collection.aggregate()` helper method when using the
+   :pipeline:`$out` pipeline operator.
+
+   Required for the :dbcommand:`update` and :dbcommand:`findAndModify`
+   commands and equivalent helper methods when used with the ``upsert``
+   option.
+
+   Required on the *destination* collection for the following
+   commands and their helper methods:
+
+   - :dbcommand:`clone`
+   - :dbcommand:`cloneCollection`
+   - :dbcommand:`cloneCollectionAsCapped`
+   - :dbcommand:`copydb`
+   - :dbcommand:`renameCollection`
+
+   Apply this action to database or collection resources.
 
 .. authaction:: remove
 
-   User can perform the :method:`db.collection.remove()` method. Apply this
-   action to database or collection resources.
+   User can perform the :dbcommand:`delete` command and equivalent
+   helper method.
+
+   Required for the write portion of the :dbcommand:`findAndModify`
+   command and :method:`db.collection.findAndModify()` method.
+
+   Required for the :dbcommand:`mapReduce` command and
+   :method:`db.collection.mapReduce()` helper method when you specify
+   the ``replace`` action when :ref:`outputting to a collection
+   <mapreduce-out-mtd>`.
+
+   Required for the :dbcommand:`aggregate` command and
+   :method:`db.collection.aggregate()` helper method when using the
+   :pipeline:`$out` pipeline operator.
+
+   Apply this action to database or collection resources.
 
 .. authaction:: update
 
-   User can perform the :dbcommand:`update` command. Apply this action to
-   database or collection resources.
+   User can perform the :dbcommand:`update` command and equivalent
+   helper methods.
+
+   Required for the
+   :dbcommand:`mapReduce` command and :method:`db.collection.mapReduce()`
+   helper method when :ref:`outputting to a collection <mapreduce-out-mtd>`
+   without specifying the ``replace`` action.
+
+   Required for the :dbcommand:`findAndModify` command and
+   :method:`db.collection.findAndModify()` helper method.
+
+   Apply this action to database or collection resources.
 
 .. authaction:: bypassDocumentValidation
 
    .. versionadded:: 3.2
 
-   User can bypass document validation on commands that support the
-   ``bypassDocumentValidation`` option. For a list of commands that
-   support the ``bypassDocumentValidation`` option, see
-   :ref:`3.2-rel-notes-document-validation`. Apply this action to
-   database or collection resources.
+   Users can bypass :doc:`document validation
+   </core/document-validation>` on commands and methods that support
+   the ``bypassDocumentValidation`` option. The following commands and
+   their equivalent methods support bypassing document validation:
+
+   - :dbcommand:`aggregate`
+   - :dbcommand:`applyOps`
+   - :dbcommand:`cloneCollection` on the *destination* collection
+   - :dbcommand:`clone` on the *destination*
+   - :dbcommand:`copydb` on the *destination*
+   - :dbcommand:`findAndModify`
+   - :dbcommand:`insert`
+   - :dbcommand:`mapReduce`
+   - :dbcommand:`update`
+
+   Apply this action to database or collection resources.
 
 Database Management Actions
 ---------------------------
-Original file line number
+Diff line change
@@ Expand Up / @@ -32,6 +32,11 @@ Definition @@
        .. include:: /includes/apiargs/dbcommand-listIndexes-field.rst
+    Required Access
+    ---------------
+    .. include:: /includes/extracts/actions-listIndexes.rst
     Output
     ------
@@ Expand Down @@