DOCS-12098: Clarify change stream permissions, document changeStream privilege action

source/changeStreams.txt

@@ -585,9 +585,7 @@ collaboration functionality, and notification services.
 Access Control
 --------------
 
-For deployments enforcing :ref:`authentication` and :ref:`authorization
-<authorization>`, applications can only open change streams against
-collections they have read access to.
+.. include:: /includes/extracts/changestream-access-control-collection.rst
 
 Event Notification
 ------------------

source/includes/extracts-changestream.yaml

@@ -78,6 +78,39 @@ content: |
    - The connection to the MongoDB deployment is closed.
 
    - .. include:: /includes/extracts/changestream-remove-shard.rst
+---
+ref: _changestream-access-control-core
+content: |
+
+  For deployments enforcing :ref:`authentication <authentication>` and 
+  :ref:`authorization <authorization>`, authenticate as a user
+  with the :authaction:`changeStream` and :authaction:`find`
+  privilege actions on the collection against which you want to 
+  open a change stream.
+
+  The :authrole:`read` :ref:`built-in role <built-in-roles>` includes
+  the required privileges to support opening a change stream
+  against a collection. Any built-in role or 
+  :ref:`user-defined role <user-defined-roles>` that
+  inherits the :authrole:`read` role can also support opening
+  change streams against a collection.
+
+  Alternatively, use :method:`db.createRole` to create a user-defined
+  role that grants the :authaction:`changeStream` and :authaction:`find` 
+  privilege actions on the
+  :ref:`target collection <resource-specific-db-collection>`.
+  See :ref:`user-defined-roles` for more complete documentation.
+
+  To associate a built-in role or user-defined role to an existing user, 
+  use the :method:`db.grantRolesToUser()` or
+  :method:`db.updateUser()` methods. You can also specify 
+  the role when creating a new user using :method:`db.createUser()`.
+
+---
+ref: changestream-access-control-collection
+source:
+  file: extracts-changestream.yaml
+  ref: _changestream-access-control-core
 ...
 
 

source/reference/method/db.collection.watch.txt

@@ -72,19 +72,7 @@ Full Document Lookup of Update Operations
 Access Control
 --------------
 
-When running with access control, the user must have the
-:authaction:`find` and :authaction:`changeStream` privilege actions on
-the :ref:`collection resource <resource-document>`. That is, a user must
-have a :ref:`role <roles>` that grants the following :ref:`privilege
-<privileges>`:
-
-.. code-block:: javascript
-
-   { resource: { db: <dbname>, collection: <collection> }, actions: [ "find", "changeStream" ] }
-
-
-The built-in :authrole:`read` role provides the appropriate
-privileges.
+.. include:: /includes/extracts/changestream-access-control-collection.rst
 
 Examples
 --------

source/reference/privilege-actions.txt

@@ -381,6 +381,15 @@ Deployment Management Actions
    User can perform the :dbcommand:`storageDetails` command. Apply this
    action to database or collection resources.
 
+Change Stream Actions
+---------------------
+
+.. authaction:: changeStream
+
+   User with :authaction:`changeStream` and :authaction:`find` on the
+   specific collection can open a 
+   :doc:`change stream cursor </changeStreams>` for that resource.
+
 Replication Actions
 -------------------