db.revokePrivilegesFromRole()

Definition

  • db.revokePrivilegesFromRole(rolename, privileges, writeConcern)
  • Removes the specified privileges from the user-defined role on the database where the method runs. TherevokePrivilegesFromRole method has the following syntax:
  1. db.revokePrivilegesFromRole(
  2.     "<rolename>",
  3.     [
  4.         { resource: { <resource> }, actions: [ "<action>", ... ] },
  5.         ...
  6.     ],
  7.     { <writeConcern> }
  8. )

The revokePrivilegesFromRole method takes the following arguments:

ParameterTypeDescriptionrolenamestringThe name of the user-defined role fromwhich to revoke privileges.privilegesarrayAn array of privileges to remove from the role. Seeprivileges for more information on theformat of the privileges.writeConcerndocumentOptional. The level of write concern for themodification. The writeConcern document takes the samefields as the getLastError command.

The db.revokePrivilegesFromRole() method wraps therevokePrivilegesFromRole command.

Behavior

Replica set

If run on a replica set, db.revokePrivilegesFromRole() is executed using majority write concern by default.

Scope

To revoke a privilege, the resource document pattern must match exactly theresource field of that privilege. The actions field can be asubset or match exactly.

For example, given the role accountRole in the productsdatabase with the following privilege that specifies the productsdatabase as the resource:

  1. {
  2.   "resource" : {
  3.       "db" : "products",
  4.       "collection" : ""
  5.   },
  6.   "actions" : [
  7.       "find",
  8.       "update"
  9.   ]
  10. }

You cannot revoke find and/or update from just _one_collection in the products database. The following operationsresult in no change to the role:

  1. use products
  2. db.revokePrivilegesFromRole(
  3.    "accountRole",
  4.    [
  5.      {
  6.        resource : {
  7.           db : "products",
  8.           collection : "gadgets"
  9.        },
  10.        actions : [
  11.           "find",
  12.           "update"
  13.        ]
  14.      }
  15.    ]
  16. )
  17.  
  18. db.revokePrivilegesFromRole(
  19.    "accountRole",
  20.    [
  21.      {
  22.        resource : {
  23.           db : "products",
  24.           collection : "gadgets"
  25.        },
  26.        actions : [
  27.           "find"
  28.        ]
  29.      }
  30.    ]
  31. )

To revoke the "find" and/or the "update" action from the roleaccountRole, you must match the resource document exactly. Forexample, the following operation revokes just the "find" actionfrom the existing privilege.

  1. use products
  2. db.revokePrivilegesFromRole(
  3.    "accountRole",
  4.    [
  5.      {
  6.        resource : {
  7.           db : "products",
  8.           collection : ""
  9.        },
  10.        actions : [
  11.           "find"
  12.        ]
  13.      }
  14.    ]
  15. )

Required Access

You must have the revokeRoleaction on the database a privilege targets in order torevoke that privilege. If the privilege targets multiple databases or thecluster resource, you must have the revokeRole actionon the admin database.

Example

The following operation removes multiple privileges from theassociates role:

  1. db.revokePrivilegesFromRole(
  2.    "associate",
  3.    [
  4.      {
  5.        resource: { db: "products", collection: "" },
  6.        actions: [ "createCollection", "createIndex", "find" ]
  7.      },
  8.      {
  9.        resource: { db: "products", collection: "orders" },
  10.        actions: [ "insert" ]
  11.      }
  12.    ],
  13.    { w: "majority" }
  14. )