revokeRolesFromUser
Definition
revokeRolesFromUser
    Removes one or more roles from a user on the database where the roles exist. The revokeRolesFromUser command uses the following syntax:

        { revokeRolesFromUser: "<user>",
          roles: [
            { role: "<role>", db: "<database>" } | "<role>",
            ...
          ],
          writeConcern: { <write concern> }
        }
The command has the following fields:

    Field                  Type       Description
    revokeRolesFromUser    string     The user to remove roles from.
    roles                  array      The roles to remove from the user.
    writeConcern           document   Optional. The level of write concern for the modification. The writeConcern document takes the same fields as the getLastError command.
In the roles field, you can specify both built-in roles and user-defined roles.

To specify a role that exists in the same database where revokeRolesFromUser runs, you can either specify the role with the name of the role:

    "readWrite"

Or you can specify the role with a document, as in:

    { role: "<role>", db: "<database>" }

To specify a role that exists in a different database, specify the role with a document.
Required Access
You must have the revokeRole action on a database to revoke a role on that database.
Example
The accountUser01 user in the products database has the following roles:

    "roles" : [
        { "role" : "assetsReader",
          "db" : "assets"
        },
        { "role" : "read",
          "db" : "stock"
        },
        { "role" : "readWrite",
          "db" : "products"
        }
    ]
The following revokeRolesFromUser command removes two of the user's roles: the read role on the stock database and the readWrite role on the products database, which is also the database on which the command runs:

    use products
    db.runCommand( { revokeRolesFromUser: "accountUser01",
                     roles: [
                       { role: "read", db: "stock" },
                       "readWrite"
                     ],
                     writeConcern: { w: "majority" }
                   } )
The user accountUser01 in the products database now has only one remaining role:

    "roles" : [
        { "role" : "assetsReader",
          "db" : "assets"
        }
    ]
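As an added example (not part of the MongoDB documentation), the following Node.js script models how revokeRolesFromUser resolves the two role spellings described above (a bare string meaning "on the database the command runs in", or a { role, db } document) and computes the roles a user keeps afterwards, so a revocation can be reviewed offline before it is run and checked against db.getUser() after it runs. The role list for accountUser01 is the page's example; the function names are the example's own.

```javascript
// Added example, not MongoDB code: models revokeRolesFromUser role resolution
// and the resulting role set for review before running the real command.

// A role spec is a bare string (role on the command's database) or a
// { role, db } document. Normalize both to { role, db }.
function normalizeRole(spec, commandDb) {
  if (typeof spec === "string") {
    return { role: spec, db: commandDb };
  }
  if (spec && typeof spec.role === "string" && typeof spec.db === "string") {
    return { role: spec.role, db: spec.db };
  }
  throw new TypeError("role spec must be a string or a { role, db } document");
}

// Build the command document in the shape the page describes.
function buildRevokeCommand(user, roles, writeConcern = { w: "majority" }) {
  return { revokeRolesFromUser: user, roles: roles, writeConcern: writeConcern };
}

// Roles the user keeps once the command is applied on `commandDb`.
// `currentRoles` is the user's roles as returned by db.getUser() / usersInfo.
function remainingRoles(currentRoles, command, commandDb) {
  const revoked = new Set(
    command.roles
      .map((r) => normalizeRole(r, commandDb))
      .map((r) => `${r.db}:${r.role}`)
  );
  return currentRoles.filter((r) => !revoked.has(`${r.db}:${r.role}`));
}

// Constructed input mirroring the page's accountUser01 example.
const accountUser01Roles = [
  { role: "assetsReader", db: "assets" },
  { role: "read", db: "stock" },
  { role: "readWrite", db: "products" },
];

const cmd = buildRevokeCommand("accountUser01", [
  { role: "read", db: "stock" },
  "readWrite", // bare string: resolved against the command's database, products
]);

// In mongosh this is `use products` followed by `db.runCommand(cmd)`;
// afterwards db.getUser("accountUser01").roles should equal `after`.
const after = remainingRoles(accountUser01Roles, cmd, "products");
console.log(JSON.stringify(after)); // [{"role":"assetsReader","db":"assets"}]
```

Because the command only removes the roles that are named, comparing `after` with the roles actually left on the user is a cheap least-privilege check that nothing unexpected survived the revocation.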