我的书签
添加书签
移除书签revokeRolesFromUser
Definition
revokeRolesFromUser- Removes a one or more roles from a user on the database where theroles exist. The
revokeRolesFromUsercommand uses thefollowing syntax:
- { revokeRolesFromUser: "<user>",
- roles: [
- { role: "<role>", db: "<database>" } | "<role>",
- ...
- ],
- writeConcern: { <write concern> }
- }
The command has the following fields:
FieldTypeDescriptionrevokeRolesFromUserstringThe user to remove roles from.rolesarrayThe roles to remove from the user.writeConcerndocumentOptional. The level of write concern for themodification. The writeConcern document takes the samefields as the getLastError command.
In the roles field, you can specify bothbuilt-in roles and user-definedroles.
To specify a role that exists in the same database whererevokeRolesFromUser runs, you can either specify the role with the name ofthe role:
- "readWrite"
Or you can specify the role with a document, as in:
- { role: "<role>", db: "<database>" }
To specify a role that exists in a different database, specify the rolewith a document.
Required Access
You must have the revokeRoleaction on a database to revoke a role on that database.
Example
The accountUser01 user in the products database has the followingroles:
- "roles" : [
- { "role" : "assetsReader",
- "db" : "assets"
- },
- { "role" : "read",
- "db" : "stock"
- },
- { "role" : "readWrite",
- "db" : "products"
- }
- ]
The following revokeRolesFromUser command removes the two ofthe user’s roles: the read role on the stock database andthe readWrite role on the products database, which is alsothe database on which the command runs:
- use products
- db.runCommand( { revokeRolesFromUser: "accountUser01",
- roles: [
- { role: "read", db: "stock" },
- "readWrite"
- ],
- writeConcern: { w: "majority" }
- } )
The user accountUser01 in the products database now has only oneremaining role:
- "roles" : [
- { "role" : "assetsReader",
- "db" : "assets"
- }
- ]
