revokePrivilegesFromRole

Definition

  • revokePrivilegesFromRole
  • Removes the specified privileges from the user-defined role on the database where thecommand is run. The revokePrivilegesFromRole commandhas the following syntax:
  1. {
  2.   revokePrivilegesFromRole: "<role>",
  3.   privileges:
  4.       [
  5.         { resource: { <resource> }, actions: [ "<action>", ... ] },
  6.         ...
  7.       ],
  8.   writeConcern: <write concern document>
  9. }

The revokePrivilegesFromRole command has the following fields:

FieldTypeDescriptionrevokePrivilegesFromRolestringThe user-defined role to revokeprivileges from.privilegesarrayAn array of privileges to remove from the role. Seeprivileges for more information on theformat of the privileges.writeConcerndocumentOptional. The level of write concern for themodification. The writeConcern document takes the samefields as the getLastError command.

Behavior

To revoke a privilege, the resource document pattern must match exactly theresource field of that privilege. The actions field can be asubset or match exactly.

For example, consider the role accountRole in the productsdatabase with the following privilege that specifies the productsdatabase as the resource:

  1. {
  2.   "resource" : {
  3.       "db" : "products",
  4.       "collection" : ""
  5.   },
  6.   "actions" : [
  7.       "find",
  8.       "update"
  9.   ]
  10. }

You cannot revoke find and/or update from just _one_collection in the products database. The following operationsresult in no change to the role:

  1. use products
  2. db.runCommand(
  3.     {
  4.       revokePrivilegesFromRole: "accountRole",
  5.       privileges:
  6.         [
  7.           {
  8.             resource : {
  9.                 db : "products",
  10.                 collection : "gadgets"
  11.             },
  12.             actions : [
  13.                 "find",
  14.                 "update"
  15.             ]
  16.           }
  17.         ]
  18.     }
  19. )
  20.  
  21. db.runCommand(
  22.     {
  23.       revokePrivilegesFromRole: "accountRole",
  24.       privileges:
  25.         [
  26.           {
  27.             resource : {
  28.                 db : "products",
  29.                 collection : "gadgets"
  30.             },
  31.             actions : [
  32.                 "find"
  33.             ]
  34.           }
  35.         ]
  36.     }
  37. )

To revoke the "find" and/or the "update" action from the roleaccountRole, you must match the resource document exactly. Forexample, the following operation revokes just the "find" actionfrom the existing privilege.

  1. use products
  2. db.runCommand(
  3.     {
  4.       revokePrivilegesFromRole: "accountRole",
  5.       privileges:
  6.         [
  7.           {
  8.             resource : {
  9.                 db : "products",
  10.                 collection : ""
  11.             },
  12.             actions : [
  13.                 "find"
  14.             ]
  15.           }
  16.         ]
  17.     }
  18. )

Required Access

You must have the revokeRoleaction on the database a privilege targets in order torevoke that privilege. If the privilege targets multiple databases or thecluster resource, you must have the revokeRole actionon the admin database.

Example

The following operation removes multiple privileges from theassociates role in the products database:

  1. use products
  2. db.runCommand(
  3.    {
  4.      revokePrivilegesFromRole: "associate",
  5.      privileges:
  6.       [
  7.         {
  8.           resource: { db: "products", collection: "" },
  9.           actions: [ "createCollection", "createIndex", "find" ]
  10.         },
  11.         {
  12.           resource: { db: "products", collection: "orders" },
  13.           actions: [ "insert" ]
  14.         }
  15.       ],
  16.      writeConcern: { w: "majority" }
  17.    }
  18. )