revokePrivilegesFromRole
Definition
revokePrivilegesFromRole
- Removes the specified privileges from the user-defined role on the database where thecommand is run. The
revokePrivilegesFromRole
commandhas the following syntax:
- {
- revokePrivilegesFromRole: "<role>",
- privileges:
- [
- { resource: { <resource> }, actions: [ "<action>", ... ] },
- ...
- ],
- writeConcern: <write concern document>
- }
The revokePrivilegesFromRole
command has the following fields:
FieldTypeDescriptionrevokePrivilegesFromRole
stringThe user-defined role to revokeprivileges from.privileges
arrayAn array of privileges to remove from the role. Seeprivileges
for more information on theformat of the privileges.writeConcern
documentOptional. The level of write concern for themodification. The writeConcern
document takes the samefields as the getLastError
command.
Behavior
To revoke a privilege, the resource document pattern must match exactly theresource
field of that privilege. The actions
field can be asubset or match exactly.
For example, consider the role accountRole
in the products
database with the following privilege that specifies the products
database as the resource:
- {
- "resource" : {
- "db" : "products",
- "collection" : ""
- },
- "actions" : [
- "find",
- "update"
- ]
- }
You cannot revoke find
and/or update
from just _one_collection in the products
database. The following operationsresult in no change to the role:
- use products
- db.runCommand(
- {
- revokePrivilegesFromRole: "accountRole",
- privileges:
- [
- {
- resource : {
- db : "products",
- collection : "gadgets"
- },
- actions : [
- "find",
- "update"
- ]
- }
- ]
- }
- )
- db.runCommand(
- {
- revokePrivilegesFromRole: "accountRole",
- privileges:
- [
- {
- resource : {
- db : "products",
- collection : "gadgets"
- },
- actions : [
- "find"
- ]
- }
- ]
- }
- )
To revoke the "find"
and/or the "update"
action from the roleaccountRole
, you must match the resource document exactly. Forexample, the following operation revokes just the "find"
actionfrom the existing privilege.
- use products
- db.runCommand(
- {
- revokePrivilegesFromRole: "accountRole",
- privileges:
- [
- {
- resource : {
- db : "products",
- collection : ""
- },
- actions : [
- "find"
- ]
- }
- ]
- }
- )
Required Access
You must have the revokeRole
action on the database a privilege targets in order torevoke that privilege. If the privilege targets multiple databases or thecluster
resource, you must have the revokeRole
actionon the admin
database.
Example
The following operation removes multiple privileges from theassociates
role in the products
database:
- use products
- db.runCommand(
- {
- revokePrivilegesFromRole: "associate",
- privileges:
- [
- {
- resource: { db: "products", collection: "" },
- actions: [ "createCollection", "createIndex", "find" ]
- },
- {
- resource: { db: "products", collection: "orders" },
- actions: [ "insert" ]
- }
- ],
- writeConcern: { w: "majority" }
- }
- )