grantRolesToRole

Definition

The grantRolesToRole command affects roles on thedatabase where the command runs. grantRolesToRole hasthe following syntax:

  1. { grantRolesToRole: "<role>",
  2.   roles: [
  3.              { role: "<role>", db: "<database>" },
  4.              ...
  5.          ],
  6.   writeConcern: { <write concern> }
  7. }

The grantRolesToRole command has the following fields:

FieldTypeDescriptiongrantRolesToRolestringThe name of a role to add subsidiary roles.rolesarrayAn array of roles from which to inherit.writeConcerndocumentOptional. The level of write concern for themodification. The writeConcern document takes the samefields as the getLastError command.

In the roles field, you can specify bothbuilt-in roles and user-definedroles.

To specify a role that exists in the same database wheregrantRolesToRole runs, you can either specify the role with the name ofthe role:

  1. "readWrite"

Or you can specify the role with a document, as in:

  1. { role: "<role>", db: "<database>" }

To specify a role that exists in a different database, specify the rolewith a document.

Behavior

A role can inherit privileges from other roles in its database. A rolecreated on the admin database can inherit privileges from roles inany database.

Required Access

You must have the grantRoleaction on a database to grant a role on that database.

Example

The following grantRolesToRole command updates theproductsReaderWriter role in the products database to inherit the privileges of the productsReaderrole in the products database:

  1. use products
  2. db.runCommand(
  3.    { grantRolesToRole: "productsReaderWriter",
  4.      roles: [
  5.               "productsReader"
  6.      ],
  7.      writeConcern: { w: "majority" , wtimeout: 5000 }
  8.    }
  9. )