Role Management Methods

The role management commands are used to manage the role of the users. The following are the methods that are used for different purposes.

#1. db.createRole(role, writeConcern)

The createRole method is used to assign a role under the database. Using this method, we can specify privileges for the role by explicitly listing the privileges. You may also perform it by getting the role to inherit privileges from some different roles or both. The role always applies to the database on which we are running the method.

Syntax:

{
  role: "<role_name>",
  privileges: [
     { resource: { <resource> }, actions: [ "<action>", ... ] },
     ...
  ],
  roles: [
     { role: "<role_name>", db: "<database_name>" } | "<role>",
  ],
  authenticationRestrictions: [
    {
      clientSource: ["<IP>" | "<CIDR range>", ...],
      serverAddress: ["<IP>" | "<CIDR range>", ...]
    }, ]}

Example:

The JTPAdmin role on the admin database will be created using the cerate role method:

use admin
db.createRole(
   {
     role: "JTPAdmin",
     privileges: [
       { resource: { cluster: true }, actions: [ "addShard" ] },
       { resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert", "remove" ] },
       { resource: { db: "users", collection: "usersCollection" }, actions: [ "update", "insert", "remove" ] },
       { resource: { db: "", collection: "" }, actions: [ "find" ] }
     ],
     roles: [
       { role: "read", db: "admin" }
     ]
   },
   { w: "majority" , wtimeout: 5000 }
)

Output:

#2. db.dropRole(rolename, writeConcern)

The drop role method is used to remove the specified user-defined role from the database on which we are running the method.

Example

The following example deletes the readsubject role from the tutorial database:

use test
db.dropRole( "testrole", { w: "majority" } )

Output:

#3. db.dropAllRoles(writeConcern)

The drop all role method is used to remove all the specified user-defined roles from the database on which we are running the method.

Example

The following example uses a write concern of majority and drops all the user-defined roles from the tutorials database.

use tutorials
db.dropAllRoles( { w: "majority" } )

Output:

#4. db.getRole(rolename, args)

In MongoDB, a role inherits the instance of some other role. This method is used to get the parent roles from which this role inherits privileges. Also, all the role's privileges can be returned using this method.

When we run the db.getRole() method from the database that contains both the user-defined roles and built-in roles, then the specified command can retrieve the information.

Examples:

use tutorials
db.getRole( "Admin" )

For the role, Admin defined on the tutorials database return role inheritance information and privileges.

use tutorials
db.getRole( "Admin", { showPrivileges: true } )

#5. db.getRoles()

Returns information for all the roles in the database on which the command runs. We can use this method with or without an argument. If we run this method without an argument, the method returns the inheritance information for the user-defined roles of the database.

Example

The following query will return the documents for all the existing roles on the tutorials database and also includes role privilege and built-in role:

db.getRoles(
    {
      rolesInfo: 1,
      showPrivileges:true,
      showBuiltinRoles: true
    }
)

Output:

#6. db.updateRole(<rolename>, <update>, <writeConcern>)

The update role method is used to update a user-defined role. To update a user-defined role, it must run on the specified role's database. When we update a field, it will completely replace the old field's values.

In the case, we need to add or remove roles/privileges without replacing each value, we have to use one or more of the listed methods:

grantRolesToRole()
grantPrivilegesToRole()
revokeRolesFromRole()
revokePrivilegesFromRole()

Example

The example below will replace the privileges and the roles for the librarian role that exists in the tutorial database. The method runs on the database that contains librarian:

use tutorial
db.updateRole(
    "librarian",
    {
      privileges:
          [
            {
              resource: { db:"tutorials", collection:"books" },
              actions: [ "update", "createCollection", "createIndex"]
            }
          ],
      roles:
          [
            {
              role: "read",
              db: "products"
            }
          ]
    },
    { w:"majority" }
)

Shell Output and example: