db.grantPrivilegesToRole()

db.grantPrivilegesToRole(rolename, privileges, writeConcern)

Grants additional privileges to a user-defined role.

The db.grantPrivilegesToRole() method uses the following syntax:

db.grantPrivilegesToRole(
    "<rolename>",
    [
        { resource: { <resource> }, actions: [ "<action>", ... ] },
        ...
    ],
    { <writeConcern> }
)

The db.grantPrivilegesToRole() method takes the following arguments:

| Parameter | Type | Description |
|---|---|---|
| rolename | string | The name of the role to grant privileges to. |
| privileges | array | The privileges to add to the role. For the format of a privilege, see privileges. |
| writeConcern | document | Optional. The level of write concern for the operation. See Write Concern Specification. |

The db.grantPrivilegesToRole() method can grant one or more privileges. Each <privilege> has the following syntax:

{ resource: { <resource> }, actions: [ "<action>", ... ] }

The db.grantPrivilegesToRole() method wraps the grantPrivilegesToRole command.

If run on a replica set, db.grantPrivilegesToRole() is executed using "majority" write concern by default.

Except for roles created in the admin database, a role can only include privileges that apply to its database.

A role created in the admin database can include privileges that apply to the admin database, other databases or to the cluster resource.

You must have the grantRole action on the database a privilege targets in order to grant the privilege. To grant a privilege on multiple databases or on the cluster resource, you must have the grantRole action on the admin database.

The following db.grantPrivilegesToRole() operation grants two additional privileges to the role inventoryCntrl01, which exists on the products database. The operation is run on that database:

use products
db.grantPrivilegesToRole(
    "inventoryCntrl01",
    [
        {
            resource: { db: "products", collection: "" },
            actions: [ "insert" ]
        },
        {
            resource: { db: "products", collection: "system.js" },
            actions: [ "find" ]
        }
    ],
    { w: "majority" }
)

The first privilege permits users with this role to perform the insert action on all collections of the products database, except the system collections. To access a system collection, a privilege must explicitly specify the system collection in the resource document, as in the second privilege.

The second privilege permits users with this role to perform the find action on the products database's system collection named system.js.
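The scoping and required-access rules above can be checked before a grant is issued. The following is an added example, not MongoDB's own code: checkGrant() and its return shape are hypothetical names, and it assumes resource documents of the form { db, collection } or { cluster: true }, where an empty db string addresses every database.

```javascript
// Added example: checkGrant() and its return shape are hypothetical, not MongoDB APIs.
function checkGrant(roleDb, privileges) {
  const problems = [];
  const notes = [];
  const targetDbs = new Set();
  let needsAdmin = false; // true when the grantor needs grantRole on admin
  const inAdmin = roleDb === "admin";

  privileges.forEach((p, i) => {
    const res = p.resource || {};
    if (!Array.isArray(p.actions) || p.actions.length === 0) {
      problems.push(`privilege ${i}: actions must be a non-empty array`);
    }
    if (res.cluster === true) {
      needsAdmin = true;
      if (!inAdmin) problems.push(`privilege ${i}: cluster resource needs a role created in admin`);
    } else if (typeof res.db === "string" && typeof res.collection === "string") {
      if (res.db === "") {
        // db: "" addresses every database, so it counts as "multiple databases".
        needsAdmin = true;
        if (!inAdmin) problems.push(`privilege ${i}: all-database resource needs a role created in admin`);
      } else {
        targetDbs.add(res.db);
        if (!inAdmin && res.db !== roleDb) {
          problems.push(`privilege ${i}: targets "${res.db}" but the role lives in "${roleDb}"`);
        }
      }
      if (res.collection === "") {
        notes.push(`privilege ${i}: collection "" excludes system collections`);
      }
    } else {
      problems.push(`privilege ${i}: unrecognized resource document`);
    }
  });

  if (targetDbs.size > 1) needsAdmin = true;
  const grantRoleOn = needsAdmin ? ["admin"] : [...targetDbs];
  return { ok: problems.length === 0, problems, notes, grantRoleOn };
}

// The two privileges from the page's example, checked for the role on "products".
const pageExample = [
  { resource: { db: "products", collection: "" }, actions: ["insert"] },
  { resource: { db: "products", collection: "system.js" }, actions: ["find"] },
];
console.log(checkGrant("products", pageExample));
// Constructed counter-example: a products role cannot hold a privilege on another database.
console.log(checkGrant("products", [{ resource: { db: "sales", collection: "orders" }, actions: ["find"] }]));
```

The grantRoleOn field lists the databases on which the caller needs the grantRole action, which is useful when reviewing who is allowed to widen a role.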
