revokeRolesFromUser
On this page
Definition
revokeRolesFromUser
Removes a one or more roles from a user on the database where the roles exist. The
revokeRolesFromUser
command uses the following syntax:{ revokeRolesFromUser: "<user>", roles: [ { role: "<role>", db: "<database>" } | "<role>", ... ], writeConcern: { <write concern> }, comment: <any> } The command has the following fields:
FieldTypeDescriptionrevokeRolesFromUser
stringThe user to remove roles from.roles
arrayThe roles to remove from the user.writeConcern
documentOptional. The level of write concern for the operation. See Write Concern Specification.
comment
anyOptional. A user-provided comment to attach to this command. Once set, this comment appears alongside records of this command in the following locations:
mongod log messages, in the
attr.command.cursor.comment
field.Database profiler output, in the
command.comment
field.currentOp
output, in thecommand.comment
field.
A comment can be any valid BSON type (string, integer, object, array, etc).
New in version 4.4.
In the
roles
field, you can specify both built-in roles and user-defined roles.To specify a role that exists in the same database where
revokeRolesFromUser
runs, you can either specify the role with the name of the role:"readWrite" Or you can specify the role with a document, as in:
{ role: "<role>", db: "<database>" } To specify a role that exists in a different database, specify the role with a document.
Required Access
You must have the revokeRole
action on a database to revoke a role on that database.
Example
The accountUser01
user in the products
database has the following
roles:
"roles" : [ { "role" : "assetsReader", "db" : "assets" }, { "role" : "read", "db" : "stock" }, { "role" : "readWrite", "db" : "products" } ]
The following revokeRolesFromUser
command removes the two of
the user's roles: the read
role on the stock
database and
the readWrite
role on the products
database, which is also
the database on which the command runs:
use products db.runCommand( { revokeRolesFromUser: "accountUser01", roles: [ { role: "read", db: "stock" }, "readWrite" ], writeConcern: { w: "majority" } } )
The user accountUser01
in the products
database now has only one
remaining role:
"roles" : [ { "role" : "assetsReader", "db" : "assets" } ]