Docs Menu
Docs Home
/ /
Role Management

rolesInfo (database command)

rolesInfo

Returns inheritance and privilege information for specified roles, including both user-defined roles and built-in roles.

The rolesInfo command can also retrieve all roles scoped to a database.

This command is available in deployments hosted in the following environments:

  • MongoDB Atlas: The fully managed service for MongoDB deployments in the cloud

Note

This command is supported in all MongoDB Atlas clusters. For information on Atlas support for all commands, see Unsupported Commands.

The command has the following syntax:

db.runCommand(
{
rolesInfo: { role: <name>, db: <db> },
showAuthenticationRestrictions: <Boolean>,
showBuiltinRoles: <Boolean>,
showPrivileges: <Boolean>,
comment: <any>
}
)

The command takes the following fields:

Field
Type
Description

rolesInfo

string, document, array, or integer

The role(s) to return information about. For the syntax for specifying roles, see Behavior.

showAuthenticationRestrictions

boolean

Optional. Set this field to true to include authentication restrictions in the output. Authentication restrictions indicate the IP addresses that users with this role can connect to and from.

By default, this field is false, meaning that the rolesInfo output does not include authentication restrictions.

showBuiltinRoles

boolean

Optional. When the rolesInfo field is set to 1, set showBuiltinRoles to true to include built-in roles in the output. By default, this field is set to false, and the output for rolesInfo: 1 displays only user-defined roles.

showPrivileges

boolean

Optional. Set the field to true to show role privileges, including both privileges inherited from other roles and privileges defined directly. By default, the command returns only the roles from which this role inherits privileges and does not return specific privileges.

comment

any

Optional. A user-provided comment to attach to this command. Once set, this comment appears alongside records of this command in the following locations:

A comment can be any valid BSON type (string, integer, object, array, etc).

To specify a role from the current database, specify the role by its name:

{ rolesInfo: "<rolename>" }

To specify a role from another database, specify the role by a document that specifies the role and database:

{ rolesInfo: { role: "<rolename>", db: "<database>" } }

To specify multiple roles, use an array. Specify each role in the array as a document or string. Use a string only if the role exists on the database on which the command runs:

{
rolesInfo: [
"<rolename>",
{ role: "<rolename>", db: "<database>" },
...
]
}

To specify all roles in the database on which the command runs, specify rolesInfo: 1. By default MongoDB displays all the user-defined roles in the database. To include built-in roles as well, include the parameter-value pair showBuiltinRoles: true:

{ rolesInfo: 1, showBuiltinRoles: true }

To view a role's information, you must be either explicitly granted the role or must have the viewRole action on the role's database.

rolesInfo.role

The name of the role.

rolesInfo.db

The database on which the role is defined. Every database has built-in roles. A database might also have user-defined roles.

rolesInfo.isBuiltin

A value of true indicates the role is a built-in role. A value of false indicates the role is a user-defined role.

rolesInfo.roles

The roles that directly provide privileges to this role and the databases on which the roles are defined.

rolesInfo.inheritedRoles

All roles from which this role inherits privileges. This includes the roles in the rolesInfo.roles array as well as the roles from which the roles in the rolesInfo.roles array inherit privileges. All privileges apply to the current role. The documents in this field list the roles and the databases on which they are defined.

rolesInfo.privileges

The privileges directly specified by this role; i.e. the array excludes privileges inherited from other roles. By default the output does not include the privileges field. To include the field, specify showPrivileges: true when running the rolesInfo command.

Each privilege document specifies the resources and the actions allowed on the resources.

rolesInfo.inheritedPrivileges

All privileges granted by this role, including those inherited from other roles. By default the output does not include the inheritedPrivileges field. To include the field, specify showPrivileges: true when running the rolesInfo command.

Each privilege document specifies the resources and the actions allowed on the resources.

The examples in this section show how to use the rolesInfo command to:

The following command returns the role inheritance information for the role associate defined in the products database:

db.runCommand(
{
rolesInfo: { role: "associate", db: "products" }
}
)

The following command returns the role inheritance information for the role siteManager on the database on which the command runs:

db.runCommand(
{
rolesInfo: "siteManager"
}
)

The following command returns both the role inheritance and the privileges for the role associate defined on the products database:

db.runCommand(
{
rolesInfo: { role: "associate", db: "products" },
showPrivileges: true
}
)

The following command returns information for two roles on two different databases:

db.runCommand(
{
rolesInfo: [
{ role: "associate", db: "products" },
{ role: "manager", db: "resources" }
]
}
)

The following returns both the role inheritance and the privileges:

db.runCommand(
{
rolesInfo: [
{ role: "associate", db: "products" },
{ role: "manager", db: "resources" }
],
showPrivileges: true
}
)

The following operation returns all user-defined roles on the database on which the command runs and includes privileges:

db.runCommand(
{
rolesInfo: 1,
showPrivileges: true
}
)

Example output (shortened for readability):

{
roles: [
{
_id: 'products.associate',
role: 'associate',
db: 'products',
privileges: [
{
resource: { db: 'products', collection: '' },
actions: [ 'bypassDocumentValidation' ]
}
],
roles: [ { role: 'readWrite', db: 'products' } ],
isBuiltin: false,
inheritedRoles: [ { role: 'readWrite', db: 'products' } ],
inheritedPrivileges: [
{
resource: { db: 'products', collection: '' },
actions: [ 'bypassDocumentValidation' ]
},
{
resource: { db: 'products', collection: '' },
actions: [
'changeStream',
'collStats',
'compactStructuredEncryptionData',
...
]
},
...
]
}
],
ok: 1
}

The following operation returns all roles on the database on which the command runs, including both built-in and user-defined roles:

db.runCommand(
{
rolesInfo: 1,
showBuiltinRoles: true
}
)

Example output (shortened for readability):

{
roles: [
{
role: 'enableSharding',
db: 'products',
isBuiltin: true,
roles: [],
inheritedRoles: []
},
{
role: 'userAdmin',
db: 'products',
isBuiltin: true,
roles: [],
inheritedRoles: []
},
{
role: 'read',
db: 'products',
isBuiltin: true,
roles: [],
inheritedRoles: []
},
...
],
ok: 1
}

The following operation returns all user-defined roles on the products database and includes authentication restrictions:

db.runCommand(
{
rolesInfo: 1,
showAuthenticationRestrictions: true
}
)

Example output:

{
roles: [
{
_id: 'products.associate',
role: 'associate',
db: 'products',
roles: [ { role: 'readWrite', db: 'products' } ],
authenticationRestrictions: [
[ { clientSource: [ '198.51.100.0' ] } ]
],
isBuiltin: false,
inheritedRoles: [ { role: 'readWrite', db: 'products' } ],
inheritedAuthenticationRestrictions: [
[ { clientSource: [ '198.51.100.0' ] } ]
]
}
],
ok: 1
}

Back

revokeRolesFromRole