revokeRolesFromUser

This version of the documentation is archived and no longer supported. View the current documentation to learn how to upgrade your version of MongoDB.

Definition

revokeRolesFromUser

Removes a one or more roles from a user on the database where the roles exist. The revokeRolesFromUser command uses the following syntax:

{ revokeRolesFromUser: "<user>",
  roles: [
    { role: "<role>", db: "<database>" } | "<role>",
    ...
  ],
  writeConcern: { <write concern> },
  comment: <any>
}

The command has the following fields:

Field	Type	Description
`revokeRolesFromUser`	string	The user to remove roles from.
`roles`	array	The roles to remove from the user.
`writeConcern`	document	Optional. The level of write concern for the modification. The `writeConcern` document takes the same fields as the `getLastError` command.
`comment`	any	Optional. A user-provided comment to attach to this command. Once set, this comment appears alongside records of this command in the following locations: mongod log messages, in the `attr.command.cursor.comment` field. Database profiler output, in the `command.comment` field. `currentOp` output, in the `command.comment` field. A comment can be any valid BSON type (string, integer, object, array, etc). New in version 4.4.

In the roles field, you can specify both built-in roles and user-defined roles.

To specify a role that exists in the same database where revokeRolesFromUser runs, you can either specify the role with the name of the role:

"readWrite"

Or you can specify the role with a document, as in:

{ role: "<role>", db: "<database>" }

To specify a role that exists in a different database, specify the role with a document.

Required Access

You must have the revokeRole action on a database to revoke a role on that database.

Example

The accountUser01 user in the products database has the following roles:

"roles" : [
    { "role" : "assetsReader",
      "db" : "assets"
    },
    { "role" : "read",
      "db" : "stock"
    },
    { "role" : "readWrite",
      "db" : "products"
    }
]

The following revokeRolesFromUser command removes the two of the user's roles: the read role on the stock database and the readWrite role on the products database, which is also the database on which the command runs:

use products
db.runCommand( { revokeRolesFromUser: "accountUser01",
                 roles: [
                          { role: "read", db: "stock" },
                          "readWrite"
                 ],
                 writeConcern: { w: "majority" }
             } )

The user accountUser01 in the products database now has only one remaining role:

"roles" : [
    { "role" : "assetsReader",
      "db" : "assets"
    }
]

Back

grantRolesToUser

updateUser