OPTIONS

db.grantPrivilegesToRole()

Definition

db.grantPrivilegesToRole(rolename, privileges, writeConcern)

Grants additional privileges to a user-defined role.

The grantPrivilegesToRole() method uses the following syntax:

db.grantPrivilegesToRole(
    "< rolename >",
    [
        { resource: { <resource> }, actions: [ "<action>", ... ] },
        ...
    ],
    { < writeConcern > }
)

The grantPrivilegesToRole() method takes the following arguments:

Parameter Type Description
rolename string The name of the role to grant privileges to.
privileges array The privileges to add to the role. For the format of a privilege, see privileges.
writeConcern document Optional. The level of write concern for the modification. The writeConcern document takes the same fields as the getLastError command.

The grantPrivilegesToRole() method can grant one or more privileges. Each <privilege> has the following syntax:

{ resource: { <resource> }, actions: [ "<action>", ... ] }

The db.grantPrivilegesToRole() method wraps the grantPrivilegesToRole command.

Behavior

A role’s privileges apply to the database where the role is created. A role created on the admin database can include privileges that apply to all databases or to the cluster.

Required Access

You must have the grantRole action on the database a privilege targets in order to grant the privilege. To grant a privilege on multiple databases or on the cluster resource, you must have the grantRole action on the admin database.

Example

The following db.grantPrivilegesToRole() operation grants two additional privileges to the role inventoryCntrl01, which exists on the products database. The operation is run on that database:

use products
db.grantPrivilegesToRole(
  "inventoryCntrl01",
  [
    {
      resource: { db: "products", collection: "" },
      actions: [ "insert" ]
    },
    {
      resource: { db: "products", collection: "system.indexes" },
      actions: [ "find" ]
    }
  ],
  { w: "majority" }
)

The first privilege permits users with this role to perform the insert action on all collections of the products database, except the system collections. To access a system collection, a privilege must explicitly specify the system collection in the resource document, as in the second privilege.

The second privilege permits users with this role to perform the find action on the product database’s system collection named system.indexes.