Modify a User’s Access

Overview

When a user’s responsibilities change, modify the user’s access to include only those roles the user requires. This follows the policy of least privilege.

To change a user’s access, first determine the privileges the user needs and then determine the roles that grant those privileges. Grant and revoke roles using the db.grantRolesToUser() and db.revokeRolesFromUser() methods.

For an overview of roles and privileges, see Authorization. For descriptions of the access each built-in role provides, see the section on built-in roles.

Prerequisites

You must have the grantRole action on a database to grant a role on that database.

You must have the revokeRole action on a database to revoke a role on that database.

To view a role’s information, you must be explicitly granted the role or must have the viewRole action on the role’s database.

Procedure

1. Connect to MongoDB with the appropriate privileges.

Connect to the mongod or mongos either through the localhost exception or as a user with the privileges required in the Prerequisites section.

The following example operation connects to MongoDB as an authenticated user named manager:

mongo --port 27017 -u manager -p 12345678 --authenticationDatabase admin

2. Verify your privileges.

Use the usersInfo command with the showPrivileges option.

The following example operation checks privileges for a user connected as manager:

db.runCommand(
  {
    usersInfo:"manager",
    showPrivileges:true
  }
)

The resulting users document displays the privileges granted to manager.

3. Identify the user’s roles and privileges.

To display the roles and privileges of the user to be modified, use the db.getUser() and db.getRole() methods, as described in Verify User Privileges.

To display the privileges granted by siteRole01 on the current database, issue:

db.getRole( "siteRole01", { showPrivileges: true } )

4. Identify the privileges to grant or revoke.

Determine which role contains the privileges, and only those privileges. If no such role exists, granting the privileges requires creating a new role with that specific set of privileges. To revoke a subset of the privileges provided by an existing role: revoke the original role, create a new role that contains the privileges to keep, and then grant that role to the user.

5. Modify the user’s access.

Revoke a Role

Revoke a role with the db.revokeRolesFromUser() method. Access revocations apply as soon as the user next tries to run a command. On a mongos, revocations are instant on the mongos on which the command ran, but there is up to a 10-minute delay before the user cache is updated on the other mongos instances in the cluster. The following example operation removes the readWrite role on the accounts database from the accountUser01 user’s existing roles:

use accounts
db.revokeRolesFromUser(
    "accountUser01",
    [
      { role: "readWrite", db: "accounts" }
    ]
)

Grant a Role

Grant a role using the db.grantRolesToUser() method. For example, the following operation grants the accountUser01 user the read role on the records database:

use accounts
db.grantRolesToUser(
    "accountUser01",
    [
      { role: "read", db: "records" }
    ]
)
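The following is an added example, not code from the MongoDB documentation. It carries steps 3 to 5 through offline as a planning function: given the user's current roles in the shape db.getUser() returns, role definitions in the shape db.getRole(name, { showPrivileges: true }) returns, and the set of privileges the user now needs, it decides which roles to revoke (any role that grants something no longer required), which existing roles to grant, and whether a new role with exactly the remaining privileges has to be created, then builds the revokeRolesFromUser, createRole and grantRolesToUser command documents that the shell helpers send to the server. It goes slightly beyond the page by letting several existing roles cover the need together before falling back to a single new role. The user and role documents are constructed samples and deliberately trimmed (the real built-in read and readWrite roles carry more actions than shown); the new role name is a hypothetical parameter.

```javascript
// Constructed sample in the shape of db.getUser("accountUser01") (trimmed).
const USER = {
  user: 'accountUser01',
  db: 'accounts',
  roles: [{ role: 'readWrite', db: 'accounts' }],
};

// Constructed, trimmed role definitions in the shape of
// db.getRole(name, { showPrivileges: true }), keyed by "db.role".
const ROLES = {
  'accounts.readWrite': {
    role: 'readWrite', db: 'accounts',
    privileges: [{ resource: { db: 'accounts', collection: '' },
                   actions: ['find', 'insert', 'update', 'remove'] }],
  },
  'accounts.read': {
    role: 'read', db: 'accounts',
    privileges: [{ resource: { db: 'accounts', collection: '' }, actions: ['find'] }],
  },
  'records.read': {
    role: 'read', db: 'records',
    privileges: [{ resource: { db: 'records', collection: '' }, actions: ['find'] }],
  },
};

// Flatten privileges into atomic "db/collection:action" strings so that set
// comparison does not depend on how actions are grouped per resource.
// (Simplification: a db-level resource and a collection-level one are kept distinct.)
function atomicPrivileges(doc) {
  const out = new Set();
  for (const p of doc.privileges) {
    const res = `${p.resource.db}/${p.resource.collection}`;
    for (const action of p.actions) out.add(`${res}:${action}`);
  }
  return out;
}

// Regroup atomic privileges into the { resource, actions } form createRole expects.
function groupPrivileges(atomics) {
  const byResource = new Map();
  for (const a of atomics) {
    const [res, action] = a.split(':');
    const [db, collection] = res.split('/');
    if (!byResource.has(res)) byResource.set(res, { resource: { db, collection }, actions: [] });
    byResource.get(res).actions.push(action);
  }
  return [...byResource.values()].map(p => ({ resource: p.resource, actions: p.actions.sort() }));
}

const isSubset = (a, b) => [...a].every(x => b.has(x));

// required: array of { resource, actions } the user now needs.
// newRoleName: hypothetical name used only if no existing roles fit exactly.
function planAccessChange(user, roleDefs, required, newRoleName) {
  const need = atomicPrivileges({ privileges: required });
  const revoke = [], keep = [];
  for (const r of user.roles) {
    const def = roleDefs[`${r.db}.${r.role}`];
    if (!def) throw new Error(`no definition for role ${r.db}.${r.role}`);
    // Least privilege: keep a role only if everything it grants is still required.
    (isSubset(atomicPrivileges(def), need) ? keep : revoke).push(r);
  }
  const remaining = new Set(need);
  for (const r of keep) {
    for (const a of atomicPrivileges(roleDefs[`${r.db}.${r.role}`])) remaining.delete(a);
  }
  // Try to cover what is left with existing roles, largest first, granting only
  // roles that fit entirely inside the remaining need.
  const grant = [];
  const rest = new Set(remaining);
  const candidates = Object.values(roleDefs)
    .sort((x, y) => atomicPrivileges(y).size - atomicPrivileges(x).size);
  for (const d of candidates) {
    const atoms = atomicPrivileges(d);
    if (atoms.size > 0 && isSubset(atoms, rest)) {
      grant.push({ role: d.role, db: d.db });
      for (const a of atoms) rest.delete(a);
    }
  }
  const create = [];
  if (rest.size > 0) {
    // No combination of existing roles matches exactly: as step 4 describes,
    // create one role holding precisely the privileges still needed and grant it.
    grant.length = 0;
    create.push({ db: user.db, role: newRoleName, privileges: groupPrivileges(remaining) });
    grant.push({ role: newRoleName, db: user.db });
  }
  return { revoke, grant, create };
}

// Command documents behind the shell helpers, in the order step 4 prescribes
// (revoke, create, grant), each tagged with the database it must run against.
function toCommands(user, plan) {
  const cmds = [];
  if (plan.revoke.length) cmds.push({ db: user.db, command: { revokeRolesFromUser: user.user, roles: plan.revoke } });
  for (const c of plan.create) cmds.push({ db: c.db, command: { createRole: c.role, privileges: c.privileges, roles: [] } });
  if (plan.grant.length) cmds.push({ db: user.db, command: { grantRolesToUser: user.user, roles: plan.grant } });
  return cmds;
}

// Scenario: accountUser01 moves to read-only on accounts plus read on records.
const plan = planAccessChange(USER, ROLES, [
  { resource: { db: 'accounts', collection: '' }, actions: ['find'] },
  { resource: { db: 'records', collection: '' }, actions: ['find'] },
], 'accountsCustom01');
console.log(JSON.stringify(toCommands(USER, plan), null, 2));
```

Each entry in the output names the database to switch to with `use` before running the command through db.runCommand(), mirroring the `use accounts` lines in the examples above; the revoke is emitted before the grant so the user never holds the old and new roles at once.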