Modify a User’s Access¶
Overview¶
When a user’s responsibilities change, modify the user’s access to include only those roles the user requires. This follows the policy of least privilege.
To change a user’s access, first determine the privileges the user needs and then determine the roles that grant those privileges. Grant and revoke roles using the db.grantRolesToUser() and db.revokeRolesFromUser() methods.
For an overview of roles and privileges, see Authorization. For descriptions of the access each built-in role provides, see the section on built-in roles.
Prerequisites¶
You must have the grantRole action on a database to grant a role on that database.
You must have the revokeRole action on a database to revoke a role on that database.
To view a role’s information, you must be explicitly granted the role or must have the viewRole action on the role’s database.
Procedure¶
Connect to MongoDB with the appropriate privileges.¶
Connect to mongod or mongos as a user with the privileges specified in the prerequisite section.
The following procedure uses the siteUserAdmin created in Create a User Administrator.
Identify the user’s roles and privileges.¶
To display the roles and privileges of the user to be modified, use the db.getUser() and db.getRole() methods.
For example, to view roles for reportsUser created in Add a User to a Database, issue:
To display the privileges granted to the user by the readWrite role on the "accounts" database, issue:
Identify the privileges to grant or revoke.¶
If the user requires additional privileges, grant to the user the role, or roles, with the required set of privileges. If such a role does not exist, create a new role with the appropriate set of privileges.
To revoke a subset of the privileges provided by an existing role, revoke the original role and grant a role that contains only the required privileges. If no such role exists, create a new role with that set of privileges.
Modify the user’s access.¶
Revoke a Role¶
Revoke a role with the db.revokeRolesFromUser() method.
The following example operation removes the readWrite role on the accounts database from the reportsUser:
Grant a Role¶
Grant a role using the db.grantRolesToUser() method. For example, the following operation grants the reportsUser user the read role on the accounts database:
For sharded clusters, the changes to the user are instant on the mongos on which the command runs. However, for other mongos instances in the cluster, the user cache may wait up to 10 minutes to refresh. See userCacheInvalidationIntervalSecs.
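As an added example (not from the MongoDB documentation), the following Node-runnable JavaScript carries the procedure above through offline: starting from documents shaped like the output of db.getUser() and db.getRole() with showPrivileges, it works out which roles to pass to db.revokeRolesFromUser() and db.grantRolesToUser() for reportsUser and flags any required action the target roles fail to cover or grant beyond the need. The user and role documents, their abbreviated action lists, and the planAccessChange helper are constructed for this example.

```javascript
// Added example, not from the MongoDB docs. Sample documents are constructed to
// mirror the shape of db.getUser() and db.getRole(name, {showPrivileges: true})
// output; the action lists are abbreviated, not the real built-in role contents.
const user = {
  _id: "accounts.reportsUser", user: "reportsUser", db: "accounts",
  roles: [{ role: "readWrite", db: "accounts" }]
};
const roleCatalog = {
  "accounts.readWrite": { privileges: [{ resource: { db: "accounts", collection: "" },
    actions: ["find", "insert", "update", "remove", "createIndex"] }] },
  "accounts.read": { privileges: [{ resource: { db: "accounts", collection: "" },
    actions: ["find", "listIndexes"] }] }
};
const key = r => `${r.db}.${r.role}`;

// Set of "db[.collection]:action" strings granted by a list of {role, db} refs.
function actionsOf(roleRefs) {
  const out = new Set();
  for (const r of roleRefs) {
    const doc = roleCatalog[key(r)];
    if (!doc) throw new Error(`unknown role ${key(r)}`);
    for (const p of doc.privileges) {
      const res = p.resource.db + (p.resource.collection ? "." + p.resource.collection : "");
      for (const a of p.actions) out.add(`${res}:${a}`);
    }
  }
  return out;
}

// Compare current roles with the roles the user should end up with. Returns the
// arrays for db.revokeRolesFromUser() / db.grantRolesToUser(), plus required
// actions the target roles miss and surplus actions they grant beyond the need.
function planAccessChange(userDoc, targetRoles, requiredActions) {
  const have = new Set(userDoc.roles.map(key));
  const want = new Set(targetRoles.map(key));
  const granted = actionsOf(targetRoles);
  return {
    revoke: userDoc.roles.filter(r => !want.has(key(r))),
    grant: targetRoles.filter(r => !have.has(key(r))),
    missing: requiredActions.filter(a => !granted.has(a)),
    surplus: [...granted].filter(a => !requiredActions.includes(a)),
  };
}

// reportsUser now only needs to read the accounts database.
const plan = planAccessChange(user, [{ role: "read", db: "accounts" }],
  ["accounts:find", "accounts:listIndexes"]);
console.log(plan);
// In mongosh: db.revokeRolesFromUser("reportsUser", plan.revoke);
//             db.grantRolesToUser("reportsUser", plan.grant);
```

A non-empty missing list means the chosen roles would leave the user unable to do their job; a non-empty surplus list means they still exceed least privilege and a narrower (possibly new) role is needed.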