revokeRolesFromRole

Definition

  • revokeRolesFromRole
  • Removes the specified inherited roles from a role. TherevokeRolesFromRole command has the following syntax:
  1. { revokeRolesFromRole: "<role>",
  2.   roles: [
  3.     { role: "<role>", db: "<database>" } | "<role>",
  4.     ...
  5.   ],
  6.   writeConcern: { <write concern> }
  7. }

The command has the following fields:

FieldTypeDescriptionrevokeRolesFromRolestringThe role from which to remove inherited roles.rolesarrayThe inherited roles to remove.writeConcerndocumentOptional. The level of write concern to applyto this operation. The writeConcern document uses the same fieldsas the getLastError command.

In the roles field, you can specify bothbuilt-in roles and user-definedroles.

To specify a role that exists in the same database whererevokeRolesFromRole runs, you can either specify the role with the name ofthe role:

  1. "readWrite"

Or you can specify the role with a document, as in:

  1. { role: "<role>", db: "<database>" }

To specify a role that exists in a different database, specify the rolewith a document.

Required Access

You must have the revokeRoleaction on a database to revoke a role on that database.

Example

The purchaseAgents role in the emea database inherits privilegesfrom several other roles, as listed in the roles array:

  1. {
  2.    "_id" : "emea.purchaseAgents",
  3.    "role" : "purchaseAgents",
  4.    "db" : "emea",
  5.    "privileges" : [],
  6.    "roles" : [
  7.       {
  8.          "role" : "readOrdersCollection",
  9.          "db" : "emea"
  10.       },
  11.       {
  12.          "role" : "readAccountsCollection",
  13.          "db" : "emea"
  14.       },
  15.       {
  16.          "role" : "writeOrdersCollection",
  17.          "db" : "emea"
  18.       }
  19.    ]
  20. }

The following revokeRolesFromRole operation on the emeadatabase removes two roles from the purchaseAgents role:

  1. use emea
  2. db.runCommand( { revokeRolesFromRole: "purchaseAgents",
  3.                  roles: [
  4.                           "writeOrdersCollection",
  5.                           "readOrdersCollection"
  6.                         ],
  7.                   writeConcern: { w: "majority" , wtimeout: 5000 }
  8.              } )

The purchaseAgents role now contains just one role:

  1. {
  2.    "_id" : "emea.purchaseAgents",
  3.    "role" : "purchaseAgents",
  4.    "db" : "emea",
  5.    "privileges" : [],
  6.    "roles" : [
  7.       {
  8.          "role" : "readAccountsCollection",
  9.          "db" : "emea"
  10.       }
  11.    ]
  12. }