Navigation
This version has reached end of life on October 2016. Learn more about upgrading your version of MongoDB.

Modify a User’s Access

Overview

When a user’s responsibilities change, modify the user’s access to include only those roles the user requires. This follows the policy of least privilege.

To change a user’s access, first determine the privileges the user needs and then determine the roles that grants those privileges. Grant and revoke roles using the db.grantRolesToUser() and db.revokeRolesFromUser() methods.

For an overview of roles and privileges, see Authorization. For descriptions of the access each built-in role provides, see the section on built-in roles.

Prerequisites

You must have the grantRole action on a database to grant a role on that database.

You must have the revokeRole action on a database to revoke a role on that database.

To view a role’s information, you must be explicitly granted the role or must have the viewRole action on the role’s database.

Procedure

1

Connect to MongoDB with the appropriate privileges.

Connect to mongod or mongos as a user with the privileges specified in the prerequisite section.

The following procedure uses the siteUserAdmin created in Create a User Administrator.

mongo --port 27017 -u siteUserAdmin -p password --authenticationDatabase admin
2

Identify the user’s roles and privileges.

To display the roles and privileges of the user to be modified, use the db.getUser() and db.getRole() methods.

For example, to view roles for reportsUser created in Add a User to a Database, issue:

use reporting
db.getUser("reportsUser")

To display the privileges granted to the user by the readWrite role on the "accounts" database, issue:

use accounts
db.getRole( "readWrite", { showPrivileges: true } )
3

Identify the privileges to grant or revoke.

If the user requires additional privileges, grant to the user the role, or roles, with the required set of privileges. If such a role does not exist, create a new role with the appropriate set of privileges.

To revoke a subset of privileges provided by an existing role: revoke the original role and grant a role that contains only the required privileges. You may need to create a new role if a role does not exist.

4

Modify the user’s access.

Revoke a Role

Revoke a role with the db.revokeRolesFromUser() method. The following example operation removes the readWrite role on the accounts database from the reportsUser:

use reporting
db.revokeRolesFromUser(
    "reportsUser",
    [
      { role: "readWrite", db: "accounts" }
    ]
)

Grant a Role

Grant a role using the db.grantRolesToUser() method. For example, the following operation grants the reportsUser user the read role on the accounts database:

use reporting
db.grantRolesToUser(
    "reportsUser",
    [
      { role: "read", db: "accounts" }
    ]
)

For sharded clusters, the changes to the user are instant on the mongos on which the command runs. However, for other mongos instances in the cluster, the user cache may wait up to 10 minutes to refresh. See userCacheInvalidationIntervalSecs.