rolesInfo
On this page
- Definition
- Syntax
- Command Fields
- Behavior
- Return Information for a Single Role
- Return Information for Multiple Roles
- Return Information for All Roles in the Database
- Required Access
- Output
- Examples
- View Information for a Single Role
- View Information for Multiple Roles
- View All User-Defined Roles for a Database
- View All User-Defined and Built-In Roles for a Database
- View Authentication Restrictions for Roles
Definition
rolesInfo
Returns inheritance and privilege information for specified roles, including both user-defined roles and built-in roles.
The
rolesInfo
command can also retrieve all roles scoped to a database.
Syntax
The command has the following syntax:
db.runCommand( { rolesInfo: { role: <name>, db: <db> }, showAuthenticationRestrictions: <Boolean>, showBuiltinRoles: <Boolean>, showPrivileges: <Boolean>, comment: <any> } )
Command Fields
The command takes the following fields:
Field | Type | Description |
---|---|---|
rolesInfo | string, document, array, or integer | The role(s) to return information about. For the syntax for specifying
roles, see Behavior. |
showAuthenticationRestrictions | boolean | Optional. Set this field to By default, this field is |
showBuiltinRoles | boolean | Optional. When the rolesInfo field is set to 1 , set
showBuiltinRoles to true to include built-in roles in the output. By default, this field is set to
false , and the output for rolesInfo: 1 displays only
user-defined roles. |
showPrivileges | boolean | Optional. Set the field to true to show role privileges,
including both privileges inherited from other roles and
privileges defined directly. By default, the command returns only
the roles from which this role inherits privileges and does not
return specific privileges. |
comment | any | Optional. A user-provided comment to attach to this command. Once set, this comment appears alongside records of this command in the following locations:
A comment can be any valid BSON type (string, integer, object, array, etc). New in version 4.4. |
Behavior
Return Information for a Single Role
To specify a role from the current database, specify the role by its name:
{ rolesInfo: "<rolename>" }
To specify a role from another database, specify the role by a document that specifies the role and database:
{ rolesInfo: { role: "<rolename>", db: "<database>" } }
Return Information for Multiple Roles
To specify multiple roles, use an array. Specify each role in the array as a document or string. Use a string only if the role exists on the database on which the command runs:
{ rolesInfo: [ "<rolename>", { role: "<rolename>", db: "<database>" }, ... ] }
Return Information for All Roles in the Database
To specify all roles in the database on which the command runs, specify
rolesInfo: 1
. By default MongoDB displays all the user-defined roles in the database. To include built-in roles as well, include the parameter-value pair
showBuiltinRoles: true
:
{ rolesInfo: 1, showBuiltinRoles: true }
Required Access
To view a role's information, you must be either explicitly granted the
role or must have the viewRole
action on the role's database.
Output
rolesInfo.db
The database on which the role is defined. Every database has built-in roles. A database might also have user-defined roles.
rolesInfo.isBuiltin
A value of
true
indicates the role is a built-in role. A value offalse
indicates the role is a user-defined role.
rolesInfo.roles
The roles that directly provide privileges to this role and the databases on which the roles are defined.
rolesInfo.inheritedRoles
All roles from which this role inherits privileges. This includes the roles in the
rolesInfo.roles
array as well as the roles from which the roles in therolesInfo.roles
array inherit privileges. All privileges apply to the current role. The documents in this field list the roles and the databases on which they are defined.
rolesInfo.privileges
The privileges directly specified by this role; i.e. the array excludes privileges inherited from other roles. By default the output does not include the
privileges
field. To include the field, specifyshowPrivileges: true
when running therolesInfo
command.Each privilege document specifies the resources and the actions allowed on the resources.
rolesInfo.inheritedPrivileges
All privileges granted by this role, including those inherited from other roles. By default the output does not include the
inheritedPrivileges
field. To include the field, specifyshowPrivileges: true
when running therolesInfo
command.Each privilege document specifies the resources and the actions allowed on the resources.
Examples
The examples in this section show how to use the rolesInfo
command
to:
View Information for a Single Role
The following command returns the role inheritance information for the
role associate
defined in the products
database:
db.runCommand( { rolesInfo: { role: "associate", db: "products" } } )
The following command returns the role inheritance information for the role
siteManager
on the database on which the command runs:
db.runCommand( { rolesInfo: "siteManager" } )
The following command returns both the role inheritance and the privileges
for the role associate
defined on the products
database:
db.runCommand( { rolesInfo: { role: "associate", db: "products" }, showPrivileges: true } )
View Information for Multiple Roles
The following command returns information for two roles on two different databases:
db.runCommand( { rolesInfo: [ { role: "associate", db: "products" }, { role: "manager", db: "resources" } ] } )
The following returns both the role inheritance and the privileges:
db.runCommand( { rolesInfo: [ { role: "associate", db: "products" }, { role: "manager", db: "resources" } ], showPrivileges: true } )
View All User-Defined Roles for a Database
The following operation returns all user-defined roles on the database on which the command runs and includes privileges:
db.runCommand( { rolesInfo: 1, showPrivileges: true } )
Example output (shortened for readability):
{ roles: [ { _id: 'products.associate', role: 'associate', db: 'products', privileges: [ { resource: { db: 'products', collection: '' }, actions: [ 'bypassDocumentValidation' ] } ], roles: [ { role: 'readWrite', db: 'products' } ], isBuiltin: false, inheritedRoles: [ { role: 'readWrite', db: 'products' } ], inheritedPrivileges: [ { resource: { db: 'products', collection: '' }, actions: [ 'bypassDocumentValidation' ] }, { resource: { db: 'products', collection: '' }, actions: [ 'changeStream', 'collStats', 'compactStructuredEncryptionData', ... ] }, ... ] } ], ok: 1 }
View All User-Defined and Built-In Roles for a Database
The following operation returns all roles on the database on which the command runs, including both built-in and user-defined roles:
db.runCommand( { rolesInfo: 1, showBuiltinRoles: true } )
Example output (shortened for readability):
{ roles: [ { role: 'enableSharding', db: 'products', isBuiltin: true, roles: [], inheritedRoles: [] }, { role: 'userAdmin', db: 'products', isBuiltin: true, roles: [], inheritedRoles: [] }, { role: 'read', db: 'products', isBuiltin: true, roles: [], inheritedRoles: [] }, ... ], ok: 1 }
View Authentication Restrictions for Roles
The following operation returns all user-defined roles on the
products
database and includes authentication restrictions:
db.runCommand( { rolesInfo: 1, showAuthenticationRestrictions: true } )
Example output:
{ roles: [ { _id: 'products.associate', role: 'associate', db: 'products', roles: [ { role: 'readWrite', db: 'products' } ], authenticationRestrictions: [ [ { clientSource: [ '198.51.100.0' ] } ] ], isBuiltin: false, inheritedRoles: [ { role: 'readWrite', db: 'products' } ], inheritedAuthenticationRestrictions: [ [ { clientSource: [ '198.51.100.0' ] } ] ] } ], ok: 1 }