db.revokeRolesFromUser()
On this page
Definition
db.revokeRolesFromUser()Removes a one or more roles from a user on the current database. The
db.revokeRolesFromUser()method uses the following syntax:db.revokeRolesFromUser( "<username>", [ <roles> ], { <writeConcern> } ) The
db.revokeRolesFromUser()method takes the following arguments:ParameterTypeDescriptionuserstringThe name of the user from whom to revoke roles.rolesarrayThe roles to remove from the user.writeConcerndocumentOptional. The level of write concern for the modification. ThewriteConcerndocument takes the same fields as thegetLastErrorcommand.In the
rolesfield, you can specify both built-in roles and user-defined roles.To specify a role that exists in the same database where
db.revokeRolesFromUser()runs, you can either specify the role with the name of the role:"readWrite" Or you can specify the role with a document, as in:
{ role: "<role>", db: "<database>" } To specify a role that exists in a different database, specify the role with a document.
The
db.revokeRolesFromUser()method wraps therevokeRolesFromUsercommand.
Behavior
Replica set
If run on a replica set, db.revokeRolesFromUser() is executed using
"majority" write concern by default.
Required Access
You must have the revokeRole action on a database to revoke a role on that database.
Example
The accountUser01 user in the products database has the following
roles:
"roles" : [ { "role" : "assetsReader", "db" : "assets" }, { "role" : "read", "db" : "stock" }, { "role" : "readWrite", "db" : "products" } ]
The following db.revokeRolesFromUser() method removes the two of
the user's roles: the read role on the stock database and
the readWrite role on the products database, which is also
the database on which the method runs:
use products db.revokeRolesFromUser( "accountUser01", [ { role: "read", db: "stock" }, "readWrite" ], { w: "majority" } )
The user accountUser01 user in the products database now has only
one remaining role:
"roles" : [ { "role" : "assetsReader", "db" : "assets" } ]