DOCSP-28090 user-roles-in-aggregations (#3235)

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

* DOCSP-28090-user-roles-in-aggregations

---------

Co-authored-by: jason-price-mongodb <[email protected]>

Author: jason-price-mongodb

source/core/views/create-view.txt

@@ -76,11 +76,11 @@ Some operations are not available with views:
 
 For more information, see :ref:`views-supported-operations`.
 
-Example
--------
+Examples
+--------
 
-This example populates a collection with student data and creates a view
-to query the data.
+The first example populates a collection with student data and creates a
+view to query the data.
 
 Populate the Collection
 ~~~~~~~~~~~~~~~~~~~~~~~
@@ -202,6 +202,129 @@ lowercase letters.
      { sID: 17301, name: 'harley', year: 6, score: 3.1 }
    ]
 
+.. _create-view-user-roles-system-variable-example:
+
+Retrieve Documents for Roles Granted to the Current User
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/user-roles-system-variable-introduction.rst
+
+Perform the following steps to create a view and retrieve the documents
+accessible to ``John``:
+
+.. procedure::
+   :style: normal
+
+   .. step:: Create the view
+
+      .. include:: /includes/user-roles-system-variable-example-description-start.rst
+
+      Run:
+
+      .. code-block:: javascript
+         :emphasize-lines: 7
+
+         db.createView(
+            "budgetView", "budget",
+            [ {
+               $match: {
+                  $expr: {
+                     $not: {
+                        $eq: [ { $setIntersection: [ "$allowedRoles", "$$USER_ROLES.role" ] }, [] ]
+                     }
+                  }
+               }
+            } ]
+         )
+
+      If you cannot create the view, ensure you log in as a user with
+      the privilege to create a view.
+
+      .. include:: /includes/user-roles-system-variable-example-description.rst
+
+   .. step:: Log in as John
+
+      .. include:: /includes/user-roles-system-variable-example-login-john.rst
+
+   .. step:: Retrieve the documents
+
+      Run:
+
+      .. code-block:: javascript
+
+         db.budgetView.find()
+
+   .. step:: Examine the documents
+
+      .. include:: /includes/user-roles-system-variable-example-output-john.rst
+
+Perform the following steps to retrieve the documents accessible to
+Jane:
+
+.. procedure::
+   :style: normal
+
+   .. step:: Log in as ``Jane``
+
+      .. include:: /includes/user-roles-system-variable-example-login-jane.rst
+
+   .. step:: Retrieve the documents
+
+      Run:
+
+      .. code-block:: javascript
+
+         db.budgetView.find()
+
+   .. step:: Examine the documents
+
+      .. include:: /includes/user-roles-system-variable-example-output-jane.rst
+
+Roles with the Same Name in Multiple Databases
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Multiple databases can have roles with the same name. If you create a
+view and reference a specific role in the view, you should either
+specify both the ``db`` database name field and the ``role`` field, or
+specify the ``_id`` field that contains the database name and the role.
+
+The following example returns the roles assigned to ``Jane``, who has
+roles with different names. The example returns the ``_id``, ``role``,
+and ``db`` database name:
+
+.. procedure::
+   :style: normal
+
+   .. step:: Log in as ``Jane``
+
+      .. include:: /includes/user-roles-system-variable-example-login-jane.rst
+
+   .. step:: Retrieve the documents
+
+      Run:
+
+      .. code-block:: javascript
+
+         db.budget.findOne( {}, { myRoles: "$$USER_ROLES" } )
+
+   .. step:: Examine the documents
+
+      Example output, which shows the ``_id``, ``role``, and ``db``
+      database name in the ``myRoles`` array:
+
+      .. code-block:: javascript
+         :copyable: false
+         :emphasize-lines: 3-6
+
+         {
+            _id: 0,
+            myRoles: [
+               { _id: 'test.Operations', role: 'Operations', db: 'test' },
+               { _id: 'test.Sales', role: 'Sales', db: 'test' },
+               { _id: 'test.read', role: 'read', db: 'test' }
+            ]
+         }
+
 Behavior
 --------
 

source/includes/user-roles-system-variable-example-description-start.rst

@@ -0,0 +1,3 @@
+To use a system variable, add ``$$`` to the start of the variable name.
+The ``USER_ROLES`` system variable is specified as ``$$USER_ROLES`` as
+shown in the following example.

source/includes/user-roles-system-variable-example-description.rst

@@ -0,0 +1,6 @@
+The previous example returns the documents from the ``budget``
+collection that match at least one of the roles that the user who runs
+the example has. To do that, the example uses
+:expression:`$setIntersection` to return documents where the
+intersection between the ``budget`` document ``allowedRoles`` field and
+the set of user roles from ``$$USER_ROLES`` is not empty.

source/includes/user-roles-system-variable-example-find.rst

@@ -0,0 +1,12 @@
+Run:
+
+.. code-block:: javascript
+   :emphasize-lines: 4
+
+   db.budget.find( {
+      $expr: {
+         $not: {
+            $eq: [ { $setIntersection: [ "$allowedRoles", "$$USER_ROLES.role" ] }, [] ]
+         }
+      }
+   } )

source/includes/user-roles-system-variable-example-login-jane.rst

@@ -0,0 +1,5 @@
+Run:
+
+.. code-block:: javascript
+
+   db.auth( "Jane", "je009" )

source/includes/user-roles-system-variable-example-login-john.rst

@@ -0,0 +1,5 @@
+Run:
+
+.. code-block:: javascript
+
+   db.auth( "John", "jn008" )

source/includes/user-roles-system-variable-example-output-jane.rst

@@ -0,0 +1,22 @@
+``Jane`` has the ``Sales`` and ``Operations`` roles, and sees these
+documents:
+
+.. code-block:: javascript
+   :copyable: false
+
+   [
+      {
+         _id: 1,
+         allowedRoles: [ 'Sales' ],
+         comment: 'For sales team',
+         yearlyBudget: 17000,
+         salesEventsBudget: 1000
+      },
+      {
+         _id: 2,
+         allowedRoles: [ 'Operations' ],
+         comment: 'For operations team',
+         yearlyBudget: 19000,
+         cloudBudget: 12000
+      }
+   ]

source/includes/user-roles-system-variable-example-output-john.rst

@@ -0,0 +1,27 @@
+``John`` has the ``Marketing``, ``Operations``, and ``Development``
+roles, and sees these documents:
+
+.. code-block:: javascript
+   :copyable: false
+
+   [
+      {
+         _id: 0,
+         allowedRoles: [ 'Marketing' ],
+         comment: 'For marketing team',
+         yearlyBudget: 15000
+      },
+      {
+         _id: 2,
+         allowedRoles: [ 'Operations' ],
+         comment: 'For operations team',
+         yearlyBudget: 19000,
+         cloudBudget: 12000
+      },
+      {
+         _id: 3,
+         allowedRoles: [ 'Development' ],
+         comment: 'For development team',
+         yearlyBudget: 27000
+      }
+   ]

source/includes/user-roles-system-variable-example-pipeline.rst

@@ -0,0 +1,14 @@
+Run:
+
+.. code-block:: javascript
+   :emphasize-lines: 5
+
+   db.budget.aggregate( [ {
+      $match: {
+         $expr: {
+            $not: {
+               $eq: [ { $setIntersection: [ "$allowedRoles", "$$USER_ROLES.role" ] }, [] ]
+            }
+         }
+      }
+   } ] )

source/includes/user-roles-system-variable-examples-list.rst

@@ -0,0 +1,4 @@
+For examples that include ``USER_ROLES``, see the :ref:`find example
+<find-user-roles-system-variable-example>`, :ref:`aggregation example
+<setIntersection-user-roles-system-variable-example>`, and the
+:ref:`view example <create-view-user-roles-system-variable-example>`.