DOCS-11008: single-sourced built-in roles, updated April 30 2018

Author: steveren

source/core/security-built-in-roles.txt

@@ -36,18 +36,13 @@ Every database includes the following roles:
 
    * - :authrole:`read`
 
-     - Provides the ability to read data on all *non*-system collections and on the
-       following system collections: :data:`system.indexes <<database>.system.indexes>`,
-       :data:`system.js <<database>.system.js>`, and :data:`system.namespaces
-       <<database>.system.namespaces>` collections.
+     - .. include:: /includes/extracts/built-in-roles-read.rst
 
        For the specific privileges granted by the role, see :authrole:`read`.
 
    * - :authrole:`readWrite`
 
-     - Provides all the privileges of the :authrole:`read` role and the ability to modify
-       data on all *non*-system collections and the :data:`system.js
-       <<database>.system.js>` collection.
+     - .. include:: /includes/extracts/built-in-roles-read-write.rst
 
        For the specific privileges granted by the role, see
        :authrole:`readWrite`.
@@ -66,39 +61,26 @@ Every database includes the following database administration roles:
 
    * - :authrole:`dbAdmin`
 
-     - Provides the ability to perform administrative tasks such as
-       schema-related tasks, indexing, gathering statistics. This role
-       does not grant privileges for user and role management.
+     - .. include:: /includes/extracts/built-in-roles-dbAdmin.rst
 
        For the specific privileges granted by the role, see
        :authrole:`dbAdmin`.
 
    * - :authrole:`dbOwner`
 
-     - Provides the ability to perform any administrative action on the
-       database. This role combines the privileges granted by the
-       :authrole:`readWrite`, :authrole:`dbAdmin` and
-       :authrole:`userAdmin` roles.
+     - .. include:: /includes/extracts/built-in-roles-dbOwner.rst
 
    * - :authrole:`userAdmin`
 
-     - Provides the ability to create and modify roles and users on the
-       current database. Since the :authrole:`userAdmin` role allows
-       users to grant any privilege to any user, including themselves,
-       the role also indirectly provides :ref:`superuser <superuser>`
-       access to either the database or, if scoped to the ``admin``
-       database, the cluster.
+     - .. include:: /includes/extracts/built-in-roles-userAdmin.rst
 
        For the specific privileges granted by the role, see
        :authrole:`userAdmin`.
 
 Cluster Administration Roles
 ----------------------------
 
-The ``admin`` database includes the following roles for administering the
-whole system rather than a specific database. These roles include but are
-not limited to :term:`replica set` and :term:`sharded cluster`
-administrative functions.
+.. include:: /includes/extracts/built-in-roles-cluster-admin-roles.rst
 
 .. list-table::
    :header-rows: 1
@@ -109,41 +91,33 @@ administrative functions.
 
    * - :authrole:`clusterAdmin`
 
-     - Provides the greatest cluster-management access. This role combines the
-       privileges granted by the :authrole:`clusterManager`,
-       :authrole:`clusterMonitor`, and :authrole:`hostManager` roles.
-       Additionally, the role provides the :authaction:`dropDatabase` action.
+     - .. include:: /includes/extracts/built-in-roles-clusterAdmin.rst
 
    * - :authrole:`clusterManager`
 
-     - Provides management and monitoring actions on the cluster. A
-       user with this role can access the ``config`` and ``local``
-       databases, which are used in sharding and replication,
-       respectively.
+     - .. include:: /includes/extracts/built-in-roles-clusterManager.rst
 
        For the specific privileges granted by the role, see
        :authrole:`clusterManager`.
 
    * - :authrole:`clusterMonitor`
 
-     - Provides read-only access to monitoring tools, such as the |mms-home|
-       and :opsmgr:`Ops Manager </>` monitoring agent.
+     - .. include:: /includes/extracts/built-in-roles-clusterMonitor.rst
 
        For the specific privileges granted by the role, see
        :authrole:`clusterMonitor`.
 
    * - :authrole:`hostManager`
 
-     - Provides the ability to monitor and manage servers.
+     - .. include:: /includes/extracts/built-in-roles-hostMonitor.rst
 
        For the specific privileges granted by the role, see
        :authrole:`hostManager`.
 
 Backup and Restoration Roles
 ----------------------------
 
-The ``admin`` database includes the following roles for backing up and
-restoring data:
+.. include:: /includes/extracts/built-in-roles-backup-roles.rst
 
 .. list-table::
    :header-rows: 1
@@ -154,19 +128,14 @@ restoring data:
 
    * - :authrole:`backup`
 
-     - Provides privileges needed to back up data. This role provides
-       sufficient privileges to use the |mms-home| backup agent,
-       :opsmgr:`Ops Manager </>` backup agent, or to use
-       :binary:`~bin.mongodump`.
+     - .. include:: /includes/extracts/built-in-roles-backup.rst
 
        For the specific privileges granted by the role, see
        :authrole:`backup`.
 
    * - :authrole:`restore`
 
-     - Provides privileges needed to restore data with
-       :binary:`~bin.mongorestore` without the :option:`--oplogReplay <mongorestore --oplogReplay>`
-       option or without ``system.profile`` collection data.
+     - .. include:: /includes/extracts/built-in-roles-restore.rst
 
        For the specific privileges granted by the role, see
        :authrole:`restore`.
@@ -176,10 +145,7 @@ restoring data:
 All-Database Roles
 ------------------
 
-.. versionchanged:: 3.4
-
-These roles in the ``admin`` database apply to all but the ``local``
-and ``config`` databases in a :binary:`~bin.mongod` instance:
+.. include:: /includes/extracts/built-in-roles-all-database-roles.rst
 
 .. list-table::
    :header-rows: 1
@@ -190,53 +156,34 @@ and ``config`` databases in a :binary:`~bin.mongod` instance:
 
    * - :authrole:`readAnyDatabase`
 
-     - Provides the same read-only permissions as :authrole:`read`,
-       except it applies to all but the ``local`` and ``config``
-       databases in the cluster. The role also provides the
-       :authaction:`listDatabases` action on the cluster as a whole.
+     - .. include:: /includes/extracts/built-in-roles-readAnyDatabase.rst
 
        For the specific privileges granted by the role, see
        :authrole:`readAnyDatabase`.
 
        .. versionchanged:: 3.4
 
-          Prior to 3.4, :authrole:`readAnyDatabase` includes ``local``
-          and ``config`` databases. To provide ``read`` privileges on
-          the ``local`` database, create a user in the ``admin``
-          database with :authrole:`read` role in the ``local``
-          database. See also :authrole:`clusterManager` role for access
-          to the ``config`` and ``local`` databases.
+          .. include:: /includes/extracts/built-in-roles-readAnyDatabase-prior.rst
 
    * - :authrole:`readWriteAnyDatabase`
 
-     - Provides the same read and write permissions as
-       :authrole:`readWrite`, except it applies to all but the
-       ``local`` and ``config`` databases in the cluster. The role also
-       provides the :authaction:`listDatabases` action on the cluster
-       as a whole.
+     - .. include:: /includes/extracts/built-in-roles-readWriteAnyDatabase.rst
 
        For the specific privileges granted by the role, see
        :authrole:`readWriteAnyDatabase`.
 
        .. versionchanged:: 3.4
 
-          Prior to 3.4, :authrole:`readWriteAnyDatabase` includes
-          ``local`` and ``config`` databases. To provide ``readWrite``
-          privileges on the ``local`` database, create a user in the
-          ``admin`` database with :authrole:`readWrite` role in the
-          ``local`` database. See also :authrole:`clusterManager` role
-          for access to the ``config`` and ``local`` databases.
+          .. include:: /includes/extracts/built-in-roles-readWriteAnyDatabase-prior.rst
 
    * - :authrole:`userAdminAnyDatabase`
 
-     - Provides the same access to user administration operations as
-       :authrole:`userAdmin`, except it applies to all but the
-       ``local`` and ``config`` databases in the cluster.
+     - .. include:: /includes/extracts/built-in-roles-userAdminAnyDatabase.rst
 
        Since the :authrole:`userAdminAnyDatabase` role allows users to
        grant any privilege to any user, including themselves, the role
        also indirectly provides :ref:`superuser <superuser>` access.
-       
+
        For the specific privileges granted by the role, see
        :authrole:`userAdminAnyDatabase`.
 
@@ -247,23 +194,14 @@ and ``config`` databases in a :binary:`~bin.mongod` instance:
 
    * - :authrole:`dbAdminAnyDatabase`
 
-     - Provides the same access to database administration operations
-       as :authrole:`dbAdmin`, except it applies to all but the
-       ``local`` and ``config`` databases in the cluster. The role also
-       provides the :authaction:`listDatabases` action on the cluster
-       as a whole.
+     - .. include:: /includes/extracts/built-in-roles-dbAdminAnyDatabase.rst
 
        For the specific privileges granted by the role, see
        :authrole:`dbAdminAnyDatabase`.
 
        .. versionchanged:: 3.4
 
-          Prior to 3.4, :authrole:`dbAdminAnyDatabase` includes
-          ``local`` and ``config`` databases. To provide ``dbAdmin``
-          privileges on the ``local`` database, create a user in the
-          ``admin`` database with :authrole:`dbAdmin` role in the
-          ``local`` database. See also :authrole:`clusterManager` role
-          for access to the ``config`` and ``local`` databases.
+          .. include:: /includes/extracts/built-in-roles-dbAdminAnyDatabase-prior.rst
 
 Superuser Roles
 ---------------
@@ -279,11 +217,7 @@ The following role provides full privileges on all resources:
 
    * - :authrole:`root`
 
-     - Provides access to the operations and all the resources of the
-       :authrole:`readWriteAnyDatabase`,
-       :authrole:`dbAdminAnyDatabase`, :authrole:`userAdminAnyDatabase`,
-       :authrole:`clusterAdmin`, :authrole:`restore`, and
-       :authrole:`backup` *combined*.
+     - .. include:: /includes/extracts/built-in-roles-root.rst
 
        For the specific privileges granted by the role, see
        :authrole:`root`.
@@ -306,6 +240,6 @@ Internal Role
        **Do not** assign this role to user objects representing applications or
        human administrators, other than in exceptional circumstances.
 
-       For more information, see :authrole:`root`.
+       For more information, see :authrole:`__system`.
 
 .. seealso:: :doc:`/reference/built-in-roles`