(DOCSP-32350): Revamped Users and Roles tutorial. (#4874)

corryroot · web-flow · commit b35359457ed4 · 2023-10-10T13:03:58.000-04:00
* (DOCSP-32350): Revamped Users and Roles tutorial. * (DOCSP-32350): Incorporated Sarah's feedback. * (DOCSP-32350): Incorporated Jack's feedback. * (DOCSP-32350): Incorporated Jack's feedback.
diff --git a/snooty.toml b/snooty.toml
@@ -241,7 +241,13 @@ sbe-title = "Slot-Based Query Execution Engine"
 version = "{+version+}"
 version-last = "{+version-last+}"
 year = "2022"
+ui-org-menu = ":icon-mms:`office` :guilabel:`Organizations` menu"
+
 [constants]
+atlas-admin-api = "Atlas Administration API"
+atlas-cli = "Atlas CLI"
+atlas-ui = "Atlas UI"
+mongosh = ":binary:`~bin.mongosh`"
 package-branch = "testing" # testing for dev rc releases
 windows-dir-version = "6.0" # wizard
 package-name-org = "mongodb-org"
diff --git a/source/includes/atlas-user-defined-roles.rst b/source/includes/atlas-user-defined-roles.rst
@@ -0,0 +1,126 @@
+.. _add-custom-role-atlas:
+
+Add a Custom User-Defined Role in {+atlas+}
+-----------------------------------------------
+
+You can create custom user-defined roles in {+atlas+} when the 
+:ref:`built-in roles <atlas-user-privileges>` don't include your
+desired set of privileges. To learn more see, 
+:atlas:`Add Custom Roles 
+</security-add-mongodb-roles/#add-custom-roles>` in the {+atlas+} 
+documentation.
+
+.. See https://www.mongodb.com/docs/atlas/security-add-mongodb-roles/#add-custom-roles for source material.
+
+.. tabs::
+
+   .. tab:: {+atlas-cli+}
+      :tabid: atlascli
+
+      To create a custom database role for your project using the 
+      {+atlas-cli+}, run the following command:
+
+      .. code-block:: sh
+         
+         atlas customDbRoles create <roleName> [options]
+      
+      To learn more about the command syntax and parameters, see 
+      the {+atlas-cli+} documentation for 
+      :atlascli:`atlas customDbRoles create 
+      </command/atlas-customDbRoles-create/>`.
+
+   .. tab:: {+atlas-admin-api+}
+      :tabid: api
+
+      To create custom roles through the {+atlas-admin-api+}, 
+      see :oas-atlas-op:`Create One Custom Role 
+      </createCustomDatabaseRole>`.
+
+   .. tab:: {+atlas-ui+}
+      :tabid: ui
+
+      Follow these steps to create a custom role through the 
+      {+atlas-ui+}: 
+
+      .. procedure::
+         :style: normal
+
+         .. step:: Open the :guilabel:`Add Custom Role` dialog
+
+            a. In the :guilabel:`Security` section of the left 
+               navigation, click :guilabel:`Database Access`. 
+      
+            #. Click the :guilabel:`Custom Roles` tab.
+
+            #. Click :icon-fa5:`plus` 
+               :guilabel:`Add New Custom Role`.
+         
+         .. step:: Enter the information for the custom role
+
+            .. list-table::
+               :widths: 20 80
+               :header-rows: 1
+
+               * - Field
+
+                 - Description
+
+               * - :guilabel:`Custom Role Name`
+
+                 - Name of your custom role.
+
+               * - :guilabel:`Action or Role`
+
+                 - Privileges granted by the role. Click the 
+                   drop-down menu to view the list of available 
+                   :manual:`privilege actions 
+                   </reference/privilege-actions/>` and 
+                   :manual:`roles </reference/built-in-roles/>`.
+
+                   {+atlas+} groups the actions and roles into 
+                   the following categories:
+
+                   - ``Collection Actions``
+                   - ``Database Actions and Roles``
+                   - ``Global Actions and Roles``
+                   - ``Custom Roles`` (if any)
+
+                   Select the action or role from a single 
+                   category. Once you select an action or role, 
+                   {+atlas+} disables the other categories with 
+                   the following exception. If you select an 
+                   action or role from the 
+                   :guilabel:`Global Actions and Roles`, you can 
+                   still select actions/roles from 
+                   :guilabel:`Custom Roles`.
+
+                   To grant actions and roles from a different 
+                   category, click :guilabel:`Add an action or role` to 
+                   add a new row.
+
+               * - :guilabel:`Database`
+
+                 - Database on which the selected actions and 
+                   roles are granted, if applicable.
+
+                   {+atlas+} requires this field for all roles 
+                   and actions under the 
+                   :guilabel:`Collection Actions` and
+                   :guilabel:`Database Actions and Roles` 
+                   categories.
+
+               * - :guilabel:`Collection`
+
+                 - Collection within the specified database on 
+                   which the actions and roles are granted, if 
+                   applicable.
+
+                   {+atlas+} requires this field for all roles 
+                   and actions under 
+                   :guilabel:`Collection Actions`.
+
+                   To grant the same set of privileges on 
+                   multiple databases and collections, click 
+                   :guilabel:`Add a database or collection`.
+
+         .. step:: Click :guilabel:`Add Custom Role`
diff --git a/source/includes/self-managed-user-defined-roles.rst b/source/includes/self-managed-user-defined-roles.rst
@@ -0,0 +1,65 @@
+.. _define-roles-prereq:
+
+Prerequisites
+-------------
+
+.. include:: /includes/access-create-role.rst
+
+To add custom user-defined roles with {+mongosh+}, see the 
+following examples:
+
+- :ref:`create-role-to-manage-ops`.
+- :ref:`create-role-for-mongostat`.
+- :ref:`create-role-for-system-views`.
+
+.. _create-role-to-manage-ops:
+
+Create a Role to Manage Current Operations
+------------------------------------------
+
+The following example creates a role named ``manageOpRole`` which
+provides only the privileges to run both :method:`db.currentOp()` 
+and :method:`db.killOp()`. [#built-in-roles1]_
+
+.. note::
+
+   Starting in MongoDB 3.2.9, users do not need any specific 
+   privileges to view or kill their own operations on 
+   :binary:`~bin.mongod` instances. See :method:`db.currentOp()` 
+   and :method:`db.killOp()` for details.
+
+.. include:: /includes/steps/create-role-manage-ops.rst
+
+.. [#built-in-roles1] 
+   The built-in role :authrole:`clusterMonitor` also provides the
+   privilege to run :method:`db.currentOp()` along with other
+   privileges, and the built-in role :authrole:`hostManager` 
+   provides the privilege to run :method:`db.killOp()` along with 
+   other privileges.
+
+.. _create-role-for-mongostat:
+
+Create a Role to Run ``mongostat``
+----------------------------------
+
+The following example creates a role named ``mongostatRole`` that 
+provides only the privileges to run :binary:`~bin.mongostat`.
+[#built-in-roles2]_
+
+.. include:: /includes/steps/create-role-mongostat.rst
+
+.. [#built-in-roles2] The built-in role
+   :authrole:`clusterMonitor` also provides the privilege to run
+   :binary:`~bin.mongostat` along with other
+   privileges.
+
+.. _create-role-for-system-views:
+
+Create a Role to Drop ``system.views`` Collection across Databases
+------------------------------------------------------------------
+
+The following example creates a role named
+``dropSystemViewsAnyDatabase`` that provides the privileges to 
+drop the ``system.views`` collection in any database.
+
+.. include:: /includes/steps/create-role-dropSystemViews.rst
diff --git a/source/tutorial/manage-users-and-roles.txt b/source/tutorial/manage-users-and-roles.txt
