diff --git a/source/core/security-built-in-roles.txt b/source/core/security-built-in-roles.txt index b3c35995e6a..3b72ad6d2f4 100644 --- a/source/core/security-built-in-roles.txt +++ b/source/core/security-built-in-roles.txt @@ -36,18 +36,13 @@ Every database includes the following roles: * - :authrole:`read` - - Provides the ability to read data on all *non*-system collections and on the - following system collections: :data:`system.indexes <.system.indexes>`, - :data:`system.js <.system.js>`, and :data:`system.namespaces - <.system.namespaces>` collections. + - .. include:: /includes/extracts/built-in-roles-read.rst For the specific privileges granted by the role, see :authrole:`read`. * - :authrole:`readWrite` - - Provides all the privileges of the :authrole:`read` role and the ability to modify - data on all *non*-system collections and the :data:`system.js - <.system.js>` collection. + - .. include:: /includes/extracts/built-in-roles-read-write.rst For the specific privileges granted by the role, see :authrole:`readWrite`. 
@@ -66,28 +61,18 @@ Every database includes the following database administration roles: * - :authrole:`dbAdmin` - - Provides the ability to perform administrative tasks such as - schema-related tasks, indexing, gathering statistics. This role - does not grant privileges for user and role management. + - .. include:: /includes/extracts/built-in-roles-dbAdmin.rst For the specific privileges granted by the role, see :authrole:`dbAdmin`. * - :authrole:`dbOwner` - - Provides the ability to perform any administrative action on the - database. This role combines the privileges granted by the - :authrole:`readWrite`, :authrole:`dbAdmin` and - :authrole:`userAdmin` roles. + - .. include:: /includes/extracts/built-in-roles-dbOwner.rst * - :authrole:`userAdmin` - - Provides the ability to create and modify roles and users on the - current database. Since the :authrole:`userAdmin` role allows - users to grant any privilege to any user, including themselves, - the role also indirectly provides :ref:`superuser ` - access to either the database or, if scoped to the ``admin`` - database, the cluster. + - .. include:: /includes/extracts/built-in-roles-userAdmin.rst For the specific privileges granted by the role, see :authrole:`userAdmin`. @@ -95,10 +80,7 @@ Every database includes the following database administration roles: Cluster Administration Roles ---------------------------- -The ``admin`` database includes the following roles for administering the -whole system rather than a specific database. These roles include but are -not limited to :term:`replica set` and :term:`sharded cluster` -administrative functions. +.. include:: /includes/extracts/built-in-roles-cluster-admin-roles.rst .. list-table:: :header-rows: 1 
@@ -109,32 +91,25 @@ administrative functions. * - :authrole:`clusterAdmin` - - Provides the greatest cluster-management access. This role combines the - privileges granted by the :authrole:`clusterManager`, - :authrole:`clusterMonitor`, and :authrole:`hostManager` roles. - Additionally, the role provides the :authaction:`dropDatabase` action. + - .. include:: /includes/extracts/built-in-roles-clusterAdmin.rst * - :authrole:`clusterManager` - - Provides management and monitoring actions on the cluster. A - user with this role can access the ``config`` and ``local`` - databases, which are used in sharding and replication, - respectively. + - .. include:: /includes/extracts/built-in-roles-clusterManager.rst For the specific privileges granted by the role, see :authrole:`clusterManager`. * - :authrole:`clusterMonitor` - - Provides read-only access to monitoring tools, such as the |mms-home| - and :opsmgr:`Ops Manager ` monitoring agent. + - .. include:: /includes/extracts/built-in-roles-clusterMonitor.rst For the specific privileges granted by the role, see :authrole:`clusterMonitor`. * - :authrole:`hostManager` - - Provides the ability to monitor and manage servers. + - .. include:: /includes/extracts/built-in-roles-hostMonitor.rst For the specific privileges granted by the role, see :authrole:`hostManager`. @@ -142,8 +117,7 @@ administrative functions. Backup and Restoration Roles ---------------------------- -The ``admin`` database includes the following roles for backing up and -restoring data: +.. include:: /includes/extracts/built-in-roles-backup-roles.rst .. list-table:: :header-rows: 1 
@@ -154,19 +128,14 @@ restoring data: * - :authrole:`backup` - - Provides privileges needed to back up data. This role provides - sufficient privileges to use the |mms-home| backup agent, - :opsmgr:`Ops Manager ` backup agent, or to use - :binary:`~bin.mongodump`. + - .. include:: /includes/extracts/built-in-roles-backup.rst For the specific privileges granted by the role, see :authrole:`backup`. * - :authrole:`restore` - - Provides privileges needed to restore data with - :binary:`~bin.mongorestore` without the :option:`--oplogReplay ` - option or without ``system.profile`` collection data. + - .. include:: /includes/extracts/built-in-roles-restore.rst For the specific privileges granted by the role, see :authrole:`restore`. @@ -176,10 +145,7 @@ restoring data: All-Database Roles ------------------ -.. versionchanged:: 3.4 - -These roles in the ``admin`` database apply to all but the ``local`` -and ``config`` databases in a :binary:`~bin.mongod` instance: +.. include:: /includes/extracts/built-in-roles-all-database-roles.rst .. list-table:: :header-rows: 1 
@@ -190,53 +156,34 @@ and ``config`` databases in a :binary:`~bin.mongod` instance: * - :authrole:`readAnyDatabase` - - Provides the same read-only permissions as :authrole:`read`, - except it applies to all but the ``local`` and ``config`` - databases in the cluster. The role also provides the - :authaction:`listDatabases` action on the cluster as a whole. + - .. include:: /includes/extracts/built-in-roles-readAnyDatabase.rst For the specific privileges granted by the role, see :authrole:`readAnyDatabase`. .. versionchanged:: 3.4 - Prior to 3.4, :authrole:`readAnyDatabase` includes ``local`` - and ``config`` databases. To provide ``read`` privileges on - the ``local`` database, create a user in the ``admin`` - database with :authrole:`read` role in the ``local`` - database. See also :authrole:`clusterManager` role for access - to the ``config`` and ``local`` databases. + .. include:: /includes/extracts/built-in-roles-readAnyDatabase-prior.rst * - :authrole:`readWriteAnyDatabase` - - Provides the same read and write permissions as - :authrole:`readWrite`, except it applies to all but the - ``local`` and ``config`` databases in the cluster. The role also - provides the :authaction:`listDatabases` action on the cluster - as a whole. + - .. include:: /includes/extracts/built-in-roles-readWriteAnyDatabase.rst For the specific privileges granted by the role, see :authrole:`readWriteAnyDatabase`. .. versionchanged:: 3.4 - Prior to 3.4, :authrole:`readWriteAnyDatabase` includes - ``local`` and ``config`` databases. To provide ``readWrite`` - privileges on the ``local`` database, create a user in the - ``admin`` database with :authrole:`readWrite` role in the - ``local`` database. See also :authrole:`clusterManager` role - for access to the ``config`` and ``local`` databases. + .. 
include:: /includes/extracts/built-in-roles-readWriteAnyDatabase-prior.rst * - :authrole:`userAdminAnyDatabase` - - Provides the same access to user administration operations as - :authrole:`userAdmin`, except it applies to all but the - ``local`` and ``config`` databases in the cluster. + - .. include:: /includes/extracts/built-in-roles-userAdminAnyDatabase.rst Since the :authrole:`userAdminAnyDatabase` role allows users to grant any privilege to any user, including themselves, the role also indirectly provides :ref:`superuser ` access. - + For the specific privileges granted by the role, see :authrole:`userAdminAnyDatabase`. @@ -247,23 +194,14 @@ and ``config`` databases in a :binary:`~bin.mongod` instance: * - :authrole:`dbAdminAnyDatabase` - - Provides the same access to database administration operations - as :authrole:`dbAdmin`, except it applies to all but the - ``local`` and ``config`` databases in the cluster. The role also - provides the :authaction:`listDatabases` action on the cluster - as a whole. + - .. include:: /includes/extracts/built-in-roles-dbAdminAnyDatabase.rst For the specific privileges granted by the role, see :authrole:`dbAdminAnyDatabase`. .. versionchanged:: 3.4 - Prior to 3.4, :authrole:`dbAdminAnyDatabase` includes - ``local`` and ``config`` databases. To provide ``dbAdmin`` - privileges on the ``local`` database, create a user in the - ``admin`` database with :authrole:`dbAdmin` role in the - ``local`` database. See also :authrole:`clusterManager` role - for access to the ``config`` and ``local`` databases. + .. include:: /includes/extracts/built-in-roles-dbAdminAnyDatabase-prior.rst Superuser Roles --------------- 
@@ -279,11 +217,7 @@ The following role provides full privileges on all resources: * - :authrole:`root` - - Provides access to the operations and all the resources of the - :authrole:`readWriteAnyDatabase`, - :authrole:`dbAdminAnyDatabase`, :authrole:`userAdminAnyDatabase`, - :authrole:`clusterAdmin`, :authrole:`restore`, and - :authrole:`backup` *combined*. + - .. include:: /includes/extracts/built-in-roles-root.rst For the specific privileges granted by the role, see :authrole:`root`. @@ -306,6 +240,6 @@ Internal Role **Do not** assign this role to user objects representing applications or human administrators, other than in exceptional circumstances. - For more information, see :authrole:`root`. + For more information, see :authrole:`__system`. .. seealso:: :doc:`/reference/built-in-roles` diff --git a/source/includes/extracts-built-in-roles.yaml b/source/includes/extracts-built-in-roles.yaml new file mode 100644 index 00000000000..9fda6d81494 --- /dev/null +++ b/source/includes/extracts-built-in-roles.yaml 
@@ -0,0 +1,157 @@ +ref: built-in-roles-read +content: | + Provides the ability to read data on all *non*-system collections and on + the following system collections: :data:`system.indexes <.system.indexes>`, + :data:`system.js <.system.js>`, and + :data:`system.namespaces <.system.namespaces>` collections. +--- +ref: built-in-roles-read-write +content: | + Provides all the privileges of the :authrole:`read` role plus ability to + modify data on all *non*-system collections and the :data:`system.js + <.system.js>` collection. +--- +ref: built-in-roles-dbAdmin +content: | + Provides the ability to perform administrative tasks such as + schema-related tasks, indexing, and gathering statistics. This role + does not grant privileges for user and role management. +--- +ref: built-in-roles-dbOwner +content: | + The database owner can perform any administrative action on the database. + This role combines the privileges granted by the :authrole:`readWrite`, + :authrole:`dbAdmin` and :authrole:`userAdmin` roles. +--- +ref: built-in-roles-userAdmin +content: | + Provides the ability to create and modify roles and users on the + current database. Since the :authrole:`userAdmin` role allows + users to grant any privilege to any user, including themselves, + the role also indirectly provides :ref:`superuser ` + access to either the database or, if scoped to the ``admin`` + database, the cluster. +--- +ref: built-in-roles-cluster-admin-roles +content: | + The ``admin`` database includes the following roles for administering the + whole system rather than just a single database. These roles include but are + not limited to :term:`replica set` and :term:`sharded cluster` administrative + functions. +--- +ref: built-in-roles-clusterAdmin +content: | + Provides the greatest cluster-management access. This role combines the + privileges granted by the :authrole:`clusterManager`, + :authrole:`clusterMonitor`, and :authrole:`hostManager` roles. 
+ Additionally, the role provides the :authaction:`dropDatabase` action. +--- +ref: built-in-roles-clusterManager +content: | + Provides management and monitoring actions on the cluster. A + user with this role can access the ``config`` and ``local`` + databases, which are used in sharding and replication, + respectively. +--- +ref: built-in-roles-clusterMonitor +content: | + Provides read-only access to monitoring tools, such as the |mms-home| + and :opsmgr:`Ops Manager ` monitoring agent. +--- +ref: built-in-roles-hostMonitor +content: | + Provides the ability to monitor and manage servers. +--- +ref: built-in-roles-backup-roles +content: | + The ``admin`` database includes the following roles for backing up and + restoring data: +--- +ref: built-in-roles-backup +content: | + Provides minimal privileges needed for backing up data. This role + provides sufficient privileges to use the |mms-home| backup agent, + :opsmgr:`Ops Manager ` backup agent, or to use + :binary:`~bin.mongodump` to back up an entire :binary:`~bin.mongod` instance. +--- +ref: built-in-roles-restore +content: | + .. versionchanged:: 3.6 + + Provides :authaction:`convertToCapped` on non-system collections. + + Provides privileges needed to restore data from backups that do not + include :data:`system.profile <.system.profile>` + collection data. This role is sufficient when restoring data with + :binary:`~bin.mongorestore` without the :option:`--oplogReplay + ` option. +--- +ref: built-in-roles-all-database-roles +content: | + .. versionchanged:: 3.4 + + The following roles are available on the ``admin`` database and provide + privileges which apply to all databases except ``local`` and + ``config``: +--- +ref: built-in-roles-readAnyDatabase +content: | + Provides the same read-only privileges as :authrole:`read` on all databases + except ``local`` and ``config``. The role also provides the + :authaction:`listDatabases` action on the cluster as a whole. 
+--- +ref: built-in-roles-readAnyDatabase-prior +content: | + Prior to 3.4, :authrole:`readAnyDatabase` includes ``local`` and + ``config`` databases. To provide ``read`` privileges on the + ``local`` database, create a user in the ``admin`` database with + :authrole:`read` role in the ``local`` database. See also + :authrole:`clusterManager` and :authrole:`clusterMonitor` role + for access to the ``config`` and ``local`` databases. +--- +ref: built-in-roles-readWriteAnyDatabase +content: | + Provides the same read-only privileges as :authrole:`readWrite` on + all databases except ``local`` and ``config``. The role also + provides the :authaction:`listDatabases` action on the cluster as a + whole. +--- +ref: built-in-roles-readWriteAnyDatabase-prior +content: | + Prior to 3.4, :authrole:`readWriteAnyDatabase` includes ``local`` + and ``config`` databases. To provide ``readWrite`` privileges on + the ``local`` database, create a user in the ``admin`` database + with :authrole:`readWrite` role in the ``local`` database. See + also :authrole:`clusterManager` and :authrole:`clusterMonitor` + role for access to the ``config`` and ``local`` databases. +--- +ref: built-in-roles-dbAdminAnyDatabase +content: | + Provides the same read-only privileges as :authrole:`dbAdmin` on + all databases except ``local`` and ``config``. The role also + provides the :authaction:`listDatabases` action on the cluster as + a whole. +--- +ref: built-in-roles-dbAdminAnyDatabase-prior +content: | + Prior to 3.4, :authrole:`dbAdminAnyDatabase` includes ``local`` + and ``config`` databases. To provide ``dbAdmin`` privileges on + the ``local`` database, create a user in the ``admin`` database + with :authrole:`dbAdmin` role in the ``local`` database. See also + :authrole:`clusterManager` and :authrole:`clusterMonitor` role + for access to the ``config`` and ``local`` databases. 
+--- +ref: built-in-roles-userAdminAnyDatabase +content: | + Provides the same access to user administration operations as + :authrole:`userAdmin` on all databases except ``local`` and + ``config``. +--- +ref: built-in-roles-root +content: | + Provides access to the operations and all the resources of the + :authrole:`readWriteAnyDatabase`, + :authrole:`dbAdminAnyDatabase`, :authrole:`userAdminAnyDatabase`, + :authrole:`clusterAdmin`, :authrole:`restore`, and + :authrole:`backup` *combined*. +... \ No newline at end of file diff --git a/source/includes/fact-required-access-for-backup-profiling.rst b/source/includes/fact-required-access-for-backup-profiling.rst index 89d05d2f5f3..89aee10e04d 100644 --- a/source/includes/fact-required-access-for-backup-profiling.rst +++ b/source/includes/fact-required-access-for-backup-profiling.rst @@ -2,6 +2,6 @@ The :authrole:`backup` role provides additional privileges to back up the :data:`system.profile <.system.profile>` - collections that exist when running with :ref:`database profiling - `. Previously, users required an additional + collection that exists when running with :ref:`database profiling + `. Previously, users required ``read`` access on this collection. diff --git a/source/reference/built-in-roles.txt b/source/reference/built-in-roles.txt index aa59cb66eb6..1a02ce7cd2d 100644 --- a/source/reference/built-in-roles.txt +++ b/source/reference/built-in-roles.txt 
@@ -47,11 +47,9 @@ Every database includes the following client roles: .. authrole:: read - Provides the ability to read data on all *non*-system collections and on - the following system collections: :data:`system.indexes - <.system.indexes>`, :data:`system.js <.system.js>`, and - :data:`system.namespaces <.system.namespaces>` collections. The - role provides read access by granting the following :ref:`actions + .. include:: /includes/extracts/built-in-roles-read.rst + + The role provides read access by granting the following :ref:`actions `: - :authaction:`collStats` @@ -64,10 +62,9 @@ Every database includes the following client roles: .. authrole:: readWrite - Provides all the privileges of the :authrole:`read` role plus ability to - modify data on all *non*-system collections and the :data:`system.js - <.system.js>` collection. The role provides the following - actions on those collections: + .. include:: /includes/extracts/built-in-roles-read-write.rst + + The role provides the following actions on those collections: - :authaction:`collStats` - :authaction:`convertToCapped` @@ -95,6 +92,8 @@ Every database includes the following database administration roles: .. authrole:: dbAdmin + .. include:: /includes/extracts/built-in-roles-dbAdmin.rst + Provides the following :ref:`actions ` on the database's :data:`system.indexes <.system.indexes>`, :data:`system.namespaces <.system.namespaces>`, and @@ -112,9 +111,9 @@ Every database includes the following database administration roles: .. versionchanged:: 2.6.4 :authrole:`dbAdmin` added the :authaction:`createCollection` - for the :data:`system.profile <.system.profile>` + action for the :data:`system.profile <.system.profile>` collection. Previous versions only had the - :authaction:`dropCollection` on the :data:`system.profile + :authaction:`dropCollection` action on the :data:`system.profile <.system.profile>` collection. Provides the following actions on all *non*-system 
@@ -140,15 +139,11 @@ Every database includes the following database administration roles: .. authrole:: dbOwner - The database owner can perform any administrative action on the database. - This role combines the privileges granted by the :authrole:`readWrite`, - :authrole:`dbAdmin` and :authrole:`userAdmin` roles. + .. include:: /includes/extracts/built-in-roles-dbOwner.rst .. authrole:: userAdmin - Provides the ability to create and modify roles and users for a database. - A user with this role on a database can assign any role or privilege - to any user for that database, including themselves. + .. include:: /includes/extracts/built-in-roles-userAdmin.rst The :authrole:`userAdmin` role explicitly provides the following actions: @@ -181,25 +176,17 @@ Every database includes the following database administration roles: Cluster Administration Roles ---------------------------- -The ``admin`` database includes the following roles for administering the -whole system rather than just a single database. These roles include but are -not limited to :term:`replica set` and :term:`sharded cluster` administrative -functions. +.. include:: /includes/extracts/built-in-roles-cluster-admin-roles.rst .. authrole:: clusterAdmin - Provides the greatest cluster-management access. This role combines the - privileges granted by the :authrole:`clusterManager`, - :authrole:`clusterMonitor`, and :authrole:`hostManager` roles. - Additionally, the role provides the :authaction:`dropDatabase` action. + .. include:: /includes/extracts/built-in-roles-clusterAdmin.rst .. authrole:: clusterManager .. versionchanged:: 3.4 - Provides management and monitoring actions on the cluster. A user with - this role can access the ``config`` and ``local`` databases, which are - used in sharding and replication, respectively. + .. include:: /includes/extracts/built-in-roles-clusterManager.rst Provides the following actions on the cluster as a whole: 
@@ -302,9 +289,7 @@ functions. .. versionchanged:: 3.4 - Provides read-only access to monitoring tools, such as the - |mms-home| and :opsmgr:`Ops Manager - ` monitoring agent. + .. include:: /includes/extracts/built-in-roles-clusterMonitor.rst Provides the following actions on the cluster as a whole: @@ -412,7 +397,7 @@ functions. .. authrole:: hostManager - Provides the ability to monitor and manage servers. + .. include:: /includes/extracts/built-in-roles-hostMonitor.rst Provides the following actions on the cluster as a whole: @@ -420,7 +405,6 @@ functions. - :authaction:`closeAllDatabases` - :authaction:`connPoolSync` - :authaction:`cpuProfiler` - - :authaction:`diagLogging` - :authaction:`flushRouterConfig` - :authaction:`fsync` - :authaction:`invalidateUserCache` @@ -445,17 +429,13 @@ functions. Backup and Restoration Roles ---------------------------- -The ``admin`` database includes the following roles for backing up and -restoring data: +.. include:: /includes/extracts/built-in-roles-backup-roles.rst .. authrole:: backup .. versionchanged:: 3.4 - Provides minimal privileges needed for backing up data. This role - provides sufficient privileges to use the |mms-home| backup agent, - :opsmgr:`Ops Manager ` backup agent, or to use - :binary:`~bin.mongodump` to back up an entire :binary:`~bin.mongod` instance. + .. include:: /includes/extracts/built-in-roles-backup.rst .. todo: should we document the mms.backup collection in the system-collections document? 
@@ -500,21 +480,14 @@ restoring data: - system.version Do we want to document these? - Provides :authaction:`insert` and :authaction:`update` action on the - :data:`config.settings` collection. + Provides the :authaction:`insert` and :authaction:`update` actions + on the :data:`config.settings` collection. .. include:: /includes/fact-required-access-for-backup-profiling.rst .. authrole:: restore - .. versionchanged:: 3.6 - - Provides :authaction:`convertToCapped` on non-system collections. - - Provides privileges needed to restore data from backups that do not - include :data:`system.profile <.system.profile>` - collection data. This role is sufficient when restoring data with - :binary:`~bin.mongorestore` without the :option:`--oplogReplay ` option. + .. include:: /includes/extracts/built-in-roles-restore.rst - .. include:: /includes/fact-restore-role-system.profile.rst 
@@ -622,53 +595,33 @@ restoring data: All-Database Roles ------------------ -.. versionchanged:: 3.4 - -The following roles are available only to users on the ``admin`` -database. These roles provide privileges which apply to all -collections except ``system.*`` collections on all databases -except ``local`` and ``config``: +.. include:: /includes/extracts/built-in-roles-all-database-roles.rst .. authrole:: readAnyDatabase - Provides the same read-only privileges as :authrole:`read` on all - databases except ``local`` and ``config``. - :authrole:`readAnyDatabase` also provides the - :authaction:`listDatabases` privilege action on the cluster. + .. include:: /includes/extracts/built-in-roles-readAnyDatabase.rst .. versionchanged:: 3.4 - :authrole:`readAnyDatabase` no longer - applies to the ``local`` and ``config`` databases. To provide - read privileges on ``local`` and ``config``, create a - user on the ``admin`` database with the :authrole:`read` - role on the ``local`` and ``config`` databases. + .. include:: /includes/extracts/built-in-roles-readAnyDatabase-prior.rst .. include:: /includes/seealso-cluster-manager.rst .. authrole:: readWriteAnyDatabase - Provides the same read and write privileges as - :authrole:`readWrite` on all databases except ``local`` and - ``config``. :authrole:`readWriteAnyDatabase` also provides the - :authaction:`listDatabases` privilege action on the cluster. + .. include:: /includes/extracts/built-in-roles-readWriteAnyDatabase.rst .. versionchanged:: 3.4 - :authrole:`readWriteAnyDatabase` no longer - applies to the ``local`` and ``config`` databases. To provide - read and write privileges on ``local`` and ``config``, - create a user on the ``admin`` database with the - :authrole:`readWrite` role on the ``local`` and ``config`` - databases. + .. include:: /includes/extracts/built-in-roles-readWriteAnyDatabase-prior.rst .. include:: /includes/seealso-cluster-manager.rst .. 
authrole:: userAdminAnyDatabase - Provides the same access to user administration operations as - :authrole:`userAdmin` on all databases except ``local`` and - ``config``. :authrole:`userAdminAnyDatabase` also provides the + .. include:: /includes/extracts/built-in-roles-userAdminAnyDatabase.rst + + :authrole:`userAdminAnyDatabase` also provides the following privilege actions on the cluster: - :authaction:`authSchemaUpgrade` @@ -711,19 +664,11 @@ except ``local`` and ``config``: .. authrole:: dbAdminAnyDatabase - Provides the same access to database administration operations as - :authrole:`dbAdmin` on all databases except ``local`` and - ``config``. :authrole:`dbAdminAnyDatabase` also provides the - :authaction:`listDatabases` privilege action on the cluster. + .. include:: /includes/extracts/built-in-roles-dbAdminAnyDatabase.rst .. versionchanged:: 3.4 - :authrole:`dbAdminAnyDatabase` no longer - applies to the ``local`` and ``config`` databases. - To provide ``dbAdmin`` privileges on ``local`` and ``config``, - create a user on the ``admin`` database with the - :authrole:`dbAdmin` role on the ``local`` and ``config`` - databases. + .. include:: /includes/extracts/built-in-roles-dbAdminAnyDatabase-prior.rst .. include:: /includes/seealso-cluster-manager.rst @@ -748,10 +693,7 @@ The following role provides full privileges on all resources: .. authrole:: root - Provides access to the operations and all the resources of the - :authrole:`readWriteAnyDatabase`, :authrole:`dbAdminAnyDatabase`, - :authrole:`userAdminAnyDatabase`, :authrole:`clusterAdmin` roles, - :authrole:`restore`, and :authrole:`backup` roles *combined*. + .. include:: /includes/extracts/built-in-roles-root.rst .. versionchanged:: 3.4 
@@ -760,13 +702,14 @@ The following role provides full privileges on all resources: .. versionchanged:: 3.0.7 - The :authrole:`root` has :authaction:`validate` action on - ``system.`` collections. Previously, :authrole:`root` does - **not** include any access to collections that begin with the + The :authrole:`root` has the :authaction:`validate` privilege + action on ``system.`` collections. Previously, :authrole:`root` + does **not** include any access to collections that begin with the ``system.`` prefix other than ``system.indexes`` and ``system.namespaces``. - The :authrole:`root` role includes privileges from the :authrole:`restore` role. + The :authrole:`root` role includes privileges from the + :authrole:`restore` role. Internal Role -------------
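Review bot: In the new `extracts-built-in-roles.yaml` hunk (`@@ -0,0 +1,157 @@`), `built-in-roles-readWriteAnyDatabase` and `built-in-roles-dbAdminAnyDatabase` both open with "Provides the same read-only privileges as ...", which misdescribes two write-capable roles; the overview text this replaces said "the same read and write permissions as :authrole:`readWrite`" and "the same access to database administration operations as :authrole:`dbAdmin`", and the deleted reference text says the same. Because the include now feeds both pages, the error lands twice, and this is the sentence an administrator reads before granting the role, so restore the original wording before merging. Smaller items in the same file: "plus ability to modify" in `built-in-roles-read-write` wants "plus the ability"; the three `-prior` extracts end "clusterManager and clusterMonitor role" (should be "roles"); `built-in-roles-dbOwner` is the only entry phrased as "The database owner can ..." rather than "Provides ..."; and the file ends with `...` and no trailing newline.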
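Review bot: In hunk `@@ -109,32 +91,25 @@` of security-built-in-roles.txt the hostManager row includes `/includes/extracts/built-in-roles-hostMonitor.rst`, and the YAML registers that extract as `ref: built-in-roles-hostMonitor`, yet the text it carries is the `:authrole:`hostManager`` description and no hostMonitor role appears on either page. Rename the ref to `built-in-roles-hostManager` and update this include together with the matching one in reference/built-in-roles.txt (hunk `@@ -412,7 +397,7 @@`) so the extract name matches the role it describes. In the same hunk the clusterAdmin row is the only row of the table without the closing "For the specific privileges granted by the role, see ..." sentence; add it for parity.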
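Review bot: In hunk `@@ -66,28 +61,18 @@` the dbOwner row lacks the "For the specific privileges granted by the role, see :authrole:`dbOwner`." sentence that the dbAdmin and userAdmin rows around it carry. Since dbOwner is described as combining readWrite, dbAdmin and userAdmin, a reader will want the link to the full privilege list; add the sentence after the include as the neighbouring rows do.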
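Review bot: In hunk `@@ -190,53 +156,34 @@` the userAdminAnyDatabase row keeps "Since the :authrole:`userAdminAnyDatabase` role allows users to grant any privilege to any user, including themselves, the role also indirectly provides superuser access" as page-local text after the include, whereas the equivalent warning for userAdmin was moved into the `built-in-roles-userAdmin` extract. Fold it into `built-in-roles-userAdminAnyDatabase` too, so the reference page entry (hunk `@@ -622,53 +595,33 @@`), which receives only the include, carries the same privilege-escalation warning; otherwise the two pages diverge on the most consequential fact about this role.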
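Review bot: In hunk `@@ -306,6 +240,6 @@` the Internal Role cross reference changes from `:authrole:`root`` to `:authrole:`__system``, which is the correct target for that paragraph, but it is an unrelated content fix inside a patch that otherwise only moves text into includes. Mention it in the commit message or split it out so the correction is findable in history.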
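Review bot: In hunk `@@ -420,7 +405,6 @@` of reference/built-in-roles.txt the line `- :authaction:`diagLogging`` is dropped from the hostManager action list with nothing in the diff explaining it, while every other change in the patch is a move into includes. A role's action list is what administrators audit against, so if the action was removed from the role in a particular server version, record that with a `.. versionchanged::` note as the surrounding entries do; if it was never granted by hostManager, say so in the commit message.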
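Review bot: In hunk `@@ -500,21 +480,14 @@` the line `.. include:: /includes/fact-restore-role-system.profile.rst` under `.. authrole:: restore` is deleted with no replacement, and the patch neither removes that file nor moves its content into the new `built-in-roles-restore` extract, which mentions `system.profile` only to say the role suffices for backups that do not include it. Confirm the dropped include is redundant or put it back. Also, moving the `.. versionchanged:: 3.6` block for `convertToCapped` into the extract means it now renders inside a list-table cell on the overview page (hunk `@@ -154,19 +128,14 @@`); check that the directive renders correctly in that context.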
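Review bot: In hunk `@@ -622,53 +595,33 @@` the deleted intro said these roles "apply to all collections except ``system.*`` collections on all databases except ``local`` and ``config``", but the `built-in-roles-all-database-roles` extract that replaces it says only "apply to all databases except ``local`` and ``config``", so the reference page loses the system.* boundary. If that qualifier is still accurate keep it in the extract; if it was wrong, the commit message should say so. In the same hunk each `-prior` extract already ends with "See also :authrole:`clusterManager` and :authrole:`clusterMonitor` role for access to the ``config`` and ``local`` databases", and the following `.. include:: /includes/seealso-cluster-manager.rst` is kept, so readAnyDatabase, readWriteAnyDatabase and dbAdminAnyDatabase now show the see-also twice in a row; drop one of the two.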