DOCS-2308 assign a user a role

bin/builddata/htaccess-next.yaml

@@ -712,6 +712,13 @@ redirect-path: '/tutorial/copy-databases-between-instances'
 url-base: '/reference/command/copydb'
 type: 'redirect'
 code: 303
+outputs:
+  - 'after-v2.4'
+---
+redirect-path: '/tutorial/assign-role-to-user'
+url-base: '/core/access-control'
+type: 'redirect'
+code: 303
 outputs:
   - 'after-v2.4'
 ...

source/includes/steps-assign-role-to-user.yaml

@@ -0,0 +1,70 @@
+title: Connect with the Privilege to Grant Roles
+stepnum: 1
+ref: connect-with-grant-role-privileges
+pre: |
+  Connect to the :program:`mongod` or :program:`mongos` as a user with the
+  :authaction:`grantRole` actions on the role's database.
+action:
+  pre: |
+    The following example operation connects to the MongoDB instance as a user
+    named ``roleManager``:
+  language: javascript
+  code: |
+    mongo --port 27017 -u roleManager -p 12345678 --authenticationDatabase admin
+---
+title: Verify Your Privileges
+stepnum: 2
+ref: verify-grant-role-privileges
+pre: |
+  Verify that the user you are connected as has the :authaction:`grantRole`
+  actions on the ``admin`` database.
+action:
+  pre: |
+    The following example operation checks privileges for the user connected
+    as ``roleManager``:
+    language: javascript
+    code: |
+      db.runCommand(
+         {
+           usersInfo:"roleManager",
+           showPrivileges:true
+         }
+      )
+  post: |
+    The resulting ``users`` document displays the privileges granted to the user.
+---
+source:
+  file: steps-change-user-privileges.yaml
+  ref: collect-roles
+---
+source:
+  file: steps-change-user-privileges.yaml
+  ref: identify-privileges
+---
+source:
+  file: steps-change-user-privileges.yaml
+  ref: select-roles-to-modify
+---
+title: Grant the Role to the User
+stepnum: 6
+ref: grant-role-to-user
+pre: |
+  Grant the user the role using the :method:`db.grantRolesToUser()` method.
+pre: |
+  For example:
+action:
+  language: javascript
+  code: |
+    use admin
+    db.grantRolesToUser(
+      "accountAdmin01",
+      [
+        { 
+          role: "readWrite", db: "products"
+        },
+        {
+          role: "readAnyDatabase", db:"admin"
+        }
+      ]
+    )
+...

source/includes/toc-security-tutorials-access-control.yaml

@@ -18,6 +18,11 @@ file: /tutorial/define-roles
 description: |
   Create custom role.
 ---
+file: /tutorial/assign-role-to-user
+description: |
+  Assign a user a role. A role grants the user a defined set of privileges.
+  A user can have multiple roles.
+---
 file: /tutorial/change-user-privileges
 description: |
   Modify the actions available to a user on specific database resources.

source/tutorial/assign-role-to-user.txt

@@ -0,0 +1,37 @@
+====================
+Assign a User a Role
+====================
+
+.. default-domain:: mongodb
+
+Overview
+--------
+
+A role provides a user privileges to perform a set of :ref:`actions
+<security-user-actions>` on a given :ref:`resource <resource-document>`. A
+user can have multiple roles.
+
+In MongoDB systems where :setting:`auth` is enabled, users must be granted
+roles and the ensuing privileges to access databases. Without an assigned
+role, a user cannot access database resources.
+
+Assign a user's role according to the user's responsibilities. When assigning
+a role, first determine the privileges the user needs and then the role that
+grants those privileges.
+
+For an overview of roles and privileges, see :ref:`authorization`.
+
+For descriptions of the access each system role provides, see
+:ref:`system-defined roles <system-user-roles>.
+
+Prerequisites
+-------------
+
+.. include:: /includes/access-grant-roles.rst
+
+.. include:: /includes/access-roles-info.rst
+
+Procedure
+---------
+
+.. include:: /includes/steps/assign-role-to-user.rst

source/tutorial/change-user-privileges.txt

@@ -25,6 +25,8 @@ Prerequisites
 
 .. include:: /includes/access-revoke-roles.rst
 
+.. include:: /includes/access-roles-info.rst
+
 Procedure
 ---------