DOCSP-27685 permissions for reverse (#115)

Dave Cuthbert · web-flow · commit 06f9702d6d35 · 2023-03-16T09:14:16.000-07:00
* DOCSP-27685 permissions for reverse * DOCSP-27685 permissions for reverse * DOCSP-27685 permissions for reverse * Review feedback * Staging updates * Staging fixes * Staging fixes * Review feedback * Merge feedback * Merge feedback
diff --git a/source/connecting/atlas-to-atlas.txt b/source/connecting/atlas-to-atlas.txt
@@ -32,7 +32,11 @@ Authentication
 Roles
 -----
 
-.. include:: /includes/fact-atlas-roles
+.. include:: /includes/fact-permissions-body.rst
+
+The Atlas permissions are:
+
+.. include:: /includes/table-permissions-atlas.rst
 
 Behavior
 --------
diff --git a/source/connecting/onprem-to-atlas.txt b/source/connecting/onprem-to-atlas.txt
@@ -36,7 +36,15 @@ Authentication
 Roles
 -----
 
-.. include:: /includes/fact-atlas-roles
+.. include:: /includes/fact-permissions-body.rst
+
+The self-managed permissions are:
+
+.. include:: /includes/table-permissions-self-hosted.rst
+
+The Atlas permissions are:
+
+.. include:: /includes/table-permissions-atlas.rst
 
 Behavior
 --------
diff --git a/source/connecting/onprem-to-onprem.txt b/source/connecting/onprem-to-onprem.txt
@@ -31,7 +31,11 @@ Authentication
 Roles
 -----
 
-.. include:: /includes/fact-onprem-roles
+.. include:: /includes/fact-permissions-body.rst
+
+The self-managed permissions are:
+
+.. include:: /includes/table-permissions-self-hosted.rst
 
 Behavior
 --------
diff --git a/source/includes/fact-atlas-roles.rst b/source/includes/fact-atlas-roles.rst
diff --git a/source/includes/fact-onprem-roles.rst b/source/includes/fact-onprem-roles.rst
diff --git a/source/includes/fact-permissions-body.rst b/source/includes/fact-permissions-body.rst
@@ -0,0 +1,5 @@
+The user specified in the ``mongosync`` connection string must have the
+required permissions on the source and destination clusters. The
+permissions vary depending on your environment and if you want to run a
+write-blocking or reverse sync.
+
diff --git a/source/includes/fact-reverse-sync-action-types.rst b/source/includes/fact-reverse-sync-action-types.rst
diff --git a/source/includes/table-permissions-atlas.rst b/source/includes/table-permissions-atlas.rst
@@ -0,0 +1,47 @@
+..
+   Comment: The nested lists need blank lines before and after each list
+            plus extra indents 
+
+.. list-table::
+   :header-rows: 1
+
+   * - Sync Type
+     - Target
+     - Required Permissions
+
+   * - default
+     - source cluster
+     -
+
+         - atlasAdmin
+         - backup
+
+   * - default
+     - destination cluster
+     -
+
+         - atlasAdmin
+
+   * - write-blocking or reversing
+     - source cluster
+     -
+
+         - atlasAdmin
+         - backup
+         - bypassWriteBlockMode privilege
+
+   * - write-blocking or reversing
+     - destination cluster
+     -
+
+         - atlasAdmin
+         - backup
+         - bypassWriteBlockMode privilege
+
+For details on Atlas roles, see: :atlas:`Atlas User Roles
+</reference/user-roles/>`.
+
+To update Atlas user permissions, see:
+:atlas:`Manage Access to a Project </access/manage-project-access/>`.
+
+
diff --git a/source/includes/table-permissions-self-hosted.rst b/source/includes/table-permissions-self-hosted.rst
@@ -0,0 +1,49 @@
+..
+   Comment: The nested lists need blank lines before and after each list
+            plus extra indents 
+
+.. list-table::
+   :header-rows: 1
+
+   * - Sync Type
+     - Target
+     - Required Permissions
+
+   * - default
+     - source cluster
+     -
+
+         - readAnyDatabase
+         - backup
+         - clusterMonitor (sharded clusters only)
+
+   * - default
+     - destination cluster
+     -
+
+         - readWriteAnyDatabase
+         - restore
+         - clusterManager (sharded clusters only)
+
+   * - write-blocking or reversing
+     - source cluster
+     -  
+
+         - readWriteAnyDatabase
+         - backup
+         - restore
+         - clusterManager (sharded clusters only)
+
+   * - write-blocking or reversing
+     - destination cluster
+     -
+
+         - readWriteAnyDatabase
+         - backup
+         - restore
+         - clusterManager (sharded clusters only)
+
+For details on server roles, see: :ref:`authorization`.
+
+To update user permissions, see: :dbcommand:`grantRolesToUser`.
+
diff --git a/source/quickstart.txt b/source/quickstart.txt
@@ -237,16 +237,19 @@ Synchronization Notes
   - ``enableUserWriteBlocking``
 
   .. literalinclude:: /includes/api/requests/reverse.sh
-   :language: shell
+     :language: shell
+
+- .. include:: /includes/fact-permissions-body.rst
 
-.. include:: /includes/fact-reverse-sync-action-types.rst
+  To determine the correct the user permissions for your use case, see
+  :ref:`c2c-permissions-and-roles`.
 
 - You may need to increase the file descriptor ``ulimits`` on the host
   that is running ``mongosync``. This applies to any UNIX-like system,
   but macOS in particular has low defaults. See :ref:`UNIX ulimit
   settings <system-resource-utilization>`.
 
 - To estimate the size of ``oplog`` needed for initial synchronization,
-  see: :ref:`c2c-oplog-sizing`.
+  see :ref:`c2c-oplog-sizing`.
 
 
diff --git a/source/reference.txt b/source/reference.txt
@@ -16,5 +16,6 @@ Reference
    /reference/disaster-recovery
    /reference/limitations
    /reference/logging
+   /reference/permissions
    /reference/versioning
 
diff --git a/source/reference/api/reverse.txt b/source/reference/api/reverse.txt
@@ -4,7 +4,6 @@
 ``reverse``
 ===========
 
-
 .. default-domain:: mongodb
 
 .. contents:: On this page
@@ -47,8 +46,7 @@ To use the ``reverse`` endpoint:
   :ref:`resync <resync-replica-member>` all of the nodes in the
   original source cluster before reversing.
 - .. include:: /includes/fact-reverse-limitation.rst
-
-.. include:: /includes/fact-reverse-sync-action-types.rst
+- .. include:: /includes/fact-permissions-body.rst
 
 Request
 -------
diff --git a/source/reference/permissions.txt b/source/reference/permissions.txt
@@ -0,0 +1,30 @@
+.. _c2c-permissions-and-roles:
+
+================
+User Permissions
+================
+
+.. default-domain:: mongodb
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 2
+   :class: singlecol
+
+.. include:: /includes/fact-permissions-body.rst
+
+Self-Managed Clusters
+---------------------
+
+The self-managed permissions are:
+
+.. include:: /includes/table-permissions-self-hosted.rst
+
+Atlas Clusters
+--------------
+
+The Atlas permissions are:
+
+.. include:: /includes/table-permissions-atlas.rst
+
