Granting and revoking user rights --------------------------------- .. index:: user;user grant .. index:: user;user revoke .. index:: user;user list Once a user is added the user needs to be granted access to run commands. The user's command menu will only display those commands to which access have been granted. To grant access to a command use the 'user grant' command as follows: **user grant [options]** Only one command can be granted at a time, however these can be complex. The more detailed the command, the more fine-grained the privilege becomes.  This is best explained by example. Running the following command: **user grant peter app** Will allow the user peter to execute any command within the 'app' series of commands. However it could be restricted further by instead running a command like: **user grant peter app list** With this version peter will see the **app** command on his menu, but its help will only display 'list' as a sub-command - peter can thus see the list of apps but cannot perform more potentially risky tasks such as installing or restarting applications. This can be expanded to other subsets by simply running additional grants: **user grant peter app start** Would now allow peter to both see the list of applications or restart applications that failed, however he will not be able to do other app related tasks such as installations. The **grant** command effectively verifies that the start of a command by a user matches one of the privileges granted to that user - so peter will be able to add options to any command he is granted access to. In order to restrict commands - be sure to determine whether any options should be allowed and if not, only grant access to the specific parameters you wish peter to be able to execute. For example if peter is your database administrator for example you may wish to use: **user grant peter app start mongodb** Instead of giving access to all **app start** commands. Should you wish to revoke a command privilege from a user you can do this using the following command: **user revoke ** The command being revoked must match exactly one of the commands previously granted to a user. To review the current privileges of a user use: **user list ** Which will display the user's entire list of granted commands in full. You can also just run **user list** Without an option to list all users created on your system and their privileges.