diff --git a/docs/database/mongo-db.md b/docs/database/mongo-db.md
index e328df4..66ee6f3 100644
--- a/docs/database/mongo-db.md
+++ b/docs/database/mongo-db.md
@@ -317,44 +317,6 @@ db.<collection>.dropIndex( { "index-name": 1 } )  # drop a specific index
 
 ---
 
-## Roles and permissions
-
-**Authentication**: identifies valid users
-**Authorization**: identifies what a user can do
-
-- **userAdminAnyDatabase**: can admin every db in the instance (role must be created on admin db)
-- **userAdmin**: can admin the specific db in which is created
-- **readWrite**: can read and write in the specific db in which is created
-- **read**: can read the specific db in which is created
-
-```sh
-# create users in the current MongoDB instance
-db.createUser(
-    {
-        user: "dbAdmin",
-        pwd: "password",
-        roles:[
-            {
-                role: "userAdminAnyDatabase",
-                db:"admin"
-            }
-        ]
-    },
-    {
-        user: "username",
-        pwd: "password",
-        roles:[
-            {
-                role: "role",
-                db: "database"
-            }
-        ]
-    }
-)
-```
-
----
-
 ## Cluster Administration
 
 ### `mongod`
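
Review bot: The removed bullets under "Roles and permissions" were the only place that said what `userAdminAnyDatabase`, `userAdmin`, `readWrite` and `read` each allow, and that `userAdminAnyDatabase` must be created on the admin db; the replacement section added later in this patch lists role names only. Consider carrying a one-line description per role, plus the one-line Authentication / Authorization definitions, into the new section. Dropping the old `db.createUser(...)` example itself is right: it passed two user documents to one call, and the second argument of `db.createUser` is the write concern, not another user.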
@@ -451,6 +413,63 @@ db.system.profile.find().limit(n).sort( {} ).pretty()  # see logs
 db.system.profile.find().limit(n).sort( { ts : -1 } ).pretty()  # sort by decreasing timestamp
 ```
 
+### Authentication
+
+Client Authentication Mechanisms:
+
+- **SCRAM** (Default): Salted Challenge Response Authentication Mechanism
+- **X.509**: `X.509` Certificate
+- **LADP**: Lightweight Directory Access Protocol (Enterprise Only)
+- **KERBEROS** (Enterprise Only)
+
+Cluster Authentication Mechanism:
+
+### Authorization: Role Based Access Control (RBAC)
+
+Each user has one or more **Roles**. Each role has one or more **Privileges**.  
+A privilege represents a group of _actions_ and the _resources_ those actions apply to.
+
+By default no user exists so the ONLY way to act is to connect locally to the server.  
+This is the "localhost exception" and it closes after the _first_ user is created.
+
+> **WARN**: Always create an admin user first (ideally with the `userAdmin` role)
+
+Role's Resources:
+
+- specific database and collection: `{ "db": "<database>", "collection": "<collection>" }`
+- all databases and collections: `{ "db": "", "collection": "" }`
+- any databases and specific collection: `{ "db": "", "collection": "<collections>" }`
+- specific database and any collection: `{ "db": "<database>", "collection": "" }`
+- cluster resource: `{ "cluster": true }`
+
+Role's Privileges: `{ resource: { <resource> }, actions: [ "<action>" ] }`
+
+A role can _inherit_ from multiple others and can define **network restrictions** such as _Server Address_ and _Client Source_.
+
+Built-in Roles Groups and Names:
+
+- Database User: `read`, `readWrite`, `readAnyDatabase`, `readWriteAnyDatabase`
+- Database Administration: `dbAdmin`, `userAdmin`, `dbOwner`, `dbAdminAnyDatabase`, `userAdminAnyDatabase`
+- Cluster Administration: `clusterAdmin`, `clusterManager`, `clusterMonitor`, `hostManager`
+- Backup/Restore: `backup`, `restore`
+- Super User: `root`
+
+```sh
+db.createUser(
+    {
+        user: "<username>",
+        pwd: "<password>",
+        roles: [ { role: "<role>", db: "<database>" } ]
+    }
+)
+
+# add role to existing user
+db.grantRolesToUser( "<user>", [ { db: "<database>", role: "<role>" } ] )
+
+# show role privilege
+db.runCommand( { rolesInfo: { db: "<database>", role: "<role>" }, showPrivileges: true } )
+```
+
 ### [Replica set](https://docs.mongodb.com/manual/replication/)
 
 A **replica set** in MongoDB is a group of `mongod` processes that maintain the `same dataset`. Replica sets provide redundancy and high availability, and are the basis for all production deployments.
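
Review bot: In the "Client Authentication Mechanisms" list, `**LADP**` is a typo for LDAP, and the "Cluster Authentication Mechanism:" line is followed directly by the next heading with no content, so either list the mechanisms or drop the line. In the resources list, `"<collections>"` should be `"<collection>"` to match the other entries. The WARN callout recommends `userAdmin`, which is scoped to a single database; state which database the first admin user should be created on, since that user is the one created under the localhost exception. The example block is fenced as `sh` but holds mongo shell calls, and `pwd: passwordPrompt()` would be a better default than a literal `"<password>"` so readers do not leave passwords in shell history.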