mongodb · kay-kim · Nov 15, 2017 · Oct 24, 2017
diff --git a/source/reference/built-in-roles.txt b/source/reference/built-in-roles.txt
@@ -160,6 +160,7 @@ Every database includes the following database administration roles:
    - :authaction:`dropUser`
    - :authaction:`grantRole`
    - :authaction:`revokeRole`
+   - :authaction:`setAuthenticationRestriction`
    - :authaction:`viewRole`
    - :authaction:`viewUser`
 
@@ -253,11 +254,11 @@ functions.
            | :authaction:`update`
 
       * - | :data:`system.indexes <<database>.system.indexes>`,
-          
+
           | :data:`system.js <<database>.system.js>`,
-          
+
           | :data:`system.namespaces <<database>.system.namespaces>` collections
-   
+
         -  | :authaction:`collStats`
            | :authaction:`dbHash`
            | :authaction:`dbStats`
@@ -285,7 +286,7 @@ functions.
           - :authaction:`splitChunk`
           - :authaction:`splitVector`
           - :authaction:`update`
-   
+
       * - :data:`system.replset <local.system.replset>` collection
 
         - - :authaction:`collStats`
@@ -460,12 +461,12 @@ restoring data:
 
    Provides the :authaction:`insert` and :authaction:`update` actions
    on the
-   ``mms.backup`` collection in the ``admin`` database and on the 
+   ``mms.backup`` collection in the ``admin`` database and on the
    :data:`settings <config.settings>` collection in the ``config`` database.
 
    On :ref:`anyResource`, provides the
-   
-   - :authaction:`listDatabases` action 
+
+   - :authaction:`listDatabases` action
    - :authaction:`listCollections` action
    - :authaction:`listIndexes` action
 
@@ -487,7 +488,7 @@ restoring data:
      :data:`system.profile <<database>.system.profile>`
 
    - the :data:`admin.system.users` and :data:`admin.system.roles` collections
-   
+
    - the :data:`config.settings` collection
 
    - legacy ``system.users`` collections from versions of MongoDB prior to 2.6
@@ -533,8 +534,8 @@ restoring data:
 
    Provides the following action on the cluster as a whole:
 
-   - :authaction:`getParameter` 
-      
+   - :authaction:`getParameter`
+
    Provides the following actions on all *non*-system collections:
 
    - :authaction:`bypassDocumentValidation`
@@ -566,7 +567,7 @@ restoring data:
 
    Provides the following action on :ref:`anyResource`:
 
-   - :authaction:`listCollections` 
+   - :authaction:`listCollections`
 
    Provides the :authaction:`find` action on all the :data:`system.namespaces
    <<database>.system.namespaces>` collections in the cluster.
@@ -700,7 +701,7 @@ and are roughly equivalent to their single-database equivalents:
 
       Prior to 3.4, :authrole:`userAdminAnyDatabase` includes ``local``
       and ``config`` databases.
-          
+
 .. authrole:: dbAdminAnyDatabase
 
    Provides the same access to database administration operations as
@@ -753,7 +754,7 @@ The following role provides full privileges on all resources:
       The :authrole:`root` has :authaction:`validate` action on
       ``system.`` collections. Previously, :authrole:`root` does
       **not** include any access to collections that begin with the
-      ``system.`` prefix other than ``system.indexes`` and 
+      ``system.`` prefix other than ``system.indexes`` and
       ``system.namespaces``.
 
       The :authrole:`root` role includes privileges from the :authrole:`restore` role.

diff --git a/source/reference/command/createUser.txt b/source/reference/command/createUser.txt
@@ -47,6 +47,8 @@ Roles
 
 .. include:: /includes/fact-roles-array-contents.rst
 
+.. _create-user-auth-restrictions:
+
 Authentication Restrictions
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

diff --git a/source/reference/privilege-actions.txt b/source/reference/privilege-actions.txt
@@ -233,6 +233,38 @@ Database Management Actions
    User can remove any role from any user from any database in the system.
    Apply this action to database resources.
 
+.. authaction:: setAuthenticationRestriction
+
+   .. versionadded:: 3.6
+
+   User can specify the
+   :ref:`authenticationRestrictions <create-user-auth-restrictions>`
+   field in the ``user`` document when running the following commands:
+
+   - :doc:`createUser </reference/command/createUser/>`
+   - :doc:`updateUser </reference/command/updateUser/>`
+
+   User can specify the ``authenticationRestrictions`` field in the
+   ``role`` document when running the following commands:
+
+   - :doc:`createRole </reference/command/createRole/>`
+   - :doc:`updateRole </reference/command/updateRole/>`
+
+   .. note::
+
+      The following built-in roles grant this privilege:
+
+      - The :authrole:`userAdmin` role provides this privilege
+        on the database that the role is assigned.
+
+      - The  :authrole:`userAdminAnyDatabase` role provides this
+        privilege on all databases.
+
+      Transitively, the :authrole:`restore` and :authrole:`root` roles
+      also provide this privilege.
+
+   Apply this action to database resources.
+
 .. authaction:: unlock
 
    User can perform the :method:`db.fsyncUnlock()` method. Apply this