REVOKE
Synopsis
Use the REVOKE
statement to remove access privileges from one or more roles.
Syntax
revoke_table ::= REVOKE [ GRANT OPTION FOR ]
{ { SELECT
| INSERT
| UPDATE
| DELETE
| TRUNCATE
| REFERENCES
| TRIGGER } [ , ... ]
| ALL [ PRIVILEGES ] } ON
{ [ TABLE ] table_name [ , ... ]
| ALL TABLES IN SCHEMA schema_name [ , ... ] }
FROM { [ GROUP ] role_name | PUBLIC } [ , ... ]
[ CASCADE | RESTRICT ]
revoke_table_col ::= REVOKE [ GRANT OPTION FOR ]
{ { SELECT | INSERT | UPDATE | REFERENCES } (
column_names ) [ ,(column_names ... ]
| ALL [ PRIVILEGES ] ( column_names ) } ON
[ TABLE ] table_name [ , ... ] FROM
{ [ GROUP ] role_name | PUBLIC } [ , ... ]
[ CASCADE | RESTRICT ]
revoke_seq ::= REVOKE [ GRANT OPTION FOR ]
{ { USAGE | SELECT | UPDATE } [ , ... ]
| ALL [ PRIVILEGES ] } ON
{ SEQUENCE sequence_name [ , ... ]
| ALL SEQUENCES IN SCHEMA schema_name [ , ... ] }
FROM { [ GROUP ] role_name | PUBLIC } [ , ... ]
[ CASCADE | RESTRICT ]
revoke_db ::= REVOKE [ GRANT OPTION FOR ]
{ { CREATE | CONNECT | TEMPORARY | TEMP } [ , ... ]
| ALL [ PRIVILEGES ] } ON DATABASE database_name
[ , ... ] FROM { [ GROUP ] role_name | PUBLIC }
[ , ... ] [ CASCADE | RESTRICT ]
revoke_domain ::= REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] } ON DOMAIN domain_name
[ , ... ] FROM { [ GROUP ] role_name | PUBLIC }
[ , ... ] [ CASCADE | RESTRICT ]
revoke_schema ::= REVOKE [ GRANT OPTION FOR ]
{ { CREATE | USAGE } [ , ... ]
| ALL [ PRIVILEGES ] } ON SCHEMA schema_name
[ , ... ] FROM { [ GROUP ] role_name | PUBLIC }
[ , ... ] [ CASCADE | RESTRICT ]
revoke_type ::= REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] } ON TYPE type_name
[ , ... ] FROM { [ GROUP ] role_name | PUBLIC }
[ , ... ] [ CASCADE | RESTRICT ]
revoke_role ::= REVOKE [ ADMIN OPTION FOR ] role_name [ , ... ] FROM
role_name [ , ... ] [ CASCADE | RESTRICT ]
revoke_table
revoke_table_col
revoke_seq
revoke_db
revoke_domain
revoke_schema
revoke_type
revoke_role
Semantics
Any role has the sum of all privileges assigned to it. So, if REVOKE
is used to revoke SELECT
from PUBLIC
, then it does not mean that all roles have lost SELECT
privilege.
If a role had SELECT
granted directly to it or inherited it via a group, then it can continue to hold the SELECT
privilege.
If GRANT OPTION FOR
is specified, only the grant option for the privilege is revoked, not the privilege itself. Otherwise, both the privilege and the grant option are revoked.
Similarly, while revoking a role, if ADMIN OPTION FOR
is specified, then only the admin option for the privilege is revoked.
If a user holds a privilege with grant option and has granted it to other users, then revoking the privilege from the first user will also revoke it from dependent users
if CASCADE
is specified. Otherwise, the REVOKE
will fail.
When revoking privileges on a table, the corresponding column privileges (if any) are automatically revoked on each column of the table, as well. On the other hand, if a role has been granted privileges on a table, then revoking the same privileges from individual columns will have no effect.
Examples
- Revoke SELECT privilege for PUBLIC on table 'stores'
yugabyte=# REVOKE SELECT ON stores FROM PUBLIC;
- Remove user John from SysAdmins group.
yugabyte=# REVOKE SysAdmins FROM John;