Skip to main content

REVOKE

Introduced or updated: v1.2.275

Revokes privileges, roles, and ownership of a specific database object. This includes:

  • Revoking privileges from users or roles.
  • Removing roles from users or other roles.

See also:

Syntax

Revoking Privileges

REVOKE { 
        schemaObjectPrivileges | ALL [ PRIVILEGES ] ON <privileges_level>
       }
FROM [ ROLE <role_name> ] [ <user> ]

Where:

schemaObjectPrivileges ::=
-- For TABLE
  { SELECT | INSERT }
  
-- For SCHEMA
  { CREATE | DROP | ALTER }
  
-- For USER
  { CREATE USER }
  
-- For ROLE
  { CREATE ROLE}

-- For STAGE
  { READ, WRITE }

-- For UDF
  { USAGE }
privileges_level ::=
    *.*
  | db_name.*
  | db_name.tbl_name
  | STAGE <stage_name>
  | UDF <udf_name>

Revoking Role

-- Revoke a role from a user
REVOKE ROLE <role_name> FROM <user_name>

-- Revoke a role from a role
REVOKE ROLE <role_name> FROM ROLE <role_name>

Examples

Example 1: Revoking Privileges from a User

Create a user:

CREATE USER user1 IDENTIFIED BY 'abc123';

Grant the SELECT,INSERT privilege on all existing tables in the default database to the user user1:

GRANT SELECT,INSERT ON default.* TO user1;
SHOW GRANTS FOR user1;
+---------------------------------------------------+
| Grants                                            |
+---------------------------------------------------+
| GRANT SELECT,INSERT ON 'default'.* TO 'user1'@'%' |
+---------------------------------------------------+

Revoke INSERT privilege from user user1:

REVOKE INSERT ON default.* FROM user1;
SHOW GRANTS FOR user1;
+--------------------------------------------+
| Grants                                     |
+--------------------------------------------+
| GRANT SELECT ON 'default'.* TO 'user1'@'%' |
+--------------------------------------------+

Example 2: Revoking Privileges from a Role

Grant the SELECT,INSERT privilege on all existing tables in the mydb database to the role role1:

Create role:

CREATE ROLE role1;

Grant privileges to the role:

GRANT SELECT,INSERT ON mydb.* TO ROLE role1;

Show the grants for the role:

SHOW GRANTS FOR ROLE role1;
+--------------------------------------------+
| Grants                                     |
+--------------------------------------------+
| GRANT SELECT,INSERT ON 'mydb'.* TO 'role1' |
+--------------------------------------------+

Revoke INSERT privilege from role role1:

REVOKE INSERT ON mydb.* FROM ROLE role1;
SHOW GRANTS FOR ROLE role1;
+-------------------------------------+
| Grants                              |
+-------------------------------------+
| GRANT SELECT ON 'mydb'.* TO 'role1' |
+-------------------------------------+

Example 3: Revoking a Role from a User

REVOKE ROLE role1 FROM USER user1;
SHOW GRANTS FOR user1;
+-----------------------------------------+
| Grants                                  |
+-----------------------------------------+
| GRANT ALL ON 'default'.* TO 'user1'@'%' |
| GRANT ALL ON *.* TO 'user1'@'%'         |
+-----------------------------------------+
Did this page help you?
Yes
No
Join our growing community
GitHub
🌟 7.9K Stars
Slack
Twitter
YouTube
Explore Databend Cloud for FREE
Low-cost
Fast Analytics
Easy Data Ingestion
Elastic Scaling
Try it today