Updated on 2024-08-20 GMT+08:00

REVOKE

Description

Revokes permissions from one or more roles.

Precautions

If a non-owner user of an object attempts to REVOKE permission on the object, the statement is executed based on the following rules:

  • If the user has no permissions whatsoever on the object, the statement will fail outright.
  • If an authorized user has some permissions, only the permissions with authorization options are revoked.
  • If the authorized user does not have the authorization option, the REVOKE ALL PRIVILEGES form will issue an error message. For other forms of statements, if the permission specified in the statement does not have the corresponding authorization option, the statement will issue a warning.

Syntax

  • Revoke the permission on a specified table or view.
    1
    2
    3
    4
    5
    6
    7
    REVOKE [ GRANT OPTION FOR ]
        { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | ALTER | DROP | COMMENT | INDEX | VACUUM }[, ...] 
        | ALL [ PRIVILEGES ] }
        ON { [ TABLE ] table_name [, ...]
           | ALL TABLES IN SCHEMA schema_name [, ...] }
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified field in a table.
    1
    2
    3
    4
    5
    6
    REVOKE [ GRANT OPTION FOR ]
        { {{ SELECT | INSERT | UPDATE | REFERENCES | COMMENT } ( column_name [, ...] )}[, ...] 
        | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
        ON [ TABLE ] table_name [, ...]
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified sequence.
    1
    2
    3
    4
    5
    6
    7
    REVOKE [ GRANT OPTION FOR ]
        { { SELECT | UPDATE | ALTER | DROP | COMMENT }[, ...] 
        | ALL [ PRIVILEGES ] }
        ON { [ SEQUENCE ] sequence_name [, ...]
           | ALL SEQUENCES IN SCHEMA schema_name [, ...] }
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified database.
    1
    2
    3
    4
    5
    6
    REVOKE [ GRANT OPTION FOR ]
        { { CREATE | CONNECT | TEMPORARY | TEMP | ALTER | DROP | COMMENT } [, ...] 
        | ALL [ PRIVILEGES ] }
        ON DATABASE database_name [, ...]
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified domain.
    1
    2
    3
    4
    5
    REVOKE [ GRANT OPTION FOR ]
        { USAGE | ALL [ PRIVILEGES ] }
        ON DOMAIN domain_name [, ...]
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the specified CMK permission.
    1
    2
    3
    4
    5
    REVOKE [ GRANT OPTION FOR ]
        { { USAGE | DROP } [, ...] | ALL [PRIVILEGES] }
        ON CLIENT_MASTER_KEYS client_master_keys_name [, ...]
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the specified CEK permission.
    1
    2
    3
    4
    5
    REVOKE [ GRANT OPTION FOR ]
        { { USAGE | DROP } [, ...] | ALL [PRIVILEGES]}
        ON COLUMN_ENCRYPTION_KEYS column_encryption_keys_name [, ...]
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified directory.
    1
    2
    3
    4
    5
    REVOKE [ GRANT OPTION FOR ]
        { { READ | WRITE | ALTER | DROP } [, ...] | ALL [ PRIVILEGES ] }
        ON DIRECTORY directory_name [, ...]
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified external data source.
    1
    2
    3
    4
    5
    REVOKE [ GRANT OPTION FOR ]
       { USAGE | ALL [ PRIVILEGES ] }
        ON FOREIGN DATA WRAPPER fdw_name [, ...]
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified external server.
    1
    2
    3
    4
    5
    REVOKE [ GRANT OPTION FOR ]
        { { USAGE | ALTER | DROP | COMMENT } [, ...] | ALL [ PRIVILEGES ] }
        ON FOREIGN SERVER server_name [, ...]
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified function.
    1
    2
    3
    4
    5
    6
    REVOKE [ GRANT OPTION FOR ]
        { { EXECUTE | ALTER | DROP | COMMENT } [, ...] | ALL [ PRIVILEGES ] }
        ON { FUNCTION {function_name ( [ {[ argmode ] [ arg_name ] arg_type} [, ...] ] )} [, ...]
           | ALL FUNCTIONS IN SCHEMA schema_name [, ...] }
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified stored procedure.
    1
    2
    3
    4
    5
    6
    REVOKE [ GRANT OPTION FOR ]
        { { EXECUTE | ALTER | DROP | COMMENT } [, ...] | ALL [ PRIVILEGES ] }
        ON { PROCEDURE {proc_name ( [ {[ argmode ] [ arg_name ] arg_type} [, ...] ] )} [, ...]
           | ALL PROCEDURE IN SCHEMA schema_name [, ...] }
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified procedural language.
    1
    2
    3
    4
    5
    REVOKE [ GRANT OPTION FOR ]
       { USAGE | ALL [ PRIVILEGES ] }
        ON LANGUAGE lang_name [, ...]
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified large object.
    1
    2
    3
    4
    5
    REVOKE [ GRANT OPTION FOR ]
        { { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
        ON LARGE OBJECT loid [, ...]
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified schema.
    1
    2
    3
    4
    5
    REVOKE [ GRANT OPTION FOR ]
        { { CREATE | USAGE | ALTER | DROP | COMMENT } [, ...] | ALL [ PRIVILEGES ] }
        ON SCHEMA schema_name [, ...]
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified tablespace.
    1
    2
    3
    4
    5
    REVOKE [ GRANT OPTION FOR ]
        { { CREATE  | ALTER | DROP | COMMENT } [, ...] | ALL [ PRIVILEGES ] }
        ON TABLESPACE tablespace_name [, ...]
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified type.
    1
    2
    3
    4
    5
    REVOKE [ GRANT OPTION FOR ]
       { { USAGE | ALTER | DROP | COMMENT } [, ...] | ALL [ PRIVILEGES ] }
        ON TYPE type_name [, ...]
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the permission on a specified sub-cluster.
    1
    2
    3
    4
    5
    REVOKE [ GRANT OPTION FOR ]
        { { CREATE | USAGE | COMPUTE  | ALTER | DROP } [, ...] | ALL [ PRIVILEGES ] }
        ON NODE GROUP group_name [, ...]
        FROM { [ GROUP ] role_name | PUBLIC } [, ...]
        [ CASCADE | RESTRICT ];
    

    When the CREATE permission on a sub-cluster is revoked, the USAGE and COMPUTE permissions are revoked by default.

  • Revoke the permission on a directory object.
    1
    2
    3
    4
    5
    REVOKE [ GRANT OPTION FOR ]
       { { READ | WRITE } [, ...] | ALL [PRIVILEGES] }
       ON DIRECTORY directory_name [, ...]
       FROM {[GROUP] role_name | PUBLIC} [, ...]
       [ CASCADE | RESTRICT ];
    
  • Revoke permissions from a role.
    1
    2
    3
    REVOKE [ ADMIN OPTION FOR ]
        role_name [, ...] FROM role_name [, ...]
        [ CASCADE | RESTRICT ];
    
  • Revoke the sysadmin permission from a role.
    1
    REVOKE ALL { PRIVILEGES | PRIVILEGE } FROM role_name;
    
  • Revoke the ANY permissions.
    1
    2
    3
    4
    5
    6
    7
    8
    REVOKE [ ADMIN OPTION FOR ]
      { CREATE ANY TABLE | ALTER ANY TABLE | DROP ANY TABLE | SELECT ANY TABLE | INSERT ANY TABLE | UPDATE ANY TABLE |
      DELETE ANY TABLE | CREATE ANY SEQUENCE | CREATE ANY INDEX | CREATE ANY FUNCTION | EXECUTE ANY FUNCTION |
       CREATE ANY TYPE | ALTER ANY TYPE | DROP ANY TYPE | ALTER ANY SEQUENCE | DROP ANY SEQUENCE |
      SELECT ANY SEQUENCE | ALTER ANY INDEX | DROP ANY INDEX | CREATE ANY SYNONYM | DROP ANY SYNONYM | CREATE ANY TRIGGER | ALTER ANY TRIGGER |
      DROP ANY TRIGGER
     } [, ...]
      FROM [ GROUP ] role_name [, ...];
    
  • Revoke the permission on database links.
    REVOKE { CREATE | ALTER | DROP } [PUBLIC] DATABASE LINK FROM role_name; 

    For details about database links, see DATABASE LINK.

  • Revoke the permission on PUBLIC synonyms.
    REVOKE { CREATE | DROP } PUBLIC SYNONYM FROM role_name; 

    Built-in roles (gs_role_public_synonym_create and gs_role_public_synonym_drop) can also be used to revoke the permission on PUBLIC synonyms.

    • Revoke the permission to create PUBLIC synonyms.
      REVOKE gs_role_public_synonym_create FROM role_name;
    • Revoke the permission to delete PUBLIC synonyms.
      REVOKE gs_role_public_synonym_drop FROM role_name;

Parameters

The keyword PUBLIC indicates an implicitly defined group that has all roles.

For details about permission types and parameters, see Parameters in section "GRANT."

Permissions of a role include the permissions directly granted to the role, permissions inherited from the parent role, and permissions granted to PUBLIC. Therefore, revoking the SELECT permission on an object from PUBLIC users does not necessarily mean that the SELECT permission on the object has been revoked from all roles, because the SELECT permission directly granted to roles and inherited from parent roles remains. Similarly, if the SELECT permission is revoked from a user but is not revoked from PUBLIC users, the user can still run the SELECT statement.

If GRANT OPTION FOR is specified, the permission cannot be granted to others, but permission itself is not revoked.

If user A holds the UPDATE permissions on a table and the WITH GRANT OPTION option and has granted them to user B, the permissions that user B holds are called dependent permissions. If the permissions or the grant option held by user A is revoked, the dependent permissions still exist. Those dependent permissions are also revoked if CASCADE is specified.

A user can only revoke permissions that were granted directly by that user. For example, if user A has granted permission with grant option (WITH ADMIN OPTION) to user B, and user B has in turn granted it to user C, then user A cannot revoke the permission directly from C. However, user A can revoke the grant option held by user B and use CASCADE. In this way, the permission of user C is automatically revoked. For another example, if both user A and user B have granted the same permission to C, A can revoke his own grant but not B's grant, so C will still effectively have the permission.

If the role executing REVOKE holds permissions indirectly by using more than one role membership path, it is unspecified which containing role will be used to execute the statement. In such cases, you are advised to use SET ROLE to become the specific role, and then execute REVOKE. Failure to do so may lead to deleting permissions not intended to delete, or not deleting any permissions at all.

Examples

  • Revoke the permission of role jerry from user tom.
    1
    2
    gaussdb=# REVOKE jerry FROM tom;
    REVOKE ROLE
    
  • Revoke the SELECT permission for the t1 table in schema jerry from user tom.
    1
    2
    gaussdb=# REVOKE SELECT ON TABLE jerry.t1 FROM tom;
    REVOKE
    
  • Revoke the EXECUTE permission for the fun1 function in schema jerry from user tom.
    1
    2
    gaussdb=# REVOKE EXECUTE ON FUNCTION jerry.fun1() FROM tom;
    REVOKE
    
  • Revoke the CONNECT permission on database DB1 from user tom.
    1
    2
    gaussdb=# REVOKE CONNECT ON database DB1 FROM tom;
    REVOKE
    

For more examples, see Examples in section "GRANT."

Helpful Links

GRANT