revoke-privilege.md 6.2 KB
title: "REVOKE PRIVILEGE"
description: "REVOKE revokes privileges from a database object."
menu:
main:
parent: commands
REVOKE revokes privileges from a database object. The PUBLIC pseudo-role can
be used to indicate that the privileges should be revoked from all roles
(including roles that might not exist yet).
Syntax
{{< diagram "revoke-privilege.svg" >}}
privilege
{{< diagram "privilege.svg" >}}
| Field | Use |
|---|---|
| _objectname | The object that privileges are being revoked from. |
| ALL _objecttype IN SCHEMA schema_name | The privilege will be revoked from all objects of _objecttype in _schemaname. |
| ALL _objecttype IN DATABASE database_name | The privilege will be revoked from all objects of _objecttype in _databasename. |
| ALL _objecttype | The privilege will be revoked from all objects of _objecttype, excluding system objects. |
| _rolename | The role name that is losing privileges. Use the PUBLIC pseudo-role to revoke privileges from all roles. |
| SELECT | Allows reading rows from an object. The abbreviation for this privilege is 'r' (read). |
| INSERT | Allows inserting into an object. The abbreviation for this privilege is 'a' (append). |
| UPDATE | Allows updating an object (requires SELECT if a read is necessary). The abbreviation for this privilege is 'w' (write). |
| DELETE | Allows deleting from an object (requires SELECT if a read is necessary). The abbreviation for this privilege is 'd'. |
| CREATE | Allows creating a new object within another object. The abbreviation for this privilege is 'C'. |
| USAGE | Allows using an object or looking up members of an object. The abbreviation for this privilege is 'U'. |
| CREATEROLE | Allows creating, altering, deleting roles and the ability to grant and revoke role membership. This privilege is very powerful. It allows roles to grant and revoke membership in other roles, even if it doesn't have explicit membership in those roles. As a consequence, any role with this privilege can obtain the privileges of any other role in the system. The abbreviation for this privilege is 'R' (Role). |
| CREATEDB | Allows creating databases. The abbreviation for this privilege is 'B' (dataBase). |
| CREATECLUSTER | Allows creating clusters. The abbreviation for this privilege is 'N' (compute Node). |
| ALL PRIVILEGES | All applicable privileges for the provided object type. |
Details
The following tables describes which privileges are applicable to which objects:
{{< note >}}
For PostgreSQL compatibility reasons, you must specify TABLE as the object
type for sources, views, and materialized views, or omit the object type.
{{</ note >}}
| Object type | All privileges |
|---|---|
SYSTEM |
RBN |
DATABASE |
UC |
SCHEMA |
UC |
TABLE |
arwd |
(VIEW) |
r |
(MATERIALIZED VIEW) |
r |
INDEX |
|
TYPE |
U |
(SOURCE) |
r |
SINK |
|
CONNECTION |
U |
SECRET |
U |
CLUSTER |
UC |
Unlike PostgreSQL, UPDATE and DELETE always require SELECT privileges on the object being
updated.
Compatibility
For PostgreSQL compatibility reasons, you must specify TABLE as the object
type for sources, views, and materialized views, or omit the object type.
Examples
REVOKE SELECT ON mv FROM joe, mike;
REVOKE USAGE, CREATE ON DATABASE materialize FROM joe;
REVOKE ALL ON CLUSTER dev FROM joe;
REVOKE CREATEDB ON SYSTEM FROM joe;
Privileges
The privileges required to execute this statement are:
{{< include-md file="shared-content/sql-command-privileges/revoke-privilege.md"
}}
Useful views
mz_internal.mz_show_system_privilegesmz_internal.mz_show_my_system_privilegesmz_internal.mz_show_cluster_privilegesmz_internal.mz_show_my_cluster_privilegesmz_internal.mz_show_database_privilegesmz_internal.mz_show_my_database_privilegesmz_internal.mz_show_schema_privilegesmz_internal.mz_show_my_schema_privilegesmz_internal.mz_show_object_privilegesmz_internal.mz_show_my_object_privilegesmz_internal.mz_show_all_privilegesmz_internal.mz_show_all_my_privileges