REVOKE
Revokes permissions from a role. REVOKE can also be used to revoke a role from another role or a user.
For more information, see Role-based access control.
REVOKE PRIVILEGE
Revokes a permission from a role.
Only account_admin or a role owner can revoke a permission to a role.
Syntax
REVOKE <permission> ON <object_type> <object_name> [IN <object_type> <object_name>] FROM <role_name>
Parameters
| Parameter | Description |
|---|---|
<permission> | The name of the permission to revoke from a role. Permissions that can be revoked vary depending on the object that they apply to. For a full list, see Permissions. |
<object_type> | The type of the object to revoke permissions from. |
<object_name> | The name of the object to revoke permissions from. |
<role_name> | The name of the role from which the permission will be revoked. |
Examples
Revoke MODIFY permission on a database
The following code example revokes the MODIFY permission on the db database from the role user_role, preventing it from making changes to the database:
REVOKE MODIFY ON DATABASE db FROM user_role;
Revoke all permissions on a database
The following code example revokes the all permissions on the db database from the role user_role, preventing all operations on it:
REVOKE ALL ON DATABASE db FROM user_role;
Revoke USAGE permissions on all databases in an account
The following code example revokes USAGE permissions on all databases in the dev account from the role user_role, preventing it from accessing metadata or using those databases:
REVOKE USAGE ANY DATABASE ON ACCOUNT dev FROM user_role;
Revoke SELECT permission on a specific table
The following code example sets the active database to db and revokes user_role’s permission to read data from the my_table table in the public schema.:
USE DATABASE db;
REVOKE SELECT ON TABLE my_table IN SCHEMA public TO user_role;
Revoke SELECT permission on all tables in a schema
The following code revokes user_role’s permission to read data from all existing and future tables in the public schema of the db database:
REVOKE SELECT ANY ON SCHEMA public IN DATABASE db TO user_role;
REVOKE ROLE
Revokes a role from a user or from another role.
Syntax
REVOKE ROLE <role_name> FROM { USER <user_name> | ROLE <role_name_2> }
Parameters
| Parameter | Description |
|---|---|
<role_name> | The name of the role to revoke. |
<user_name> | The name of the user from which to revoke the <role_name> role. |
<role_name_2> | The name of the role from which to revoke the role. |
Examples
Revoke a role from another role
The following code example removes the role_name role from role_name_2, revoking access to permissions granted to role_name:
REVOKE ROLE role_name FROM ROLE role_name_2;
Revoke a role from a user
The following command revokes role role_name from user user_name, removing the user’s access to the permissions granted to role_name:
REVOKE ROLE role_name FROM USER user_name;