REVOKE PRIVILEGE

REVOKE revokes privileges from a database object. The PUBLIC pseudo-role can be used to indicate that the privileges should be revoked from all roles (including roles that might not exist yet).

Syntax

The syntax supports the ALL [PRIVILEGES] shorthand to refer to all applicable privileges for the object type.

For specific cluster(s):

mzsql

REVOKE <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
ON CLUSTER <name> [, ...]
FROM <role_name> [, ... ]
;

For all clusters:

mzsql

REVOKE <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
ON ALL CLUSTERS
FROM <role_name> [, ... ]
;

For specific connection(s):

mzsql

REVOKE <USAGE | ALL [PRIVILEGES]>
ON CONNECTION <name> [, ...]
FROM <role_name> [, ... ];

For all connections or all connections in specific schema(s) or in database(s):

mzsql

REVOKE <USAGE | ALL [PRIVILEGES]>
ON ALL CONNECTIONS
 [ IN <SCHEMA | DATABASE> <name> [, <name> ...] ]
FROM <role_name> [, ... ];

For specific database(s):

mzsql

REVOKE <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
ON DATABASE <name> [, ...]
FROM <role_name> [, ... ];

For all database:

mzsql

REVOKE <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
ON ALL DATABASES
FROM <role_name> [, ... ];

{{< note >}} {{% include-headless "/headless/rbac-cloud/privilege-for-views-mat-views" %}} {{</ note >}}

For specific materialized view(s)/view(s)/source(s):

mzsql

REVOKE <SELECT | ALL [PRIVILEGES]>
ON [TABLE] <name> [, <name> ...] -- For PostgreSQL compatibility, if specifying type, use TABLE
FROM <role_name> [, ... ];

For specific schema(s):

mzsql

REVOKE <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
ON SCHEMA <name> [, ...]
FROM <role_name> [, ... ];

For all schemas or all schemas in a specific database(s):

mzsql

REVOKE <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
ON ALL SCHEMAS [IN DATABASE <name> [, <name> ...]]
FROM <role_name> [, ... ];

For specific secret(s):

mzsql

REVOKE <USAGE | ALL [PRIVILEGES]> [, ... ]
ON SECRET <name> [, ...]
FROM <role_name> [, ... ];

For all secrets or all secrets in a specific database(s):

mzsql

REVOKE <USAGE | ALL [PRIVILEGES]> [, ... ]
ON ALL SECRET [IN DATABASE <name> [, <name> ...]]
FROM <role_name> [, ... ];

mzsql

REVOKE <CREATEROLE | CREATEDB | CREATECLUSTER | CREATENETWORKPOLICY | ALL [PRIVILEGES]> [, ... ]
ON SYSTEM
FROM <role_name> [, ... ];

For specific view(s):

mzsql

REVOKE <USAGE | ALL [PRIVILEGES]>
ON TYPE <name> [, <name> ...]
FROM <role_name> [, ... ];

For all types or all types in a specific schema(s) or in a specific database(s):

mzsql

REVOKE <USAGE | ALL [PRIVILEGES]>
ON ALL TYPES
  [ IN <SCHEMA|DATABASE> <name> [, <name> ...] ]
FROM <role_name> [, ... ];

For specific table(s):

mzsql

REVOKE <SELECT | INSERT | UPDATE | DELETE | ALL [PRIVILEGES]> [, ...]
ON [TABLE] <name> [, <name> ...]
FROM <role_name> [, ... ];

For all tables or all tables in a specific schema(s) or in a specific database(s):

{{% include-headless "/headless/rbac-cloud/grant-privilege-all-tables" %}}

mzsql

REVOKE <SELECT | INSERT | UPDATE | DELETE | ALL [PRIVILEGES]> [, ...]
ON ALL TABLES
  [ IN <SCHEMA|DATABASE> <name> [, <name> ...] ]
FROM <role_name> [, ... ];

Details

Applicable privileges to revoke

{{< tabs >}} {{< tab "By Privilege" >}} {{< yaml-table data="rbac/privileges_objects" >}} {{</ tab >}} {{< tab "By Object" >}} {{< yaml-table data="rbac/object_privileges" >}} {{</ tab >}} {{</ tabs >}}

Privileges

The privileges required to execute this statement are:

{{% include-headless "/headless/sql-command-privileges/revoke-privilege" %}}

Examples

mzsql

REVOKE SELECT ON mv FROM joe, mike;

mzsql

REVOKE USAGE, CREATE ON DATABASE materialize FROM joe;

mzsql

REVOKE ALL ON CLUSTER dev FROM joe;

mzsql

REVOKE CREATEDB ON SYSTEM FROM joe;

Syntax

Details

Applicable privileges to revoke

Privileges

Examples

Useful views

Related pages