Home  /  SQL commands

REVOKE PRIVILEGE

REVOKE revokes privileges from a database object. The PUBLIC pseudo-role can be used to indicate that the privileges should be revoked from all roles (including roles that might not exist yet).

Syntax

NOTE: The syntax supports the ALL [PRIVILEGES] shorthand to refer to all applicable privileges for the object type.

    For specific cluster(s):

    REVOKE <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
ON CLUSTER <name> [, ...]
FROM <role_name> [, ... ]
;

    For all clusters:

    REVOKE <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
ON ALL CLUSTERS
FROM <role_name> [, ... ]
;

    For specific connection(s):

    REVOKE <USAGE | ALL [PRIVILEGES]>
ON CONNECTION <name> [, ...]
FROM <role_name> [, ... ];

    For all connections or all connections in specific schema(s) or in database(s):

    REVOKE <USAGE | ALL [PRIVILEGES]>
ON ALL CONNECTIONS
 [ IN <SCHEMA | DATABASE> <name> [, <name> ...] ]
FROM <role_name> [, ... ];

    For specific database(s):

    REVOKE <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
ON DATABASE <name> [, ...]
FROM <role_name> [, ... ];

    For all database:

    REVOKE <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
ON ALL DATABASES
FROM <role_name> [, ... ];
    NOTE: To read from a views or a materialized views, you must have SELECT privileges on the view/materialized views. That is, having SELECT privileges on the underlying objects defining the view/materialized view is insufficient.

    For specific materialized view(s)/view(s)/source(s):

    REVOKE <SELECT | ALL [PRIVILEGES]>
ON [TABLE] <name> [, <name> ...] -- For PostgreSQL compatibility, if specifying type, use TABLE
FROM <role_name> [, ... ];

    For specific schema(s):

    REVOKE <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
ON SCHEMA <name> [, ...]
FROM <role_name> [, ... ];

    For all schemas or all schemas in a specific database(s):

    REVOKE <USAGE | CREATE | ALL [PRIVILEGES]> [, ... ]
ON ALL SCHEMAS [IN DATABASE <name> [, <name> ...]]
FROM <role_name> [, ... ];

    For specific secret(s):

    REVOKE <USAGE | ALL [PRIVILEGES]> [, ... ]
ON SECRET <name> [, ...]
FROM <role_name> [, ... ];

    For all secrets or all secrets in a specific database(s):

    REVOKE <USAGE | ALL [PRIVILEGES]> [, ... ]
ON ALL SECRET [IN DATABASE <name> [, <name> ...]]
FROM <role_name> [, ... ];

    REVOKE <CREATEROLE | CREATEDB | CREATECLUSTER | CREATENETWORKPOLICY | ALL [PRIVILEGES]> [, ... ]
ON SYSTEM
FROM <role_name> [, ... ];

    For specific view(s):

    REVOKE <USAGE | ALL [PRIVILEGES]>
ON TYPE <name> [, <name> ...]
FROM <role_name> [, ... ];

    For all types or all types in a specific schema(s) or in a specific database(s):

    REVOKE <USAGE | ALL [PRIVILEGES]>
ON ALL TYPES
  [ IN <SCHEMA|DATABASE> <name> [, <name> ...] ]
FROM <role_name> [, ... ];

    For specific table(s):

    REVOKE <SELECT | INSERT | UPDATE | DELETE | ALL [PRIVILEGES]> [, ...]
ON [TABLE] <name> [, <name> ...]
FROM <role_name> [, ... ];

    For all tables or all tables in a specific schema(s) or in a specific database(s):

    NOTE: Granting privileges via ALL TABLES […] also applies to sources, views, and materialized views (for the applicable privileges). 
    REVOKE <SELECT | INSERT | UPDATE | DELETE | ALL [PRIVILEGES]> [, ...]
ON ALL TABLES
  [ IN <SCHEMA|DATABASE> <name> [, <name> ...] ]
FROM <role_name> [, ... ];

    Details

    Applicable privileges to revoke

      Privilege Description Abbreviation Applies to
      SELECT Permission to read rows from an object. r
      • MATERIALIZED VIEW
      • SOURCE
      • TABLE
      • VIEW
      INSERT Permission to insert rows into an object. a
      • TABLE
      UPDATE

      Permission to modify rows in an object.

      Modifying rows may also require SELECT if a read is needed to determine which rows to update.

      		 w
      • TABLE
      DELETE

      Permission to delete rows from an object.

      Deleting rows may also require SELECT if a read is needed to determine which rows to delete.

      		 d
      • TABLE
      CREATE Permission to create a new objects within the specified object. C
      • DATABASE
      • SCHEMA
      • CLUSTER
      USAGE Permission to use or reference an object (e.g., schema/type lookup). U
      • CLUSTER
      • CONNECTION
      • DATABASE
      • SCHEMA
      • SECRET
      • TYPE
      CREATEROLE

      Permission to create/modify/delete roles and manage role memberships for any role in the system.

      WARNING! Roles with the CREATEROLE privilege can obtain the privileges of any other role in the system by granting themselves that role. Avoid granting CREATEROLE unnecessarily.
      		R
      • SYSTEM
      CREATEDB Permission to create new databases. B
      • SYSTEM
      CREATECLUSTER Permission to create new clusters. N
      • SYSTEM
      CREATENETWORKPOLICY Permission to create network policies to control access at the network layer. P
      • SYSTEM
      Object Privileges
      CLUSTER
      • USAGE
      • CREATE
      CONNECTION
      • USAGE
      DATABASE
      • USAGE
      • CREATE
      MATERIALIZED VIEW
      • SELECT
      SCHEMA
      • USAGE
      • CREATE
      SECRET
      • USAGE
      SOURCE
      • SELECT
      SYSTEM
      • CREATEROLE
      • CREATEDB
      • CREATECLUSTER
      • CREATENETWORKPOLICY
      TABLE
      • INSERT
      • SELECT
      • UPDATE
      • DELETE
      TYPE
      • USAGE
      VIEW
      • SELECT

      Privileges

      The privileges required to execute this statement are:

      • Ownership of affected objects.
      • USAGE privileges on the containing database if the affected object is a schema.
      • USAGE privileges on the containing schema if the affected object is namespaced by a schema.
      • superuser status if the privilege is a system privilege.

      Examples

      REVOKE SELECT ON mv FROM joe, mike;

      REVOKE USAGE, CREATE ON DATABASE materialize FROM joe;

      REVOKE ALL ON CLUSTER dev FROM joe;

      REVOKE CREATEDB ON SYSTEM FROM joe;

      Useful views

      Back to top ↑