Revoke
Important
This documentation has been retired and might not be updated. The products, services, or technologies mentioned in this content are no longer supported. See REVOKE.
REVOKE
privilege_type [, privilege_type ] ...
ON (CATALOG | DATABASE <database-name> | TABLE <table-name> | VIEW <view-name> | FUNCTION <function-name> | ANONYMOUS FUNCTION | ANY FILE)
FROM principal
privilege_type
: SELECT | CREATE | MODIFY | READ_METADATA | CREATE_NAMED_FUNCTION | ALL PRIVILEGES
principal
: `<user>@<domain-name>` | <group-name>
Revoke an explicitly granted or denied privilege on an object from a user or principal. A REVOKE
is strictly
scoped to the object specified in the command and does not cascade to contained objects.
To revoke a privilege from all users, specify the keyword users
after FROM
.
For example, suppose there is a database db
with tables t1
and t2
. A user is initially granted
SELECT
privileges on db
and on t1
. The user can access t2
due to the GRANT
on the
database db
.
If the administrator revokes the SELECT
privilege on db
, the user will no longer be able to
access t2
, but will still be able to access t1
since there is an explicit GRANT
on table t1
.
If the administrator instead revokes the SELECT
on table t1
but still keeps the SELECT
on
database db
, the user can still access t1
because the SELECT
on the database db
implicitly
confers privileges on the table t1
.