Revoke
Important
This documentation has been retired and might not be updated. The products, services, or technologies mentioned in this content are no longer supported. See REVOKE.
REVOKE
privilege_type [, privilege_type ] ...
ON (CATALOG | DATABASE <database-name> | TABLE <table-name> | VIEW <view-name> | FUNCTION <function-name> | ANONYMOUS FUNCTION | ANY FILE)
FROM principal
privilege_type
: SELECT | CREATE | MODIFY | READ_METADATA | CREATE_NAMED_FUNCTION | ALL PRIVILEGES
principal
: `<user>@<domain-name>` | <group-name>
Revoke an explicitly granted or denied privilege on an object from a user or principal. A REVOKE is strictly
scoped to the object specified in the command and does not cascade to contained objects.
To revoke a privilege from all users, specify the keyword users after FROM.
For example, suppose there is a database db with tables t1 and t2. A user is initially granted
SELECT privileges on db and on t1. The user can access t2 due to the GRANT on the
database db.
If the administrator revokes the SELECT privilege on db, the user will no longer be able to
access t2, but will still be able to access t1 since there is an explicit GRANT on table t1.
If the administrator instead revokes the SELECT on table t1 but still keeps the SELECT on
database db, the user can still access t1 because the SELECT on the database db implicitly
confers privileges on the table t1.