Revoke

REVOKE
  privilege_type [, privilege_type ] ...
  ON (CATALOG | DATABASE <database-name> | [TABLE] <table-name> | [VIEW] <view-name> | [FUNCTION] <function-name> | ANONYMOUS FUNCTION | ANY FILE)
  FROM principal

privilege_type
  : SELECT | CREATE | MODIFY | READ_METADATA | CREATE_NAMED_FUNCTION | ALL PRIVILEGES

principal
  : `<user>@<domain-name>` | <group-name>

Revoke an explicitly granted or denied privilege on an object from a user or principal. A REVOKE is strictly scoped to the object specified in the command and does not cascade to contained objects.

To revoke a privilege from all users, specify the keyword users after FROM.

For example, suppose there is a database db with tables t1 and t2. A user is initially granted SELECT privileges on db and on t1. The user can access t2 due to the GRANT on the database db.

If the administrator revokes the SELECT privilege on db, the user will no longer be able to access t2, but will still be able to access t1 since there is an explicit GRANT on table t1.

If the administrator instead revokes the SELECT on table t1 but still keeps the SELECT on database db, the user can still access t1 because the SELECT on the database db implicitly confers privileges on the table t1.

Examples

REVOKE ALL PRIVILEGES ON DATABASE default FROM `<user>@<domain-name>`
REVOKE SELECT ON <table-name> FROM `<user>@<domain-name>`