The DEFAULT Clause
When the DEFAULT clause is specified, the role itself is not revoked, only its DEFAULT property is removed without revoking the role itself.
%22%20gradientUnits%3D%22userSpaceOnUse%22%3E%3Cstop%20stop-color%3D%22%23fd0a02%22%20offset%3D%220%22%2F%3E%3Cstop%20stop-color%3D%22%23fd3703%22%20offset%3D%22.27%22%2F%3E%3Cstop%20stop-color%3D%22%23fffb17%22%20offset%3D%221%22%2F%3E%3C%2FlinearGradient%3E%3CradialGradient%20id%3D%22IDa%22%20cx%3D%22226.87%22%20cy%3D%22227.78%22%20r%3D%22226.77%22%20gradientTransform%3D%22matrix(1%200%200%20.99928%204.5%20.16398)%22%20gradientUnits%3D%22userSpaceOnUse%22%20spreadMethod%3D%22reflect%22%3E%3Cstop%20stop-color%3D%22%23fffb17%22%20offset%3D%22-99%22%2F%3E%3Cstop%20stop-color%3D%22%23fd3703%22%20style%3D%22stop-color%3A%23d6d6d6%3Bstop-opacity%3A.80992%22%20offset%3D%22-25.96%22%2F%3E%3Cstop%20stop-color%3D%22%23fd0a02%22%20style%3D%22stop-color%3A%23640401%22%20offset%3D%221%22%2F%3E%3C%2FradialGradient%3E%3Cfilter%20id%3D%22IDc%22%20x%3D%22-.073393%22%20y%3D%22-.073446%22%20width%3D%221.1468%22%20height%3D%221.1469%22%20style%3D%22color-interpolation-filters%3AsRGB%22%3E%3CfeGaussianBlur%20stdDeviation%3D%2213.661255%22%2F%3E%3C%2Ffilter%3E%3C%2Fdefs%3E%3Cg%20transform%3D%22translate(28.187%2031.614)%22%3E%3Cpath%20d%3D%22m144.36%20418.24c-31.519-36.408-42.174-117.36-35.104-140.33%209.9544-32.345%2021.049-46.054%2052.91-61.14%2012.171-5.7629%2030.369-9.7087%2040.618-16.999%209.6275-6.8485%2011.103-20.882%200.3031-30.555-11.374-10.186-25.905-6.8539-44.714-1.9463-0.8293%200.2163-2.2371%201.2415-2.4517%202.0893-0.5764%202.2763%200.3517%204.8404%201.55%207.9654-13.009-4.9358-26.833-14.752-28.839-21.314-6.3773-20.865%2017.573-38.445%2048.266-37.644-3.4102-17.273-3.4635-26.602%2018.537-25.134%2032.366%202.1593%2053.818%2013.086%2085.84%2021.325%202.5911%200.6668%2015.302%204.2674%2017.351%202.4455%201.3911-1.2363%202.2548-6.8008%204.1746-11.352%201.7884%205.7771%203.6412%2013.171%201.3306%2018.928-3.601%208.9701-42.338%200.4436-49.836-0.4936-1.4719%202.0873-0.7547%206.4248%201.0548%206.9152%2021.778%205.9031%2040.947%2025.511%2046.258%2034.455%208.8055%2014.832%2010.521%2029.513%207.7741%2042.707-2.5105%2012.06-21.178%2036.296-31.757%2050.233-13.891%2018.301-22.03%2028.984-9.0675%2043.421%206.6796%207.4391%2040.824%2010.557%2075.278-3.6384%2030.204-12.444%2075.735-59.108%2075.527-110.4-0.4087-100.65-83.111-169.04-176.17-181.35-4.1817-0.6355-4.2058-5.2511-0.0238-5.2514%2085.729-8e-3%20214.98%2078.833%20214.98%20226.49%202e-4%20127-105.71%20226.72-223.18%20226.72-46.871%200-69.584-11.872-90.603-36.151zm-139.76-190.62c0-147.17%20129.41-226.45%20214.98-226.45%204.2192%200%204.2282%204.6119%209e-3%205.2304-94.354%2010.94-163.61%2072.376-180.2%20163.11-13.135%2071.848%2014.501%20141.16%2066.086%20182.98%206.8172%2036.501%2027.251%2073.534%2052.047%2089.504-97.014-32.749-152.92-124.89-152.92-214.38zm189.2-109.32c-1.0982-0.0895-5.4887-5.9834-1.2128-6.6405%2010.982-1.6874%2021.989%202.9859%2027.148%206.8763%200.9582%200.7226%200.4686%203.0838-0.2361%202.9402-5.5378-1.1299-24.15-3.05-25.699-3.176z%22%20style%3D%22fill-rule%3Aevenodd%3Bfill%3Aurl(%23IDa)%3Bfilter%3Aurl(%23IDc)%3Bmix-blend-mode%3Anormal%3Bopacity%3A.61733%3Bstroke-width%3A.99975%3Bstroke%3A%23000000%22%2F%3E%3Cpath%20d%3D%22m139.76%20417.07c-31.519-36.408-42.174-117.36-35.104-140.33%209.9544-32.345%2021.049-46.054%2052.91-61.14%2012.171-5.7629%2030.369-9.7087%2040.618-16.999%209.6275-6.8485%2011.103-20.882%200.3031-30.555-11.374-10.186-25.905-6.8539-44.714-1.9463-0.8293%200.2163-2.2371%201.2415-2.4517%202.0893-0.5764%202.2763%200.3517%204.8404%201.55%207.9654-13.009-4.9358-26.833-14.752-28.839-21.314-6.3773-20.865%2017.573-38.445%2048.266-37.644-3.4102-17.273-3.4635-26.602%2018.537-25.134%2032.366%202.1593%2053.818%2013.086%2085.84%2021.325%202.5911%200.6668%2015.302%204.2674%2017.351%202.4455%201.3911-1.2363%202.2548-6.8008%204.1746-11.352%201.7884%205.7771%203.6412%2013.171%201.3306%2018.928-3.601%208.9701-42.338%200.4436-49.836-0.4936-1.4719%202.0873-0.7547%206.4248%201.0548%206.9152%2021.778%205.9031%2040.947%2025.511%2046.258%2034.455%208.8055%2014.832%2010.521%2029.513%207.7741%2042.707-2.5105%2012.06-21.178%2036.296-31.757%2050.233-13.891%2018.301-22.03%2028.984-9.0675%2043.421%206.6796%207.4391%2040.824%2010.557%2075.278-3.6384%2030.204-12.444%2075.735-59.108%2075.527-110.4-0.4087-100.65-83.111-169.04-176.17-181.35-4.1817-0.6355-4.2058-5.2511-0.0238-5.2514%2085.729-8e-3%20214.98%2078.833%20214.98%20226.49%202e-4%20127-105.71%20226.72-223.18%20226.72-46.871%200-69.584-11.872-90.603-36.151zm-139.76-190.62c0-147.17%20129.41-226.45%20214.98-226.45%204.2192%200%204.2282%204.6119%209e-3%205.2304-94.354%2010.94-163.61%2072.376-180.2%20163.11-13.135%2071.848%2014.501%20141.16%2066.086%20182.98%206.8172%2036.501%2027.251%2073.534%2052.047%2089.504-97.014-32.749-152.92-124.89-152.92-214.38zm189.2-109.32c-1.0982-0.0895-5.4887-5.9834-1.2128-6.6405%2010.982-1.6874%2021.989%202.9859%2027.148%206.8763%200.9582%200.7226%200.4686%203.0838-0.2361%202.9402-5.5378-1.1299-24.15-3.05-25.699-3.176z%22%20style%3D%22fill-rule%3Aevenodd%3Bfill%3Aurl(%23IDb)%3Bstroke-width%3A.32475%3Bstroke%3A%23909090%22%2F%3E%3C%2Fg%3E%3C%2Fsvg%3E%0A){kind=small}
- languageAnglaiskeyboard_arrow_down
- languageFrançais
- languageРусский
- languageDeutsch
The
The FROM Clause
The FROM clause specifies a list of users, roles and other database objects that will have the enumerated privileges revoked.The optional USER keyword in the FROM clause allow you to specify exactly which type is to have the privilege revoked.If a USER (or ROLE) keyword is not specified, the server first checks for a role with this name and, if there is no such role, the privileges are revoked from the user with that name without further checking.
|
Tip
|
|
|
Important
|
Revoking Privileges from user
PUBLICPrivileges that were granted to the special user named |
Revoking the GRANT OPTION
The optional GRANT OPTION FOR clause revokes the user’s privilege to grant the specified privileges to other users, roles, or database objects (as previously granted with the WITH GRANT OPTION).It does not revoke the specified privilege itself.
Removing the Privilege to One or More Roles
One usage of the REVOKE statement is to remove roles that were assigned to a user, or a group of users, by a GRANT statement.In the case of multiple roles and/or multiple grantees, the REVOKE verb is followed by the list of roles that will be removed from the list of users specified after the FROM clause.
The optional ADMIN OPTION FOR clause provides the means to revoke the grantee’s “administrator” privilege, the ability to assign the same role to other users, without revoking the grantee’s privilege to the role.
Multiple roles and grantees can be processed in a single statement.
Revoking Privileges That Were GRANTED BY
A privilege that has been granted using the GRANTED BY clause is internally attributed explicitly to the grantor designated by that original GRANT statement.Only that user can revoke the granted privilege.Using the GRANTED BY clause you can revoke privileges as if you are the specified user.To revoke a privilege with GRANTED BY, the current user must be logged in either with full administrative privileges, or as the user designated as grantor by that GRANTED BY clause.
|
Note
|
Not even the owner of a role can use |
The non-standard AS clause is supported as a synonym of the GRANTED BY clause to simplify migration from other database systems.
Revoking ALL ON ALL
The REVOKE ALL ON ALL statement allows a user to revoke all privileges (including roles) on all object from one or more users, roles or other database objects.It is a quick way to “clear” privileges when access to the database must be blocked for a particular user or role.
When the current user is logged in with full administrator privileges in the database, the REVOKE ALL ON ALL will remove all privileges, no matter who granted them.Otherwise, only the privileges granted by the current user are removed.
|
Note
|
The |
Examples using REVOKE
-
Revoking the privileges for selecting and inserting into the table (or view)
SALESREVOKE SELECT, INSERT ON TABLE SALES FROM USER ALEX; -
Revoking the privilege for selecting from the
CUSTOMERtable from theMANAGERandENGINEERroles and from the userIVAN:REVOKE SELECT ON TABLE CUSTOMER FROM ROLE MANAGER, ROLE ENGINEER, USER IVAN; -
Revoking from the
ADMINISTRATORrole the privilege to grant any privileges on theCUSTOMERtable to other users or roles:REVOKE GRANT OPTION FOR ALL ON TABLE CUSTOMER FROM ROLE ADMINISTRATOR; -
Revoking the privilege for selecting from the
COUNTRYtable and the privilege to reference theNAMEcolumn of theCOUNTRYtable from any user, via the special userPUBLIC:REVOKE SELECT, REFERENCES (NAME) ON TABLE COUNTRY FROM PUBLIC; -
Revoking the privilege for selecting form the
EMPLOYEEtable from the userIVAN, that was granted by the userALEX:REVOKE SELECT ON TABLE EMPLOYEE FROM USER IVAN GRANTED BY ALEX; -
Revoking the privilege for updating the
FIRST_NAMEandLAST_NAMEcolumns of theEMPLOYEEtable from the userIVAN:REVOKE UPDATE (FIRST_NAME, LAST_NAME) ON TABLE EMPLOYEE FROM USER IVAN; -
Revoking the privilege for inserting records into the
EMPLOYEE_PROJECTtable from theADD_EMP_PROJprocedure:REVOKE INSERT ON EMPLOYEE_PROJECT FROM PROCEDURE ADD_EMP_PROJ; -
Revoking the privilege for executing the procedure
ADD_EMP_PROJfrom theMANAGERrole:REVOKE EXECUTE ON PROCEDURE ADD_EMP_PROJ FROM ROLE MANAGER; -
Revoking the privilege to grant the
EXECUTEprivilege for the functionGET_BEGIN_DATEto other users from the roleMANAGER:REVOKE GRANT OPTION FOR EXECUTE ON FUNCTION GET_BEGIN_DATE FROM ROLE MANAGER; -
Revoking the
EXECUTEprivilege on the packageDATE_UTILSfrom userALEX:REVOKE EXECUTE ON PACKAGE DATE_UTILS FROM USER ALEX; -
Revoking the
USAGEprivilege on the sequenceGEN_AGEfrom the roleMANAGER:REVOKE USAGE ON SEQUENCE GEN_AGE FROM ROLE MANAGER; -
Revoking the
USAGEprivilege on the sequenceGEN_AGEfrom the triggerTR_AGE_BI:REVOKE USAGE ON SEQUENCE GEN_AGE FROM TRIGGER TR_AGE_BI; -
Revoking the
USAGEprivilege on the exceptionE_ACCESS_DENIEDfrom the packagePKG_BILL:REVOKE USAGE ON EXCEPTION E_ACCESS_DENIED FROM PACKAGE PKG_BILL; -
Revoking the privilege to create tables from user
JOE:REVOKE CREATE TABLE FROM USER Joe; -
Revoking the privilege to alter any procedure from user
JOE:REVOKE ALTER ANY PROCEDURE FROM USER Joe; -
Revoking the privilege to create databases from user
SUPERUSER:REVOKE CREATE DATABASE FROM USER Superuser; -
Revoking the
DIRECTORandMANAGERroles from the userIVAN:REVOKE DIRECTOR, MANAGER FROM USER IVAN; -
Revoke from the user
ALEXthe privilege to grant theMANAGERrole to other users:REVOKE ADMIN OPTION FOR MANAGER FROM USER ALEX; -
Revoking all privileges (including roles) on all objects from the user
IVAN:REVOKE ALL ON ALL FROM USER IVAN;After this statement is executed by an administrator, the user
IVANwill have no privileges whatsoever, except those granted throughPUBLIC. -
Revoking the
DEFAULTproperty of theDIRECTORrole from userALEX, while the role itself remains granted:REVOKE DEFAULT DIRECTOR FROM USER ALEX;
See also