REVOKE ROLE

Syntax

Copy

REVOKE ROLE role_name [, ...]
[
    FROM USER user_email
    | FROM ROLE role_name [, ...]
];

Description

Revoke access to role(s) from a user or other role(s). This prevents a user from USE ROLE and removes all the privileges previously granted to the role, respectively.

The current role requires one of the following privileges:

Ownership of organization
MANAGE_MEMBERS privilege on organization
OWNER privilege on both parent and child roles (when revoking from role(s))

Arguments

role_name [, role_name...]

One or more roles to revoke.

user_email

Email of the user from whom you are revoking roles.

role_name [, role_name...]

One or more roles that are revoked from role(s).

Examples

Revoke role from a user

<no-db>/<no-store># REVOKE ROLE custom_role FROM USER '[email protected]';
+-------------+------------+------------------------------------------+
|  Type       |  Command   |  Summary                                 |
+=============+============+==========================================+
| role revoke | ALTER      | Role(s) "custom_role" revoked from user  |
|             |            | "emailfbdad716-3abf-4484-b783-5ad48d32f0 |
|             |            | [email protected]"                       |
+-------------+------------+------------------------------------------+
<no-db>/<no-store># LIST USER ROLES;
+---------------+-------------+-------------+---------------+
|  Name         |  Is Current |  Is Default |  Is Inherited |
+===============+=============+=============+===============+
| orgadmin      | false       | false       | false         |
+---------------+-------------+-------------+---------------+
| public        | false       | false       | true          |
+---------------+-------------+-------------+---------------+
| securityadmin | false       | false       | true          |
+---------------+-------------+-------------+---------------+
| useradmin     | true        | false       | true          |
+---------------+-------------+-------------+---------------+
| sysadmin      | false       | true        | true          |
+---------------+-------------+-------------+---------------+

Revoke role from another role

<no-db>/<no-store># DESCRIBE ROLE sysadmin;
+--------------+------------+--------------------------+--------------------+-------------+
|  Type        |  Name      |  Privilege               |  With Grant Option |  Granted By |
+==============+============+==========================+====================+=============+
| role         | public     | usage                    | false              | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| role         | useradmin  | usage                    | false              | useradmin   |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_database          | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_descriptor_source | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_function_source   | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_function          | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_store             | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_query             | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | usage                    | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_schema_registry   | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_connector         | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_secret            | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_aws_private_link  | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| role         | useradmin  | usage                    | false              | useradmin   |
+--------------+------------+--------------------------+--------------------+-------------+
<no-db>/<no-store># REVOKE ROLE useradmin FROM ROLE sysadmin;
+-------------+------------+------------------------------------------+
|  Type       |  Command   |  Summary                                 |
+=============+============+==========================================+
| role revoke | ALTER      | Role(s) "useradmin" revoked from         |
|             |            | role(s) "sysadmin"                       |
+-------------+------------+------------------------------------------+
<no-db>/<no-store># DESCRIBE ROLE sysadmin;
+--------------+------------+--------------------------+--------------------+-------------+
|  Type        |  Name      |  Privilege               |  With Grant Option |  Granted By |
+==============+============+==========================+====================+=============+
| role         | public     | usage                    | false              | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_database          | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_descriptor_source | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_function_source   | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_function          | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_store             | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_query             | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | usage                    | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_schema_registry   | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_connector         | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_secret            | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+
| organization | uuid...    | create_aws_private_link  | true               | orgadmin    |
+--------------+------------+--------------------------+--------------------+-------------+

PreviousREVOKE PRIVILEGES NextSET DEFAULT

Last updated 9 months ago