1REVOKE(7)                PostgreSQL 14.3 Documentation               REVOKE(7)
2
3
4

NAME

6       REVOKE - remove access privileges
7

SYNOPSIS

9       REVOKE [ GRANT OPTION FOR ]
10           { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
11           [, ...] | ALL [ PRIVILEGES ] }
12           ON { [ TABLE ] table_name [, ...]
13                | ALL TABLES IN SCHEMA schema_name [, ...] }
14           FROM role_specification [, ...]
15           [ GRANTED BY role_specification ]
16           [ CASCADE | RESTRICT ]
17
18       REVOKE [ GRANT OPTION FOR ]
19           { { SELECT | INSERT | UPDATE | REFERENCES } ( column_name [, ...] )
20           [, ...] | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
21           ON [ TABLE ] table_name [, ...]
22           FROM role_specification [, ...]
23           [ GRANTED BY role_specification ]
24           [ CASCADE | RESTRICT ]
25
26       REVOKE [ GRANT OPTION FOR ]
27           { { USAGE | SELECT | UPDATE }
28           [, ...] | ALL [ PRIVILEGES ] }
29           ON { SEQUENCE sequence_name [, ...]
30                | ALL SEQUENCES IN SCHEMA schema_name [, ...] }
31           FROM role_specification [, ...]
32           [ GRANTED BY role_specification ]
33           [ CASCADE | RESTRICT ]
34
35       REVOKE [ GRANT OPTION FOR ]
36           { { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
37           ON DATABASE database_name [, ...]
38           FROM role_specification [, ...]
39           [ GRANTED BY role_specification ]
40           [ CASCADE | RESTRICT ]
41
42       REVOKE [ GRANT OPTION FOR ]
43           { USAGE | ALL [ PRIVILEGES ] }
44           ON DOMAIN domain_name [, ...]
45           FROM role_specification [, ...]
46           [ GRANTED BY role_specification ]
47           [ CASCADE | RESTRICT ]
48
49       REVOKE [ GRANT OPTION FOR ]
50           { USAGE | ALL [ PRIVILEGES ] }
51           ON FOREIGN DATA WRAPPER fdw_name [, ...]
52           FROM role_specification [, ...]
53           [ GRANTED BY role_specification ]
54           [ CASCADE | RESTRICT ]
55
56       REVOKE [ GRANT OPTION FOR ]
57           { USAGE | ALL [ PRIVILEGES ] }
58           ON FOREIGN SERVER server_name [, ...]
59           FROM role_specification [, ...]
60           [ GRANTED BY role_specification ]
61           [ CASCADE | RESTRICT ]
62
63       REVOKE [ GRANT OPTION FOR ]
64           { EXECUTE | ALL [ PRIVILEGES ] }
65           ON { { FUNCTION | PROCEDURE | ROUTINE } function_name [ ( [ [ argmode ] [ arg_name ] arg_type [, ...] ] ) ] [, ...]
66                | ALL { FUNCTIONS | PROCEDURES | ROUTINES } IN SCHEMA schema_name [, ...] }
67           FROM role_specification [, ...]
68           [ GRANTED BY role_specification ]
69           [ CASCADE | RESTRICT ]
70
71       REVOKE [ GRANT OPTION FOR ]
72           { USAGE | ALL [ PRIVILEGES ] }
73           ON LANGUAGE lang_name [, ...]
74           FROM role_specification [, ...]
75           [ GRANTED BY role_specification ]
76           [ CASCADE | RESTRICT ]
77
78       REVOKE [ GRANT OPTION FOR ]
79           { { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
80           ON LARGE OBJECT loid [, ...]
81           FROM role_specification [, ...]
82           [ GRANTED BY role_specification ]
83           [ CASCADE | RESTRICT ]
84
85       REVOKE [ GRANT OPTION FOR ]
86           { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
87           ON SCHEMA schema_name [, ...]
88           FROM role_specification [, ...]
89           [ GRANTED BY role_specification ]
90           [ CASCADE | RESTRICT ]
91
92       REVOKE [ GRANT OPTION FOR ]
93           { CREATE | ALL [ PRIVILEGES ] }
94           ON TABLESPACE tablespace_name [, ...]
95           FROM role_specification [, ...]
96           [ GRANTED BY role_specification ]
97           [ CASCADE | RESTRICT ]
98
99       REVOKE [ GRANT OPTION FOR ]
100           { USAGE | ALL [ PRIVILEGES ] }
101           ON TYPE type_name [, ...]
102           FROM role_specification [, ...]
103           [ GRANTED BY role_specification ]
104           [ CASCADE | RESTRICT ]
105
106       REVOKE [ ADMIN OPTION FOR ]
107           role_name [, ...] FROM role_specification [, ...]
108           [ GRANTED BY role_specification ]
109           [ CASCADE | RESTRICT ]
110
111       where role_specification can be:
112
113           [ GROUP ] role_name
114         | PUBLIC
115         | CURRENT_ROLE
116         | CURRENT_USER
117         | SESSION_USER
118

DESCRIPTION

120       The REVOKE command revokes previously granted privileges from one or
121       more roles. The key word PUBLIC refers to the implicitly defined group
122       of all roles.
123
124       See the description of the GRANT command for the meaning of the
125       privilege types.
126
127       Note that any particular role will have the sum of privileges granted
128       directly to it, privileges granted to any role it is presently a member
129       of, and privileges granted to PUBLIC. Thus, for example, revoking
130       SELECT privilege from PUBLIC does not necessarily mean that all roles
131       have lost SELECT privilege on the object: those who have it granted
132       directly or via another role will still have it. Similarly, revoking
133       SELECT from a user might not prevent that user from using SELECT if
134       PUBLIC or another membership role still has SELECT rights.
135
136       If GRANT OPTION FOR is specified, only the grant option for the
137       privilege is revoked, not the privilege itself. Otherwise, both the
138       privilege and the grant option are revoked.
139
140       If a user holds a privilege with grant option and has granted it to
141       other users then the privileges held by those other users are called
142       dependent privileges. If the privilege or the grant option held by the
143       first user is being revoked and dependent privileges exist, those
144       dependent privileges are also revoked if CASCADE is specified; if it is
145       not, the revoke action will fail. This recursive revocation only
146       affects privileges that were granted through a chain of users that is
147       traceable to the user that is the subject of this REVOKE command. Thus,
148       the affected users might effectively keep the privilege if it was also
149       granted through other users.
150
151       When revoking privileges on a table, the corresponding column
152       privileges (if any) are automatically revoked on each column of the
153       table, as well. On the other hand, if a role has been granted
154       privileges on a table, then revoking the same privileges from
155       individual columns will have no effect.
156
157       When revoking membership in a role, GRANT OPTION is instead called
158       ADMIN OPTION, but the behavior is similar. This form of the command
159       also allows a GRANTED BY option, but that option is currently ignored
160       (except for checking the existence of the named role). Note also that
161       this form of the command does not allow the noise word GROUP in
162       role_specification.
163

NOTES

165       A user can only revoke privileges that were granted directly by that
166       user. If, for example, user A has granted a privilege with grant option
167       to user B, and user B has in turn granted it to user C, then user A
168       cannot revoke the privilege directly from C. Instead, user A could
169       revoke the grant option from user B and use the CASCADE option so that
170       the privilege is in turn revoked from user C. For another example, if
171       both A and B have granted the same privilege to C, A can revoke their
172       own grant but not B's grant, so C will still effectively have the
173       privilege.
174
175       When a non-owner of an object attempts to REVOKE privileges on the
176       object, the command will fail outright if the user has no privileges
177       whatsoever on the object. As long as some privilege is available, the
178       command will proceed, but it will revoke only those privileges for
179       which the user has grant options. The REVOKE ALL PRIVILEGES forms will
180       issue a warning message if no grant options are held, while the other
181       forms will issue a warning if grant options for any of the privileges
182       specifically named in the command are not held. (In principle these
183       statements apply to the object owner as well, but since the owner is
184       always treated as holding all grant options, the cases can never
185       occur.)
186
187       If a superuser chooses to issue a GRANT or REVOKE command, the command
188       is performed as though it were issued by the owner of the affected
189       object. Since all privileges ultimately come from the object owner
190       (possibly indirectly via chains of grant options), it is possible for a
191       superuser to revoke all privileges, but this might require use of
192       CASCADE as stated above.
193
194       REVOKE can also be done by a role that is not the owner of the affected
195       object, but is a member of the role that owns the object, or is a
196       member of a role that holds privileges WITH GRANT OPTION on the object.
197       In this case the command is performed as though it were issued by the
198       containing role that actually owns the object or holds the privileges
199       WITH GRANT OPTION. For example, if table t1 is owned by role g1, of
200       which role u1 is a member, then u1 can revoke privileges on t1 that are
201       recorded as being granted by g1. This would include grants made by u1
202       as well as by other members of role g1.
203
204       If the role executing REVOKE holds privileges indirectly via more than
205       one role membership path, it is unspecified which containing role will
206       be used to perform the command. In such cases it is best practice to
207       use SET ROLE to become the specific role you want to do the REVOKE as.
208       Failure to do so might lead to revoking privileges other than the ones
209       you intended, or not revoking anything at all.
210
211       See Section 5.7 for more information about specific privilege types, as
212       well as how to inspect objects' privileges.
213

EXAMPLES

215       Revoke insert privilege for the public on table films:
216
217           REVOKE INSERT ON films FROM PUBLIC;
218
219       Revoke all privileges from user manuel on view kinds:
220
221           REVOKE ALL PRIVILEGES ON kinds FROM manuel;
222
223       Note that this actually means “revoke all privileges that I granted”.
224
225       Revoke membership in role admins from user joe:
226
227           REVOKE admins FROM joe;
228

COMPATIBILITY

230       The compatibility notes of the GRANT command apply analogously to
231       REVOKE. The keyword RESTRICT or CASCADE is required according to the
232       standard, but PostgreSQL assumes RESTRICT by default.
233

SEE ALSO

235       GRANT(7), ALTER DEFAULT PRIVILEGES (ALTER_DEFAULT_PRIVILEGES(7))
236
237
238
239PostgreSQL 14.3                      2022                            REVOKE(7)
Impressum