1REVOKE(7)                PostgreSQL 15.4 Documentation               REVOKE(7)
2
3
4

NAME

6       REVOKE - remove access privileges
7

SYNOPSIS

9       REVOKE [ GRANT OPTION FOR ]
10           { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
11           [, ...] | ALL [ PRIVILEGES ] }
12           ON { [ TABLE ] table_name [, ...]
13                | ALL TABLES IN SCHEMA schema_name [, ...] }
14           FROM role_specification [, ...]
15           [ GRANTED BY role_specification ]
16           [ CASCADE | RESTRICT ]
17
18       REVOKE [ GRANT OPTION FOR ]
19           { { SELECT | INSERT | UPDATE | REFERENCES } ( column_name [, ...] )
20           [, ...] | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
21           ON [ TABLE ] table_name [, ...]
22           FROM role_specification [, ...]
23           [ GRANTED BY role_specification ]
24           [ CASCADE | RESTRICT ]
25
26       REVOKE [ GRANT OPTION FOR ]
27           { { USAGE | SELECT | UPDATE }
28           [, ...] | ALL [ PRIVILEGES ] }
29           ON { SEQUENCE sequence_name [, ...]
30                | ALL SEQUENCES IN SCHEMA schema_name [, ...] }
31           FROM role_specification [, ...]
32           [ GRANTED BY role_specification ]
33           [ CASCADE | RESTRICT ]
34
35       REVOKE [ GRANT OPTION FOR ]
36           { { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
37           ON DATABASE database_name [, ...]
38           FROM role_specification [, ...]
39           [ GRANTED BY role_specification ]
40           [ CASCADE | RESTRICT ]
41
42       REVOKE [ GRANT OPTION FOR ]
43           { USAGE | ALL [ PRIVILEGES ] }
44           ON DOMAIN domain_name [, ...]
45           FROM role_specification [, ...]
46           [ GRANTED BY role_specification ]
47           [ CASCADE | RESTRICT ]
48
49       REVOKE [ GRANT OPTION FOR ]
50           { USAGE | ALL [ PRIVILEGES ] }
51           ON FOREIGN DATA WRAPPER fdw_name [, ...]
52           FROM role_specification [, ...]
53           [ GRANTED BY role_specification ]
54           [ CASCADE | RESTRICT ]
55
56       REVOKE [ GRANT OPTION FOR ]
57           { USAGE | ALL [ PRIVILEGES ] }
58           ON FOREIGN SERVER server_name [, ...]
59           FROM role_specification [, ...]
60           [ GRANTED BY role_specification ]
61           [ CASCADE | RESTRICT ]
62
63       REVOKE [ GRANT OPTION FOR ]
64           { EXECUTE | ALL [ PRIVILEGES ] }
65           ON { { FUNCTION | PROCEDURE | ROUTINE } function_name [ ( [ [ argmode ] [ arg_name ] arg_type [, ...] ] ) ] [, ...]
66                | ALL { FUNCTIONS | PROCEDURES | ROUTINES } IN SCHEMA schema_name [, ...] }
67           FROM role_specification [, ...]
68           [ GRANTED BY role_specification ]
69           [ CASCADE | RESTRICT ]
70
71       REVOKE [ GRANT OPTION FOR ]
72           { USAGE | ALL [ PRIVILEGES ] }
73           ON LANGUAGE lang_name [, ...]
74           FROM role_specification [, ...]
75           [ GRANTED BY role_specification ]
76           [ CASCADE | RESTRICT ]
77
78       REVOKE [ GRANT OPTION FOR ]
79           { { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
80           ON LARGE OBJECT loid [, ...]
81           FROM role_specification [, ...]
82           [ GRANTED BY role_specification ]
83           [ CASCADE | RESTRICT ]
84
85       REVOKE [ GRANT OPTION FOR ]
86           { { SET | ALTER SYSTEM } [, ...] | ALL [ PRIVILEGES ] }
87           ON PARAMETER configuration_parameter [, ...]
88           FROM role_specification [, ...]
89           [ GRANTED BY role_specification ]
90           [ CASCADE | RESTRICT ]
91
92       REVOKE [ GRANT OPTION FOR ]
93           { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
94           ON SCHEMA schema_name [, ...]
95           FROM role_specification [, ...]
96           [ GRANTED BY role_specification ]
97           [ CASCADE | RESTRICT ]
98
99       REVOKE [ GRANT OPTION FOR ]
100           { CREATE | ALL [ PRIVILEGES ] }
101           ON TABLESPACE tablespace_name [, ...]
102           FROM role_specification [, ...]
103           [ GRANTED BY role_specification ]
104           [ CASCADE | RESTRICT ]
105
106       REVOKE [ GRANT OPTION FOR ]
107           { USAGE | ALL [ PRIVILEGES ] }
108           ON TYPE type_name [, ...]
109           FROM role_specification [, ...]
110           [ GRANTED BY role_specification ]
111           [ CASCADE | RESTRICT ]
112
113       REVOKE [ ADMIN OPTION FOR ]
114           role_name [, ...] FROM role_specification [, ...]
115           [ GRANTED BY role_specification ]
116           [ CASCADE | RESTRICT ]
117
118       where role_specification can be:
119
120           [ GROUP ] role_name
121         | PUBLIC
122         | CURRENT_ROLE
123         | CURRENT_USER
124         | SESSION_USER
125

DESCRIPTION

127       The REVOKE command revokes previously granted privileges from one or
128       more roles. The key word PUBLIC refers to the implicitly defined group
129       of all roles.
130
131       See the description of the GRANT command for the meaning of the
132       privilege types.
133
134       Note that any particular role will have the sum of privileges granted
135       directly to it, privileges granted to any role it is presently a member
136       of, and privileges granted to PUBLIC. Thus, for example, revoking
137       SELECT privilege from PUBLIC does not necessarily mean that all roles
138       have lost SELECT privilege on the object: those who have it granted
139       directly or via another role will still have it. Similarly, revoking
140       SELECT from a user might not prevent that user from using SELECT if
141       PUBLIC or another membership role still has SELECT rights.
142
143       If GRANT OPTION FOR is specified, only the grant option for the
144       privilege is revoked, not the privilege itself. Otherwise, both the
145       privilege and the grant option are revoked.
146
147       If a user holds a privilege with grant option and has granted it to
148       other users then the privileges held by those other users are called
149       dependent privileges. If the privilege or the grant option held by the
150       first user is being revoked and dependent privileges exist, those
151       dependent privileges are also revoked if CASCADE is specified; if it is
152       not, the revoke action will fail. This recursive revocation only
153       affects privileges that were granted through a chain of users that is
154       traceable to the user that is the subject of this REVOKE command. Thus,
155       the affected users might effectively keep the privilege if it was also
156       granted through other users.
157
158       When revoking privileges on a table, the corresponding column
159       privileges (if any) are automatically revoked on each column of the
160       table, as well. On the other hand, if a role has been granted
161       privileges on a table, then revoking the same privileges from
162       individual columns will have no effect.
163
164       When revoking membership in a role, GRANT OPTION is instead called
165       ADMIN OPTION, but the behavior is similar. This form of the command
166       also allows a GRANTED BY option, but that option is currently ignored
167       (except for checking the existence of the named role). Note also that
168       this form of the command does not allow the noise word GROUP in
169       role_specification.
170

NOTES

172       A user can only revoke privileges that were granted directly by that
173       user. If, for example, user A has granted a privilege with grant option
174       to user B, and user B has in turn granted it to user C, then user A
175       cannot revoke the privilege directly from C. Instead, user A could
176       revoke the grant option from user B and use the CASCADE option so that
177       the privilege is in turn revoked from user C. For another example, if
178       both A and B have granted the same privilege to C, A can revoke their
179       own grant but not B's grant, so C will still effectively have the
180       privilege.
181
182       When a non-owner of an object attempts to REVOKE privileges on the
183       object, the command will fail outright if the user has no privileges
184       whatsoever on the object. As long as some privilege is available, the
185       command will proceed, but it will revoke only those privileges for
186       which the user has grant options. The REVOKE ALL PRIVILEGES forms will
187       issue a warning message if no grant options are held, while the other
188       forms will issue a warning if grant options for any of the privileges
189       specifically named in the command are not held. (In principle these
190       statements apply to the object owner as well, but since the owner is
191       always treated as holding all grant options, the cases can never
192       occur.)
193
194       If a superuser chooses to issue a GRANT or REVOKE command, the command
195       is performed as though it were issued by the owner of the affected
196       object. Since all privileges ultimately come from the object owner
197       (possibly indirectly via chains of grant options), it is possible for a
198       superuser to revoke all privileges, but this might require use of
199       CASCADE as stated above.
200
201       REVOKE can also be done by a role that is not the owner of the affected
202       object, but is a member of the role that owns the object, or is a
203       member of a role that holds privileges WITH GRANT OPTION on the object.
204       In this case the command is performed as though it were issued by the
205       containing role that actually owns the object or holds the privileges
206       WITH GRANT OPTION. For example, if table t1 is owned by role g1, of
207       which role u1 is a member, then u1 can revoke privileges on t1 that are
208       recorded as being granted by g1. This would include grants made by u1
209       as well as by other members of role g1.
210
211       If the role executing REVOKE holds privileges indirectly via more than
212       one role membership path, it is unspecified which containing role will
213       be used to perform the command. In such cases it is best practice to
214       use SET ROLE to become the specific role you want to do the REVOKE as.
215       Failure to do so might lead to revoking privileges other than the ones
216       you intended, or not revoking anything at all.
217
218       See Section 5.7 for more information about specific privilege types, as
219       well as how to inspect objects' privileges.
220

EXAMPLES

222       Revoke insert privilege for the public on table films:
223
224           REVOKE INSERT ON films FROM PUBLIC;
225
226       Revoke all privileges from user manuel on view kinds:
227
228           REVOKE ALL PRIVILEGES ON kinds FROM manuel;
229
230       Note that this actually means “revoke all privileges that I granted”.
231
232       Revoke membership in role admins from user joe:
233
234           REVOKE admins FROM joe;
235

COMPATIBILITY

237       The compatibility notes of the GRANT command apply analogously to
238       REVOKE. The keyword RESTRICT or CASCADE is required according to the
239       standard, but PostgreSQL assumes RESTRICT by default.
240

SEE ALSO

242       GRANT(7), ALTER DEFAULT PRIVILEGES (ALTER_DEFAULT_PRIVILEGES(7))
243
244
245
246PostgreSQL 15.4                      2023                            REVOKE(7)
Impressum