Skip to main content
The REVOKE revokes from . For the list of privileges that can be granted to and revoked from users and roles, see . You can use REVOKE to directly revoke privileges from a role or user, or you can revoke membership to an existing role, which effectively revokes that role’s privileges. The REVOKE statement performs a schema change. For more information about how online schema changes work in CockroachDB, see .

Syntax

revoke syntax diagram

Parameters

Supported privileges

The following privileges can be revoked:

Required privileges

  • To revoke privileges, user revoking privileges must have the GRANT privilege on the target , , , or . In addition to the GRANT privilege, the user revoking privileges must have the privilege being revoked on the target object. For example, a user revoking the SELECT privilege on a table to another user must have the GRANT and SELECT privileges on that table.
  • To revoke role membership, the user revoking role membership must be a role admin (i.e., members with the WITH ADMIN OPTION) or a member of the admin role. To remove membership to the admin role, the user must have WITH ADMIN OPTION on the admin role.

Considerations

  • The root user cannot be revoked from the admin role.

Known limitations

User/role management operations (such as and ) are . As such, they inherit the . For example, schema changes wait for concurrent using the same resources as the schema changes to complete. In the case of being modified inside a transaction, most transactions need access to the set of role memberships. Using the default settings, role modifications require schema leases to expire, which can take up to 5 minutes. This means that elsewhere in the system can cause user/role management operations inside transactions to take several minutes to complete. This can have a cascading effect. When a user/role management operation inside a transaction takes a long time to complete, it can in turn block all user-initiated transactions being run by your application, since the user/role management operation in the transaction has to commit before any other transactions that access role memberships (i.e., most transactions) can make progress. If you want user/role management operations to finish more quickly, and do not care whether concurrent transactions will immediately see the side effects of those operations, set the allow_role_memberships_to_change_during_transaction to true. When this session variable is enabled, any user/role management operations issued in the current session will only need to wait for the completion of statements in other sessions where allow_role_memberships_to_change_during_transaction is not enabled. To accelerate user/role management operations across your entire application, you have the following options:
  1. Set the session variable in all sessions by .
  2. Apply the allow_role_memberships_to_change_during_transaction setting globally to an entire cluster using the statement:

Examples

Setup

To follow along, run to start a temporary, in-memory cluster with the sample dataset preloaded:

Revoke privileges on databases

Any tables that previously inherited the database-level privileges retain the privileges.

Revoke privileges on specific tables in a database

Revoke privileges on all tables in a database or schema

This is equivalent to the following syntax:

Revoke system-level privileges on the entire cluster

live above the database level and apply to the entire cluster. root and users have system-level privileges by default, and are capable of revoking it from other users and roles using the REVOKE statement. For example, the following statement removes the ability to use the statement from the user maxroach by revoking the MODIFYCLUSTERSETTING system privilege:

Revoke privileges on schemas

Revoke privileges on user-defined types

To revoke privileges on , use the following statements.

Revoke role membership

Revoke the admin option

See also