REVOKE

Description

Revokes specific privileges or roles from a user or a role. For the supported privileges, see Privileges.

NOTE
Only the user_admin role can perform this operation. You are not allowed to revoke privileges or roles from system built-in roles account_admin and org_admin.

Syntax

Revoke privileges

The privileges that can be revoked are object-specific. The following part describes syntax based on objects.

-- System

REVOKE
    { CREATE EXTERNAL CATALOG | REPOSITORY } 
    ON SYSTEM
    FROM { ROLE | USER } {<role_name>|<username>}

-- User

REVOKE IMPERSONATE ON USER <username> FROM USER <username>;

-- Global UDF

REVOKE
    { USAGE | DROP | ALL [PRIVILEGES]} 
    ON { GLOBAL FUNCTION <function_name>(input_data_type) [, <function_name>(input_data_type),...]    
       | ALL GLOBAL FUNCTIONS }
    FROM { ROLE | USER} {<role_name>|<username>}

-- Internal catalog

REVOKE 
    { USAGE | CREATE DATABASE | ALL [PRIVILEGES]} 
    ON CATALOG default_catalog
    FROM { ROLE | USER} {<role_name>|<username>}

-- External catalog

REVOKE  
   { USAGE | DROP | ALL [PRIVILEGES] } 
   ON { CATALOG <catalog_name> [, <catalog_name>,...] | ALL CATALOGS}
   FROM { ROLE | USER} {<role_name>|<username>}

-- Database

REVOKE 
    { ALTER | DROP | CREATE TABLE | CREATE VIEW | CREATE FUNCTION | CREATE MATERIALIZED VIEW | ALL [PRIVILEGES] } 
    ON { DATABASE <database_name> [, <database_name>,...] | ALL DATABASES }
    FROM { ROLE | USER} {<role_name>|<username>}
  
-- Note: You must first run SET CATALOG before you run this command.

-- Table

REVOKE  
    { ALTER | DROP | SELECT | INSERT | EXPORT | UPDATE | DELETE | ALL [PRIVILEGES]} 
    ON { TABLE <table_name> [, < table_name >,...]
       | ALL TABLES} IN 
           {  DATABASE <database_name>  | ALL DATABASES }
    FROM { ROLE | USER} {<role_name>|<username>}

-- You must first run SET CATALOG before you run this command. 
-- You can also use db.tbl to represent a table.
REVOKE <priv> ON TABLE db.tbl FROM {ROLE <role_name> | USER <username>}

-- View

REVOKE  
    { ALTER | DROP | SELECT | ALL [PRIVILEGES]} 
    ON { VIEW <view_name> [, < view_name >,...]
       ｜ ALL VIEWS} IN 
           {  DATABASE <database_name> | ALL DATABASES }
    FROM { ROLE | USER} {<role_name>|<username>}
    
-- You must first run SET CATALOG before you run this command. 
-- You can also use db.view to represent a view.
REVOKE <priv> ON VIEW db.view FROM {ROLE <role_name> | USER <username>}

-- Materialized view

REVOKE
    { SELECT | ALTER | REFRESH | DROP | ALL [PRIVILEGES]} 
    ON { MATERIALIZED VIEW <mv_name> [, < mv_name >,...]
       ｜ ALL MATERIALIZED VIEWS} IN 
           {  DATABASE <database_name> | ALL [DATABASES] }
    FROM { ROLE | USER} {<role_name>|<username>}
    
-- You must first run SET CATALOG before you run this command. 
-- You can also use db.mv to represent an mv.
REVOKE <priv> ON MATERIALIZED VIEW db.mv FROM {ROLE <role_name> | USER <username>}

-- Function

REVOKE
    { USAGE | DROP | ALL [PRIVILEGES]} 
    ON { FUNCTION <function_name>(input_data_type) [, < function_name >(input_data_type),...]
       ｜ ALL FUNCTIONS} IN 
           {  DATABASE <database_name> | ALL DATABASES }
    FROM { ROLE | USER} {<role_name>|<username>}
    
-- You must first run SET CATALOG before you run this command. 
-- You can also use db.function to represent a function.
REVOKE <priv> ON FUNCTION db.function FROM {ROLE <role_name> | USER <username>}

Revoke roles

REVOKE <role_name> [,<role_name>, ...] FROM ROLE <role_name>
REVOKE <role_name> [,<role_name>, ...] FROM USER <username>

Parameters

Parameter	Description
role_name	The role name.
username	The username.
function_name	The function name.
catalog_name	The name of the External Catalog.
database_name	The database name.
table_name	The table name.
view_name	The view name.
mv_name	The name of the materialized view.

Examples

Revoke privileges

Revoke the SELECT privilege on table sr_member from user jack:

REVOKE SELECT ON TABLE sr_member FROM USER 'jack';

Revoke roles

Revoke the role example_role from user jack:

REVOKE example_role FROM 'jack';

Revoke the role example_role from role test_role:

REVOKE example_role FROM ROLE 'test_role';

References

GRANT