REVOKE
REVOKE — Remove access privileges
Synopsis
REVOKE [ GRANT OPTION FOR ]
{ { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }
[, ...] | ALL [ PRIVILEGES ] }
ON { [ TABLE ] table_name [, ...]
| ALL TABLES IN SCHEMA schema_name [, ...] }
FROM role_specification [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ { SELECT | INSERT | UPDATE | REFERENCES } ( column_name [, ...] )
[, ...] | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
ON [ TABLE ] table_name [, ...]
FROM role_specification [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ { USAGE | SELECT | UPDATE }
[, ...] | ALL [ PRIVILEGES ] }
ON { SEQUENCE sequence_name [, ...]
| ALL SEQUENCES IN SCHEMA schema_name [, ...] }
FROM role_specification [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
ON DATABASE database_name [, ...]
FROM role_specification [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] }
ON DOMAIN domain_name [, ...]
FROM role_specification [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] }
ON FOREIGN DATA WRAPPER fdw_name [, ...]
FROM role_specification [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] }
ON FOREIGN SERVER server_name [, ...]
FROM role_specification [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ EXECUTE | ALL [ PRIVILEGES ] }
ON { { FUNCTION | PROCEDURE | ROUTINE } function_name [ ( [ [ argmode ]
[ arg_name ] arg_type [, ...] ] ) ] [, ...]
| ALL { FUNCTIONS | PROCEDURES | ROUTINES } IN SCHEMA schema_name
[, ...] }
FROM role_specification [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] }
ON LANGUAGE lang_name [, ...]
FROM role_specification [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
ON LARGE OBJECT loid [, ...]
FROM role_specification [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
ON SCHEMA schema_name [, ...]
FROM role_specification [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ CREATE | ALL [ PRIVILEGES ] }
ON TABLESPACE tablespace_name [, ...]
FROM role_specification [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] }
ON TYPE type_name [, ...]
FROM role_specification [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ ADMIN OPTION FOR ]
role_name [, ...] FROM role_specification [, ...]
[ GRANTED BY role_specification ]
[ CASCADE | RESTRICT ]
where role_specification can be:
[ GROUP ] role_name
| PUBLIC
| CURRENT_USER
| SESSION_USER
Description
The REVOKE command revokes previously granted privileges from one or more roles. The keyword PUBLIC refers to the implicitly defined group of all roles.
For the meaning of privilege types, see the description of the GRANT command.
Note that any privileges held by a particular role include those directly granted to it, those inherited from roles it is a member of, and those granted to PUBLIC. Therefore, revoking SELECT privilege from PUBLIC does not necessarily mean all roles will lose SELECT privilege on the object: roles that were directly granted or granted through another role will still have it. Similarly, after revoking SELECT from a user, if PUBLIC or another membership role still has SELECT rights, the user can still use SELECT.
If GRANT OPTION FOR is specified, only the grant option for the privilege is revoked, not the privilege itself. Otherwise, both the privilege and its grant option are revoked.
If a user holds a privilege with a grant option and has granted it to other users, the privileges held by those other users are called dependent privileges. If the privilege or grant option held by the first user is being revoked and there are dependent privileges, specifying CASCADE will recursively revoke those dependent privileges; otherwise, the revocation will fail. This recursive revocation only affects privileges granted through a chain of users traceable to the subject of the REVOKE command. Therefore, if the privilege was also granted to the affected user by other users, the affected user may actually retain the privilege.
When revoking a privilege on a table, the corresponding column privileges (if any) on each column of the table are also automatically revoked.
On the other hand, if a role has already been granted a privilege on a table, revoking the same privilege from individual columns will have no effect.
When revoking membership in a role, GRANT OPTION is referred to as ADMIN OPTION, but the behavior is similar.
This form of the command also allows the use of the GRANTED BY option, but this option is currently ignored (except for checking the existence of the specified role). Also note that this form of the command does not allow the noise word GROUP in role_specification.
Notes
Users can only revoke privileges they directly granted. For example, if user A has granted a privilege with grant option to user B, and user B then grants it to user C, user A cannot directly revoke the privilege from C. Instead, user A can revoke the grant option from user B and use the CASCADE option, so the privilege will be recursively revoked from user C. For another example, if both A and B have granted the same privilege to C, A can revoke its own grant but not B's grant, so C will effectively still hold the privilege.
When a non-owner of an object attempts to REVOKE privileges on that object, the command will fail immediately if the user holds no privileges on the object at all. As long as some privilege is available, the command will proceed, but it will only revoke those privileges for which it has grant options. If no grant option is held, the REVOKE ALL PRIVILEGES form will issue a warning, and other forms will issue a warning when no grant option is held for any of the privileges specifically mentioned in the command (in principle, these statements also apply to object owners, but since owners are always considered to hold all grant options, these situations never occur).
If a superuser chooses to issue a GRANT or REVOKE command, the command is executed as if it were issued by the owner of the affected object. Since all privileges ultimately derive from the object owner (possibly indirectly through grant option chains), all privileges can be revoked by a superuser, but this may require the aforementioned CASCADE.
REVOKE can also be performed by a role that is not the owner of the affected object, but is a member of the role that owns the object or is a member of a role that holds the privilege WITH GRANT OPTION on the object. In this case, the command is executed as if it were issued by the containing role that actually owns the object or holds the privilege WITH GRANT OPTION. For example, if table t1 is owned by role g1, and u1 is a member of g1, then u1 can revoke privileges on t1 that are recorded as granted by g1. This includes grants made by u1 as well as grants made by other members of role g1.
If the role executing REVOKE holds the privilege indirectly through more than one role membership path, it is unspecified which containing role will be used to execute the command. In such cases, it is best to use SET ROLE to become the specific role under whose identity you want to execute REVOKE. Failing to do so may result in revoking more privileges than intended, or failing to revoke anything at all.
Examples
-- Revoke insert privilege on table films from public:
REVOKE INSERT ON films FROM PUBLIC;
-- Revoke all privileges on view kinds from user manuel:
REVOKE ALL PRIVILEGES ON kinds FROM manuel;
-- Note that this actually means "revoke all privileges I granted".
-- Revoke membership in role admins from user joe:
REVOKE admins FROM joe;