<!--
$PostgreSQL: pgsql/doc/src/sgml/ref/revoke.sgml,v 1.33 2005/05/26 20:05:03 tgl Exp $
PostgreSQL documentation
-->
<refentry id="SQL-REVOKE">
<refmeta>
<refentrytitle id="sql-revoke-title">REVOKE</refentrytitle>
<refmiscinfo>SQL - Language Statements</refmiscinfo>
</refmeta>
<refnamediv>
<refname>REVOKE</refname>
<refpurpose>remove access privileges</refpurpose>
</refnamediv>
<indexterm zone="sql-revoke">
<primary>REVOKE</primary>
</indexterm>
<refsynopsisdiv>
<synopsis>
REVOKE [ GRANT OPTION FOR ]
{ { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER }
[,...] | ALL [ PRIVILEGES ] }
ON [ TABLE ] <replaceable class="PARAMETER">tablename</replaceable> [, ...]
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
ON DATABASE <replaceable>dbname</replaceable> [, ...]
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ EXECUTE | ALL [ PRIVILEGES ] }
ON FUNCTION <replaceable>funcname</replaceable> ( [ [ <replaceable class="parameter">argmode</replaceable> ] [ <replaceable class="parameter">argname</replaceable> ] <replaceable class="parameter">argtype</replaceable> [, ...] ] ) [, ...]
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ USAGE | ALL [ PRIVILEGES ] }
ON LANGUAGE <replaceable>langname</replaceable> [, ...]
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
ON SCHEMA <replaceable>schemaname</replaceable> [, ...]
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
REVOKE [ GRANT OPTION FOR ]
{ CREATE | ALL [ PRIVILEGES ] }
ON TABLESPACE <replaceable>tablespacename</replaceable> [, ...]
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
[ CASCADE | RESTRICT ]
</synopsis>
</refsynopsisdiv>
<refsect1 id="SQL-REVOKE-description">
<title>Description</title>
<para>
The <command>REVOKE</command> command revokes previously granted
privileges from one or more users or groups of users. The key word
<literal>PUBLIC</literal> refers to the implicitly defined group of
all users.
</para>
<para>
See the description of the <xref linkend="sql-grant" endterm="sql-grant-title"> command for
the meaning of the privilege types.
</para>
<para>
Note that any particular user will have the sum
of privileges granted directly to him, privileges granted to any group he
is presently a member of, and privileges granted to
<literal>PUBLIC</literal>. Thus, for example, revoking <literal>SELECT</> privilege
from <literal>PUBLIC</literal> does not necessarily mean that all users
have lost <literal>SELECT</> privilege on the object: those who have it granted
directly or via a group will still have it.
</para>
<para>
If <literal>GRANT OPTION FOR</literal> is specified, only the grant
option for the privilege is revoked, not the privilege itself.
Otherwise, both the privilege and the grant option are revoked.
</para>
<para>
If a user holds a privilege with grant option and has granted it to
other users then the privileges held by those other users are
called dependent privileges. If the privilege or the grant option
held by the first user is being revoked and dependent privileges
exist, those dependent privileges are also revoked if
<literal>CASCADE</literal> is specified, else the revoke action
will fail. This recursive revocation only affects privileges that
were granted through a chain of users that is traceable to the user
that is the subject of this <literal>REVOKE</literal> command.
Thus, the affected users may effectively keep the privilege if it
was also granted through other users.
</para>
</refsect1>
<refsect1 id="SQL-REVOKE-notes">
<title>Notes</title>
<para>
Use <xref linkend="app-psql">'s <command>\z</command> command to
display the privileges granted on existing objects. See <xref
linkend="sql-grant" endterm="sql-grant-title"> for information about the format.
</para>
<para>
A user can only revoke privileges that were granted directly by
that user. If, for example, user A has granted a privilege with
grant option to user B, and user B has in turn granted it to user
C, then user A cannot revoke the privilege directly from C.
Instead, user A could revoke the grant option from user B and use
the <literal>CASCADE</literal> option so that the privilege is
in turn revoked from user C. For another example, if both A and B
have granted the same privilege to C, A can revoke his own grant
but not B's grant, so C will still effectively have the privilege.
</para>
<para>
When a non-owner of an object attempts to <command>REVOKE</> privileges
on the object, the command will fail outright if the user has no
privileges whatsoever on the object. As long as some privilege is
available, the command will proceed, but it will revoke only those
privileges for which the user has grant options. The <command>REVOKE ALL
PRIVILEGES</> forms will issue a warning message if no grant options are
held, while the other forms will issue a warning if grant options for
any of the privileges specifically named in the command are not held.
(In principle these statements apply to the object owner as well, but
since the owner is always treated as holding all grant options, the
cases can never occur.)
</para>
<para>
If a superuser chooses to issue a <command>GRANT</> or <command>REVOKE</>
command, the command is performed as though it were issued by the
owner of the affected object. Since all privileges ultimately come
from the object owner (possibly indirectly via chains of grant options),
it is possible for a superuser to revoke all privileges, but this may
require use of <literal>CASCADE</literal> as stated above.
</para>
</refsect1>
<refsect1 id="SQL-REVOKE-examples">
<title>Examples</title>
<para>
Revoke insert privilege for the public on table
<literal>films</literal>:
<programlisting>
REVOKE INSERT ON films FROM PUBLIC;
</programlisting>
</para>
<para>
Revoke all privileges from user <literal>manuel</literal> on view
<literal>kinds</literal>:
<programlisting>
REVOKE ALL PRIVILEGES ON kinds FROM manuel;
</programlisting>
Note that this actually means <quote>revoke all privileges that I
granted</>.
</para>
</refsect1>
<refsect1 id="SQL-REVOKE-compatibility">
<title>Compatibility</title>
<para>
The compatibility notes of the <xref linkend="sql-grant" endterm="sql-grant-title"> command
apply analogously to <command>REVOKE</command>. The syntax summary is:
<synopsis>
REVOKE [ GRANT OPTION FOR ] <replaceable class="PARAMETER">privileges</replaceable>
ON <replaceable class="parameter">object</replaceable> [ ( <replaceable class="parameter">column</replaceable> [, ...] ) ]
FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] }
{ RESTRICT | CASCADE }
</synopsis>
One of <literal>RESTRICT</literal> or <literal>CASCADE</literal>
is required according to the standard, but <productname>PostgreSQL</>
assumes <literal>RESTRICT</literal> by default.
</para>
</refsect1>
<refsect1>
<title>See Also</title>
<simpara>
<xref linkend="sql-grant" endterm="sql-grant-title">
</simpara>
</refsect1>
</refentry>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:nil
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:"../reference.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:"/usr/lib/sgml/catalog"
sgml-local-ecat-files:nil
End:
-->