<!--
|
2007-04-07 06:04:56 +02:00
|
|
|
$PostgreSQL: pgsql/doc/src/sgml/ref/revoke.sgml,v 1.44 2007/04/07 04:04:56 momjian Exp $
|
2001-12-08 04:24:40 +01:00
|
|
|
PostgreSQL documentation
|
1999-07-22 17:09:15 +02:00
|
|
|
-->
|
|
|
|
|
1999-06-14 09:37:05 +02:00
|
|
|
<refentry id="SQL-REVOKE">
|
|
|
|
<refmeta>
|
2001-11-18 21:35:02 +01:00
|
|
|
<refentrytitle id="sql-revoke-title">REVOKE</refentrytitle>
|
1999-06-14 09:37:05 +02:00
|
|
|
<refmiscinfo>SQL - Language Statements</refmiscinfo>
|
|
|
|
</refmeta>
|
2001-05-27 11:59:30 +02:00
|
|
|
|
1999-06-14 09:37:05 +02:00
|
|
|
<refnamediv>
|
2001-05-27 11:59:30 +02:00
|
|
|
<refname>REVOKE</refname>
|
2001-09-03 14:57:50 +02:00
|
|
|
<refpurpose>remove access privileges</refpurpose>
|
1999-06-14 09:37:05 +02:00
|
|
|
</refnamediv>
|
|
|
|
|
2003-08-31 19:32:24 +02:00
|
|
|
<indexterm zone="sql-revoke">
|
|
|
|
<primary>REVOKE</primary>
|
|
|
|
</indexterm>
|
|
|
|
|
2001-05-27 11:59:30 +02:00
|
|
|
<refsynopsisdiv>
|
|
|
|
<synopsis>
|
2003-01-24 00:39:07 +01:00
|
|
|
REVOKE [ GRANT OPTION FOR ]
|
2006-09-05 23:08:36 +02:00
|
|
|
{ { SELECT | INSERT | UPDATE | DELETE | REFERENCES | TRIGGER }
|
2002-02-21 23:39:36 +01:00
|
|
|
[,...] | ALL [ PRIVILEGES ] }
|
2002-04-21 02:26:44 +02:00
|
|
|
ON [ TABLE ] <replaceable class="PARAMETER">tablename</replaceable> [, ...]
|
|
|
|
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
|
2003-01-24 00:39:07 +01:00
|
|
|
[ CASCADE | RESTRICT ]
|
2002-04-21 02:26:44 +02:00
|
|
|
|
2006-01-21 03:16:21 +01:00
|
|
|
REVOKE [ GRANT OPTION FOR ]
|
|
|
|
{ { USAGE | SELECT | UPDATE }
|
|
|
|
[,...] | ALL [ PRIVILEGES ] }
|
|
|
|
ON SEQUENCE <replaceable class="PARAMETER">sequencename</replaceable> [, ...]
|
|
|
|
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
|
|
|
|
[ CASCADE | RESTRICT ]
|
|
|
|
|
2003-01-24 00:39:07 +01:00
|
|
|
REVOKE [ GRANT OPTION FOR ]
|
2006-04-30 23:15:33 +02:00
|
|
|
{ { CREATE | CONNECT | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
|
2002-04-21 02:26:44 +02:00
|
|
|
ON DATABASE <replaceable>dbname</replaceable> [, ...]
|
2004-06-18 08:14:31 +02:00
|
|
|
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
|
|
|
|
[ CASCADE | RESTRICT ]
|
|
|
|
|
2003-01-24 00:39:07 +01:00
|
|
|
REVOKE [ GRANT OPTION FOR ]
|
|
|
|
{ EXECUTE | ALL [ PRIVILEGES ] }
|
2005-05-26 22:05:03 +02:00
|
|
|
ON FUNCTION <replaceable>funcname</replaceable> ( [ [ <replaceable class="parameter">argmode</replaceable> ] [ <replaceable class="parameter">argname</replaceable> ] <replaceable class="parameter">argtype</replaceable> [, ...] ] ) [, ...]
|
2002-02-19 00:11:58 +01:00
|
|
|
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
|
2003-01-24 00:39:07 +01:00
|
|
|
[ CASCADE | RESTRICT ]
|
2002-02-19 00:11:58 +01:00
|
|
|
|
2003-01-24 00:39:07 +01:00
|
|
|
REVOKE [ GRANT OPTION FOR ]
|
|
|
|
{ USAGE | ALL [ PRIVILEGES ] }
|
2002-02-19 00:11:58 +01:00
|
|
|
ON LANGUAGE <replaceable>langname</replaceable> [, ...]
|
|
|
|
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
|
2003-01-24 00:39:07 +01:00
|
|
|
[ CASCADE | RESTRICT ]
|
2002-04-21 02:26:44 +02:00
|
|
|
|
2003-01-24 00:39:07 +01:00
|
|
|
REVOKE [ GRANT OPTION FOR ]
|
|
|
|
{ { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
|
2002-04-21 02:26:44 +02:00
|
|
|
ON SCHEMA <replaceable>schemaname</replaceable> [, ...]
|
|
|
|
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
|
2004-11-05 20:17:13 +01:00
|
|
|
[ CASCADE | RESTRICT ]
|
|
|
|
|
|
|
|
REVOKE [ GRANT OPTION FOR ]
|
|
|
|
{ CREATE | ALL [ PRIVILEGES ] }
|
|
|
|
ON TABLESPACE <replaceable>tablespacename</replaceable> [, ...]
|
|
|
|
FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
|
2003-01-24 00:39:07 +01:00
|
|
|
[ CASCADE | RESTRICT ]
|
2005-07-27 01:24:02 +02:00
|
|
|
|
|
|
|
REVOKE [ ADMIN OPTION FOR ]
|
2006-08-02 18:29:49 +02:00
|
|
|
<replaceable class="PARAMETER">role</replaceable> [, ...] FROM <replaceable class="PARAMETER">username</replaceable> [, ...]
|
2005-07-27 01:24:02 +02:00
|
|
|
[ CASCADE | RESTRICT ]
|
2001-05-27 11:59:30 +02:00
|
|
|
</synopsis>
|
1999-06-14 09:37:05 +02:00
|
|
|
</refsynopsisdiv>
|
|
|
|
|
2001-05-27 11:59:30 +02:00
|
|
|
<refsect1 id="SQL-REVOKE-description">
|
|
|
|
<title>Description</title>
|
|
|
|
|
1999-06-14 09:37:05 +02:00
|
|
|
<para>
|
2003-04-27 01:56:51 +02:00
|
|
|
The <command>REVOKE</command> command revokes previously granted
|
2005-07-27 01:24:02 +02:00
|
|
|
privileges from one or more roles. The key word
|
2003-04-27 01:56:51 +02:00
|
|
|
<literal>PUBLIC</literal> refers to the implicitly defined group of
|
2005-07-27 01:24:02 +02:00
|
|
|
all roles.
|
2001-11-19 20:03:56 +01:00
|
|
|
</para>
|
|
|
|
|
2003-10-31 21:00:49 +01:00
|
|
|
<para>
|
|
|
|
See the description of the <xref linkend="sql-grant" endterm="sql-grant-title"> command for
|
|
|
|
the meaning of the privilege types.
|
|
|
|
</para>
|
|
|
|
|
2001-11-19 20:03:56 +01:00
|
|
|
<para>
|
2005-07-27 01:24:02 +02:00
|
|
|
Note that any particular role will have the sum
of privileges granted directly to it, privileges granted to any role it
is presently a member of, and privileges granted to
<literal>PUBLIC</literal>. Thus, for example, revoking <literal>SELECT</> privilege
from <literal>PUBLIC</literal> does not necessarily mean that all roles
have lost <literal>SELECT</> privilege on the object: those who have it granted
directly or via another role will still have it. To be certain that a role
no longer holds a privilege, it must be revoked along every path by which
the role could have received it.
|
1999-06-14 09:37:05 +02:00
|
|
|
</para>
|
|
|
|
|
2003-01-10 12:02:51 +01:00
|
|
|
<para>
|
2003-01-24 00:39:07 +01:00
|
|
|
If <literal>GRANT OPTION FOR</literal> is specified, only the grant
|
|
|
|
option for the privilege is revoked, not the privilege itself.
|
2004-06-01 23:49:23 +02:00
|
|
|
Otherwise, both the privilege and the grant option are revoked.
|
2003-01-24 00:39:07 +01:00
|
|
|
</para>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
If a user holds a privilege with grant option and has granted it to
other users then the privileges held by those other users are
called dependent privileges. If the privilege or the grant option
held by the first user is being revoked and dependent privileges
exist, those dependent privileges are also revoked if
<literal>CASCADE</literal> is specified, else the revoke action
will fail (this is the <literal>RESTRICT</literal> behavior, which
is the default). This recursive revocation only affects privileges that
were granted through a chain of users that is traceable to the user
that is the subject of this <literal>REVOKE</literal> command.
Thus, the affected users might effectively keep the privilege if it
was also granted through other users.
|
2003-01-10 12:02:51 +01:00
|
|
|
</para>
|
2005-07-27 01:24:02 +02:00
|
|
|
|
|
|
|
<para>
|
|
|
|
When revoking membership in a role, <literal>GRANT OPTION</> is instead
|
|
|
|
called <literal>ADMIN OPTION</>, but the behavior is similar.
|
2006-08-02 18:29:49 +02:00
|
|
|
Note also that this form of the command does not
|
|
|
|
allow the noise word <literal>GROUP</>.
|
2005-07-27 01:24:02 +02:00
|
|
|
</para>
|
2001-05-27 11:59:30 +02:00
|
|
|
</refsect1>
|
1999-07-06 19:16:42 +02:00
|
|
|
|
2001-05-27 11:59:30 +02:00
|
|
|
<refsect1 id="SQL-REVOKE-notes">
|
|
|
|
<title>Notes</title>
|
1999-06-14 09:37:05 +02:00
|
|
|
|
2001-05-27 11:59:30 +02:00
|
|
|
<para>
|
|
|
|
Use <xref linkend="app-psql">'s <command>\z</command> command to
|
2004-06-01 23:49:23 +02:00
|
|
|
display the privileges granted on existing objects. See <xref
|
2002-11-22 00:34:43 +01:00
|
|
|
linkend="sql-grant" endterm="sql-grant-title"> for information about the format.
|
2001-05-27 11:59:30 +02:00
|
|
|
</para>
|
2003-01-24 00:39:07 +01:00
|
|
|
|
|
|
|
<para>
|
|
|
|
A user can only revoke privileges that were granted directly by
that user. If, for example, user A has granted a privilege with
grant option to user B, and user B has in turn granted it to user
C, then user A cannot revoke the privilege directly from C.
Instead, user A could revoke the grant option from user B and use
the <literal>CASCADE</literal> option so that the privilege is
in turn revoked from user C. For another example, if both A and B
have granted the same privilege to C, A can revoke A's own grant
but not B's grant, so C will still effectively have the privilege.
A <command>REVOKE</command> that completes without error therefore does
not by itself show that the target role has lost the privilege; use
<command>\z</command> to confirm the resulting state.
|
2003-01-24 00:39:07 +01:00
|
|
|
</para>
|
2003-10-31 21:00:49 +01:00
|
|
|
|
2004-06-01 23:49:23 +02:00
|
|
|
<para>
|
|
|
|
When a non-owner of an object attempts to <command>REVOKE</> privileges
on the object, the command will fail outright if the user has no
privileges whatsoever on the object. As long as some privilege is
available, the command will proceed, but it will revoke only those
privileges for which the user has grant options. The <command>REVOKE ALL
PRIVILEGES</> forms will issue a warning message if no grant options are
held, while the other forms will issue a warning if grant options for
any of the privileges specifically named in the command are not held.
In these cases the command still completes, so the warning is the only
indication that some of the named privileges were not revoked; check
the resulting privileges (for example with <command>\z</command>) rather
than relying on the absence of an error.
(In principle these statements apply to the object owner as well, but
since the owner is always treated as holding all grant options, the
cases can never occur.)
|
|
|
|
</para>
|
|
|
|
|
2003-10-31 21:00:49 +01:00
|
|
|
<para>
|
|
|
|
If a superuser chooses to issue a <command>GRANT</> or <command>REVOKE</>
|
|
|
|
command, the command is performed as though it were issued by the
|
|
|
|
owner of the affected object. Since all privileges ultimately come
|
|
|
|
from the object owner (possibly indirectly via chains of grant options),
|
Update reference documentation on may/can/might:
Standard English uses "may", "can", and "might" in different ways:
may - permission, "You may borrow my rake."
can - ability, "I can lift that log."
might - possibility, "It might rain today."
Unfortunately, in conversational English, their use is often mixed, as
in, "You may use this variable to do X", when in fact, "can" is a better
choice. Similarly, "It may crash" is better stated, "It might crash".
2007-02-01 00:26:05 +01:00
|
|
|
it is possible for a superuser to revoke all privileges, but this might
|
2003-10-31 21:00:49 +01:00
|
|
|
require use of <literal>CASCADE</literal> as stated above.
|
|
|
|
</para>
|
2005-10-20 21:18:01 +02:00
|
|
|
|
|
|
|
<para>
|
|
|
|
<command>REVOKE</> can also be done by a role
|
|
|
|
that is not the owner of the affected object, but is a member of the role
|
|
|
|
that owns the object, or is a member of a role that holds privileges
|
|
|
|
<literal>WITH GRANT OPTION</literal> on the object. In this case the
|
|
|
|
command is performed as though it were issued by the containing role that
|
|
|
|
actually owns the object or holds the privileges
|
|
|
|
<literal>WITH GRANT OPTION</literal>. For example, if table
|
|
|
|
<literal>t1</> is owned by role <literal>g1</>, of which role
|
|
|
|
<literal>u1</> is a member, then <literal>u1</> can revoke privileges
|
|
|
|
on <literal>t1</> that are recorded as being granted by <literal>g1</>.
|
|
|
|
This would include grants made by <literal>u1</> as well as by other
|
|
|
|
members of role <literal>g1</>.
|
|
|
|
</para>
|
|
|
|
|
|
|
|
<para>
|
|
|
|
If the role executing <command>REVOKE</> holds privileges
|
|
|
|
indirectly via more than one role membership path, it is unspecified
|
|
|
|
which containing role will be used to perform the command. In such cases
|
|
|
|
it is best practice to use <command>SET ROLE</> to become the specific
|
role you want to do the <command>REVOKE</> as. Failure to do so might
|
2005-10-20 21:18:01 +02:00
|
|
|
lead to revoking privileges other than the ones you intended, or not
|
|
|
|
revoking anything at all.
|
|
|
|
</para>
|
1999-06-14 09:37:05 +02:00
|
|
|
</refsect1>
|
|
|
|
|
2001-05-27 11:59:30 +02:00
|
|
|
<refsect1 id="SQL-REVOKE-examples">
|
|
|
|
<title>Examples</title>
|
|
|
|
|
1999-06-14 09:37:05 +02:00
|
|
|
<para>
|
2001-11-19 20:03:56 +01:00
|
|
|
Revoke insert privilege for the public on table
|
1999-07-06 19:16:42 +02:00
|
|
|
<literal>films</literal>:
|
|
|
|
|
2001-05-27 11:59:30 +02:00
|
|
|
<programlisting>
|
1999-06-14 09:37:05 +02:00
|
|
|
REVOKE INSERT ON films FROM PUBLIC;
|
2001-05-27 11:59:30 +02:00
|
|
|
</programlisting>
|
1999-07-06 19:16:42 +02:00
|
|
|
</para>
|
|
|
|
|
|
|
|
<para>
|
2004-06-01 23:49:23 +02:00
|
|
|
Revoke all privileges from user <literal>manuel</literal> on view
|
|
|
|
<literal>kinds</literal>:
|
1999-06-14 09:37:05 +02:00
|
|
|
|
2004-06-01 23:49:23 +02:00
|
|
|
<programlisting>
|
2001-05-27 11:59:30 +02:00
|
|
|
REVOKE ALL PRIVILEGES ON kinds FROM manuel;
|
|
|
|
</programlisting>
|
2004-06-01 23:49:23 +02:00
|
|
|
|
|
|
|
Note that this actually means <quote>revoke all privileges that I
granted</>. Privileges that <literal>manuel</literal> holds by way of
grants from other users, membership in other roles, or grants to
<literal>PUBLIC</literal> are not affected by this command.
|
1999-06-14 09:37:05 +02:00
|
|
|
</para>
|
2005-07-27 01:24:02 +02:00
|
|
|
|
|
|
|
<para>
|
|
|
|
Revoke membership in role <literal>admins</> from user <literal>joe</>:
|
|
|
|
|
|
|
|
<programlisting>
|
|
|
|
REVOKE admins FROM joe;
|
|
|
|
</programlisting>
|
|
|
|
</para>
|
1999-06-14 09:37:05 +02:00
|
|
|
</refsect1>
|
|
|
|
|
2001-05-27 11:59:30 +02:00
|
|
|
<refsect1 id="SQL-REVOKE-compatibility">
|
|
|
|
<title>Compatibility</title>
|
1999-06-14 09:37:05 +02:00
|
|
|
|
|
|
|
<para>
|
2001-11-18 21:35:02 +01:00
|
|
|
The compatibility notes of the <xref linkend="sql-grant" endterm="sql-grant-title"> command
|
2007-04-07 05:48:25 +02:00
|
|
|
apply analogously to <command>REVOKE</command>.
|
2007-04-07 06:04:56 +02:00
|
|
|
The key word <literal>RESTRICT</literal> or <literal>CASCADE</literal>
|
2003-10-31 21:00:49 +01:00
|
|
|
is required according to the standard, but <productname>PostgreSQL</>
|
|
|
|
assumes <literal>RESTRICT</literal> by default.
|
1999-06-14 09:37:05 +02:00
|
|
|
</para>
|
|
|
|
</refsect1>
|
2001-05-27 11:59:30 +02:00
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>See Also</title>
|
|
|
|
|
|
|
|
<simpara>
|
2002-11-22 00:34:43 +01:00
|
|
|
<xref linkend="sql-grant" endterm="sql-grant-title">
|
2001-05-27 11:59:30 +02:00
|
|
|
</simpara>
|
|
|
|
</refsect1>
|
|
|
|
|
1999-06-14 09:37:05 +02:00
|
|
|
</refentry>
|