4 REVOKE — remove access privileges
8 REVOKE [ GRANT OPTION FOR ]
9 { { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER | MA
11 [, ...] | ALL [ PRIVILEGES ] }
12 ON { [ TABLE ] table_name [, ...]
13 | ALL TABLES IN SCHEMA schema_name [, ...] }
14 FROM role_specification [, ...]
15 [ GRANTED BY role_specification ]
16 [ CASCADE | RESTRICT ]
18 REVOKE [ GRANT OPTION FOR ]
19 { { SELECT | INSERT | UPDATE | REFERENCES } ( column_name [, ...] )
20 [, ...] | ALL [ PRIVILEGES ] ( column_name [, ...] ) }
21 ON [ TABLE ] table_name [, ...]
22 FROM role_specification [, ...]
23 [ GRANTED BY role_specification ]
24 [ CASCADE | RESTRICT ]
26 REVOKE [ GRANT OPTION FOR ]
27 { { USAGE | SELECT | UPDATE }
28 [, ...] | ALL [ PRIVILEGES ] }
29 ON { SEQUENCE sequence_name [, ...]
30 | ALL SEQUENCES IN SCHEMA schema_name [, ...] }
31 FROM role_specification [, ...]
32 [ GRANTED BY role_specification ]
33 [ CASCADE | RESTRICT ]
35 REVOKE [ GRANT OPTION FOR ]
36 { { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
37 ON DATABASE database_name [, ...]
38 FROM role_specification [, ...]
39 [ GRANTED BY role_specification ]
40 [ CASCADE | RESTRICT ]
42 REVOKE [ GRANT OPTION FOR ]
43 { USAGE | ALL [ PRIVILEGES ] }
44 ON DOMAIN domain_name [, ...]
45 FROM role_specification [, ...]
46 [ GRANTED BY role_specification ]
47 [ CASCADE | RESTRICT ]
49 REVOKE [ GRANT OPTION FOR ]
50 { USAGE | ALL [ PRIVILEGES ] }
51 ON FOREIGN DATA WRAPPER fdw_name [, ...]
52 FROM role_specification [, ...]
53 [ GRANTED BY role_specification ]
54 [ CASCADE | RESTRICT ]
56 REVOKE [ GRANT OPTION FOR ]
57 { USAGE | ALL [ PRIVILEGES ] }
58 ON FOREIGN SERVER server_name [, ...]
59 FROM role_specification [, ...]
60 [ GRANTED BY role_specification ]
61 [ CASCADE | RESTRICT ]
63 REVOKE [ GRANT OPTION FOR ]
64 { EXECUTE | ALL [ PRIVILEGES ] }
65 ON { { FUNCTION | PROCEDURE | ROUTINE } function_name [ ( [ [ argmode ] [ ar
66 g_name ] arg_type [, ...] ] ) ] [, ...]
67 | ALL { FUNCTIONS | PROCEDURES | ROUTINES } IN SCHEMA schema_name [, ..
69 FROM role_specification [, ...]
70 [ GRANTED BY role_specification ]
71 [ CASCADE | RESTRICT ]
73 REVOKE [ GRANT OPTION FOR ]
74 { USAGE | ALL [ PRIVILEGES ] }
75 ON LANGUAGE lang_name [, ...]
76 FROM role_specification [, ...]
77 [ GRANTED BY role_specification ]
78 [ CASCADE | RESTRICT ]
80 REVOKE [ GRANT OPTION FOR ]
81 { { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
82 ON LARGE OBJECT loid [, ...]
83 FROM role_specification [, ...]
84 [ GRANTED BY role_specification ]
85 [ CASCADE | RESTRICT ]
87 REVOKE [ GRANT OPTION FOR ]
88 { { SET | ALTER SYSTEM } [, ...] | ALL [ PRIVILEGES ] }
89 ON PARAMETER configuration_parameter [, ...]
90 FROM role_specification [, ...]
91 [ GRANTED BY role_specification ]
92 [ CASCADE | RESTRICT ]
94 REVOKE [ GRANT OPTION FOR ]
95 { { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
96 ON SCHEMA schema_name [, ...]
97 FROM role_specification [, ...]
98 [ GRANTED BY role_specification ]
99 [ CASCADE | RESTRICT ]
101 REVOKE [ GRANT OPTION FOR ]
102 { CREATE | ALL [ PRIVILEGES ] }
103 ON TABLESPACE tablespace_name [, ...]
104 FROM role_specification [, ...]
105 [ GRANTED BY role_specification ]
106 [ CASCADE | RESTRICT ]
108 REVOKE [ GRANT OPTION FOR ]
109 { USAGE | ALL [ PRIVILEGES ] }
110 ON TYPE type_name [, ...]
111 FROM role_specification [, ...]
112 [ GRANTED BY role_specification ]
113 [ CASCADE | RESTRICT ]
115 REVOKE [ { ADMIN | INHERIT | SET } OPTION FOR ]
116 role_name [, ...] FROM role_specification [, ...]
117 [ GRANTED BY role_specification ]
118 [ CASCADE | RESTRICT ]
120 where role_specification can be:
130 The REVOKE command revokes previously granted privileges from one or
131 more roles. The key word PUBLIC refers to the implicitly defined group
134 See the description of the GRANT command for the meaning of the
137 Note that any particular role will have the sum of privileges granted
138 directly to it, privileges granted to any role it is presently a member
139 of, and privileges granted to PUBLIC. Thus, for example, revoking
140 SELECT privilege from PUBLIC does not necessarily mean that all roles
141 have lost SELECT privilege on the object: those who have it granted
142 directly or via another role will still have it. Similarly, revoking
143 SELECT from a user might not prevent that user from using SELECT if
144 PUBLIC or another membership role still has SELECT rights.
146 If GRANT OPTION FOR is specified, only the grant option for the
147 privilege is revoked, not the privilege itself. Otherwise, both the
148 privilege and the grant option are revoked.
150 If a user holds a privilege with grant option and has granted it to
151 other users then the privileges held by those other users are called
152 dependent privileges. If the privilege or the grant option held by the
153 first user is being revoked and dependent privileges exist, those
154 dependent privileges are also revoked if CASCADE is specified; if it is
155 not, the revoke action will fail. This recursive revocation only
156 affects privileges that were granted through a chain of users that is
157 traceable to the user that is the subject of this REVOKE command. Thus,
158 the affected users might effectively keep the privilege if it was also
159 granted through other users.
161 When revoking privileges on a table, the corresponding column
162 privileges (if any) are automatically revoked on each column of the
163 table, as well. On the other hand, if a role has been granted
164 privileges on a table, then revoking the same privileges from
165 individual columns will have no effect.
167 When revoking membership in a role, GRANT OPTION is instead called
168 ADMIN OPTION, but the behavior is similar. Note that, in releases prior
169 to PostgreSQL 16, dependent privileges were not tracked for grants of
170 role membership, and thus CASCADE had no effect for role membership.
171 This is no longer the case. Note also that this form of the command
172 does not allow the noise word GROUP in role_specification.
174 Just as ADMIN OPTION can be removed from an existing role grant, it is
175 also possible to revoke INHERIT OPTION or SET OPTION. This is
176 equivalent to setting the value of the corresponding option to FALSE.
180 A user can only revoke privileges that were granted directly by that
181 user. If, for example, user A has granted a privilege with grant option
182 to user B, and user B has in turn granted it to user C, then user A
183 cannot revoke the privilege directly from C. Instead, user A could
184 revoke the grant option from user B and use the CASCADE option so that
185 the privilege is in turn revoked from user C. For another example, if
186 both A and B have granted the same privilege to C, A can revoke their
187 own grant but not B's grant, so C will still effectively have the
190 When a non-owner of an object attempts to REVOKE privileges on the
191 object, the command will fail outright if the user has no privileges
192 whatsoever on the object. As long as some privilege is available, the
193 command will proceed, but it will revoke only those privileges for
194 which the user has grant options. The REVOKE ALL PRIVILEGES forms will
195 issue a warning message if no grant options are held, while the other
196 forms will issue a warning if grant options for any of the privileges
197 specifically named in the command are not held. (In principle these
198 statements apply to the object owner as well, but since the owner is
199 always treated as holding all grant options, the cases can never
202 If a superuser chooses to issue a GRANT or REVOKE command, the command
203 is performed as though it were issued by the owner of the affected
204 object. (Since roles do not have owners, in the case of a GRANT of role
205 membership, the command is performed as though it were issued by the
206 bootstrap superuser.) Since all privileges ultimately come from the
207 object owner (possibly indirectly via chains of grant options), it is
208 possible for a superuser to revoke all privileges, but this might
209 require use of CASCADE as stated above.
211 REVOKE can also be done by a role that is not the owner of the affected
212 object, but is a member of the role that owns the object, or is a
213 member of a role that holds privileges WITH GRANT OPTION on the object.
214 In this case the command is performed as though it were issued by the
215 containing role that actually owns the object or holds the privileges
216 WITH GRANT OPTION. For example, if table t1 is owned by role g1, of
217 which role u1 is a member, then u1 can revoke privileges on t1 that are
218 recorded as being granted by g1. This would include grants made by u1
219 as well as by other members of role g1.
221 If the role executing REVOKE holds privileges indirectly via more than
222 one role membership path, it is unspecified which containing role will
223 be used to perform the command. In such cases it is best practice to
224 use SET ROLE to become the specific role you want to do the REVOKE as.
225 Failure to do so might lead to revoking privileges other than the ones
226 you intended, or not revoking anything at all.
228 See Section 5.8 for more information about specific privilege types, as
229 well as how to inspect objects' privileges.
233 Revoke insert privilege for the public on table films:
234 REVOKE INSERT ON films FROM PUBLIC;
236 Revoke all privileges from user manuel on view kinds:
237 REVOKE ALL PRIVILEGES ON kinds FROM manuel;
239 Note that this actually means “revoke all privileges that I granted”.
241 Revoke membership in role admins from user joe:
242 REVOKE admins FROM joe;
246 The compatibility notes of the GRANT command apply analogously to
247 REVOKE. The keyword RESTRICT or CASCADE is required according to the
248 standard, but PostgreSQL assumes RESTRICT by default.
252 GRANT, ALTER DEFAULT PRIVILEGES
begriffs.com / projects / ai-pg / blob