Purpose
This statement is used by a system administrator to revoke certain privileges from a user.
Limitations and considerations
- The user must have the revoked privilege (for example, if
user1wants to revoke theSELECTprivilege on tabletbl1fromuser2,user1must have theSELECTprivilege on tabletbl1) and theGRANT OPTIONprivilege.
Privilege requirements
If the
GRANT OPTIONis not specified, the revocation does not cascade. For example, if useruser1grants some privileges to useruser2, revoking privileges fromuser1does not also revoke the corresponding privileges fromuser2. If theGRANT OPTIONis specified, the revocation cascades.To revoke the
ALL PRIVILEGESandGRANT OPTIONprivileges, the current user must have the globalGRANT OPTIONprivilege, or theUPDATEandDELETEprivileges on the privilege table.
For more information about the privileges of OceanBase Database, see Privilege classification in Oracle mode.
Syntax
/*Revoke object privileges*/
REVOKE {obj_privilege [, obj_privilege...]} ON obj_clause FROM {user_name [, user_name ...]}
/*Revoke system privileges*/
REVOKE {system_privilege_list | ALL PRIVILEGES} FROM user_name [, user_name ...];
REVOKE ALL [PRIVILEGES], GRANT_OPTION FROM user_name [, user_name ...];
/*Revoke roles*/
REVOKE role_name [, role_name ...] FROM user_name;
obj_clause:
* [. *]
| relation_name . {* | relation_name}
| [DIRECTORY] relation_name
Parameters
| Parameter | Description |
|---|---|
| obj_privilege | Specifies the type of object privilege to revoke. For more information about the privilege types, see the table below. When revoking multiple privileges, separate the privilege types with commas. |
| obj_clause | Specifies the scope of the privilege to revoke. relation_name specifies the name of the specific object. Privileges can be categorized into the following scopes:
|
| system_privilege_list | Specifies the type of system privilege to revoke. When revoking multiple privileges, separate the privilege types with commas. |
| ALL [PRIVILEGES] | Specifies all privileges except GRANT OPTION. |
obj_clause
* [. *]: Specifies all tables in all databases.Example:
Revoke the global
SELECTandINSERTprivileges from usersuser001anduser002.REVOKE SELECT, INSERT ON *.* FROM 'user001', 'user002';relation_name . {* | relation_name}: Specifies all tables in the specified database.db_namespecifies the name of the specified database.Example:
Revoke the
INSERTprivilege on all tables in thetestdatabase from useruser003.REVOKE INSERT ON 'test'.* FROM 'user003';[DIRECTORY] relation_name: Specifies a specific table in a specific database.Example:
Revoke the
SELECTprivilege on thetbl2table in thetestdatabase from useruser003.REVOKE SELECT ON 'test'.'tbl2' FROM 'user003';
The following table lists the types of privileges that can be revoked.
Privilege type description table
| Privilege | Description |
|---|---|
| ALL PRIVILEGES | All privileges except GRANT OPTION. |
| ALTER | Privilege to execute ALTER TABLE. |
| CREATE | Privilege to execute CREATE TABLE. |
| DELETE | Privilege to execute DELETE. |
| DROP | Privilege to execute DROP. |
| GRANT OPTION | Privilege to execute GRANT OPTION. |
| INSERT | Privilege to execute INSERT. |
| UPDATE | Privilege to execute UPDATE. |
| SELECT | Privilege to execute SELECT. |
| INDEX | Privilege to execute CREATE INDEX and DROP INDEX. |
| SHOW VIEW | Privilege to execute SHOW CREATE VIEW. |
| SHOW DATABASES | Global privilege to execute SHOW DATABASES. |
| SUPER | Privilege to execute SET GLOBAL to modify global system parameters. |
| REFERENCES | Privilege to create constraints that reference tables. |
| EXECUTE | Privilege to execute stored procedures. |
| FLASHBACK | Privilege to execute FLASHBACK. |
| READ | Privilege to execute READ. |
| WRITE | Privilege to execute WRITE. |
| CREATE SESSION | Privilege to connect to the database. |
| EXEMPT REDACTION POLICY | Privilege to bypass any existing REDACTION POLICY and view data. |
| SYSDBA | Privilege to execute SYSDBA. |
| SYSOPER | Privilege to execute SYSOPER. |
| SYSBACKUP | Privilege to execute SYSBACKUP. |
| CREATE TABLE | Privilege to create tables in the specified user schema. |
| CREATE ANY TABLE | Privilege to create tables in all user schemas except the SYS schema. |
| ALTER ANY TABLE | Privilege to modify tables in all user schemas except the SYS schema. |
| BACKUP ANY TABLE | Privilege to create tables in all user schemas except the SYS schema. |
| DROP ANY TABLE | Privilege to backup tables in all user schemas except the SYS schema. |
| LOCK ANY TABLE | Privilege to lock tables in all user schemas except the SYS schema. |
| COMMENT ANY TABLE | Privilege to comment on tables in all user schemas except the SYS schema. |
| SELECT ANY TABLE | Privilege to view tables in all user schemas except the SYS schema. |
| INSERT ANY TABLE | Privilege to insert rows into tables in all user schemas except the SYS schema. |
| UPDATE ANY TABLE | Privilege to update rows in tables in all user schemas except the SYS schema. |
| DELETE ANY TABLE | Privilege to delete tables in all user schemas except the SYS schema. |
| FLASHBACK ANY TABLE | Privilege to FLASHBACK tables in all user schemas except the SYS schema. |
| CREATE ROLE | Privilege to create roles. |
| DROP ANY ROLE | Privilege to drop any role. |
| GRANT ANY ROLE | Privilege to grant any role. |
| ALTER ANY ROLE | Grants the right to alter any role. |
| AUDIT ANY | Grants the right to audit any object in any schema except the SYS schema. |
| GRANT ANY PRIVILEGE | Grants the right to grant any system privilege. |
| GRANT ANY OBJECT PRIVILEGE | Grants the right to grant any object privilege. |
| CREATE ANY INDEX | Grants the right to create any index in any schema except the SYS schema. |
| ALTER ANY INDEX | Grants the right to alter any index in any schema except the SYS schema. |
| DROP ANY INDEX | Grants the right to drop any index in any schema except the SYS schema. |
| CREATE ANY VIEW | Grants the right to create any view in any schema except the SYS schema. |
| DROP ANY VIEW | Grants the right to drop any view in any schema except the SYS schema. |
| CREATE VIEW | Grants the right to create a view in the specified schema. |
| SELECT ANY DICTIONARY | Grants the right to query the DICTIONARY table in the specified schema. |
| CREATE PROCEDURE | Grants the right to create a PROCEDURE in the specified schema. |
| CREATE ANY PROCEDURE | Grants the right to create a PROCEDURE in any schema except the SYS schema. |
| ALTER ANY PROCEDURE | Grants the right to alter a PROCEDURE in any schema except the SYS schema. |
| DROP ANY PROCEDURE | Grants the right to drop a PROCEDURE in any schema except the SYS schema. |
| EXECUTE ANY PROCEDURE | Grants the right to execute a PROCEDURE in any schema except the SYS schema. |
| CREATE SYNONYM | Grants the right to create a SYNONYM in the specified schema. |
| CREATE ANY SYNONYM | Grants the right to create a SYNONYM in any schema except the SYS schema. |
| DROP ANY SYNONYM | Grants the right to drop a SYNONYM in any schema except the SYS schema. |
| CREATE PUBLIC SYNONYM | Grants the right to create a public SYNONYM. |
| DROP PUBLIC SYNONYM | Grants the right to drop a public SYNONYM. |
| CREATE SEQUENCE | Grants the right to create a SEQUENCE in the specified schema. |
| CREATE ANY SEQUENCE | Grants the right to create a SEQUENCE in any schema except the SYS schema. |
| ALTER ANY SEQUENCE | Grants the right to alter a SEQUENCE in any schema except the SYS schema. |
| DROP ANY SEQUENCE | Grants the right to drop a SEQUENCE in any schema except the SYS schema. |
| SELECT ANY SEQUENCE | Grants the right to query a SEQUENCE in any schema except the SYS schema. |
| CREATE TRIGGER | Grants the right to create a TRIGGER in the specified schema. |
| CREATE ANY TRIGGER | Grants the right to create a TRIGGER in any schema except the SYS schema. |
| ALTER ANY TRIGGER | Grants the right to alter a TRIGGER in any schema except the SYS schema. |
| DROP ANY TRIGGER | Grants the right to drop a TRIGGER in any schema except the SYS schema. |
| CREATE PROFILE | Grants the right to create a PROFILE. |
| ALTER PROFILE | Grants the right to alter a PROFILE. |
| DROP PROFILE | Grants the right to drop a PROFILE. |
| CREATE USER | Grants the right to create a user. |
| ALTER USER | Grants the right to alter a user. |
| DROP USER | Grants the right to drop a user. |
| CREATE TYPE | Grants the right to create a TYPE in the specified schema. |
| CREATE ANY TYPE | Grants the right to create a TYPE in any schema except the SYS schema. |
| ALTER ANY TYPE | Grants the right to alter a TYPE in any schema except the SYS schema. |
| DROP ANY TYPE | Grants the right to drop a TYPE in any schema except the SYS schema. |
| EXECUTE ANY TYPE | The right to execute TYPE in the schemas of all users except the SYS user. |
| UNDER ANY TYPE | The right to create SUBTYPE based on TYPE in the schemas of all users except the SYS user. |
| PURGE DBA_RECYCLEBIN | The right to delete all objects from the system recycle bin. |
| CREATE ANY OUTLINE | The right to create OUTLINE in the schemas of all users except the SYS user. |
| ALTER ANY OUTLINE | The right to modify OUTLINE in the schemas of all users except the SYS user. |
| DROP ANY OUTLINE | The right to delete OUTLINE in the schemas of all users except the SYS user. |
| SYSKM | The right to SYSKM. |
| CREATE TABLESPACE | The right to create tablespaces. |
| ALTER TABLESPACE | The right to modify tablespaces. |
| DROP TABLESPACE | The right to drop tablespaces. |
| ALTER SYSTEM | The right to ALTER SYSTEM. |
| CREATE DATABASE LINK | The right to create DATABASE LINK in the specified user schema. |
| CREATE PUBLIC DATABASE LINK | The right to create PUBLIC DATABASE LINK. |
| DROP DATABASE LINK | The right to drop DATABASE LINK in the specified user schema. |
| ALTER SESSION | The right to modify SESSION. |
| ALTER DATABASE | The right to modify DATABASE. |
Examples
Create a user and a role.
CREATE USER user1 IDENTIFIED BY password; CREATE ROLE role1; CREATE TABLE user1.tbl1 (id INT);Grant privileges to the role.
GRANT SELECT ON user1.tbl1 TO role1;Grant the role to the user.
GRANT role1 TO user1;Revoke the role's privileges on the table.
REVOKE SELECT ON user1.tbl1 FROM role1;
The preceding steps demonstrate how to grant and revoke privileges.
The following examples show how to revoke all privileges, revoke object privileges, and revoke system privileges.
- Revoke all privileges from user user1.
obclient> REVOKE ALL PRIVILEGES FROM user1;
Query OK, 0 rows affected
- Revoke the SELECT object privilege on table user1.tbl1 from role role1.
obclient> REVOKE SELECT ON user1.tbl1 FROM role1;
Query OK, 0 rows affected
- Revoke the DROP ANY TABLE system privilege from users user1 and user2.
obclient> REVOKE DROP ANY TABLE FROM user1,user2;
Query OK, 0 rows affected
References
For information about how to view user privileges, see View user privileges.
For information about how to view roles and the privileges of roles, see View roles.
You can query the
dba_userstable to view the information about the created users. For more information about thedba_userstable, see DBA_USERS.