ClickHouse/docs/en/sql-reference/statements/revoke.md
BayoNet c701493e30 DOCS-626: EN review, RU translations for RBAC docs (#10951)
* DOCSUP-1062 (#112)

* added first draft

* minor fixes

* fixed anchors

* yet another fixes

* and the minorest fixes

* Apply suggestions from doc review

Co-authored-by: BayoNet <da-daos@yandex.ru>

* fixed terminology in ru (access entity, throws exception)

* fixed typo

* fixed typo

Co-authored-by: Elizaveta Mironyuk <emironyuk@yandex-team.ru>
Co-authored-by: BayoNet <da-daos@yandex.ru>

* Fixed link.

* CLICKHOUSEDOCS-626: Fixed links.

Co-authored-by: Sergei Shtykov <bayonet@yandex-team.ru>
Co-authored-by: emironyuk <62014692+emironyuk@users.noreply.github.com>
Co-authored-by: Elizaveta Mironyuk <emironyuk@yandex-team.ru>
2020-05-15 23:30:51 +03:00


toc_priority toc_title
40 REVOKE

REVOKE

Revokes privileges from users or roles.

Syntax

Revoking privileges from users

REVOKE [ON CLUSTER cluster_name] privilege[(column_name [,...])] [,...] ON {db.table|db.*|*.*|table|*} FROM {user | CURRENT_USER} [,...] | ALL | ALL EXCEPT {user | CURRENT_USER} [,...]

Revoking roles from users

REVOKE [ON CLUSTER cluster_name] [ADMIN OPTION FOR] role [,...] FROM {user | role | CURRENT_USER} [,...] | ALL | ALL EXCEPT {user_name | role_name | CURRENT_USER} [,...]

Description

To revoke a privilege, you can name a privilege of a wider scope than the one you plan to revoke. For example, if a user has the SELECT (x,y) privilege, an administrator can execute a REVOKE SELECT(x,y) ..., or REVOKE SELECT * ..., or even REVOKE ALL PRIVILEGES ... query to revoke this privilege.

Partial Revokes

You can revoke part of a privilege. For example, if a user has the SELECT *.* privilege, you can revoke from that user the privilege to read data from a particular table or database.

Examples

Grant the john user account the privilege to select from all databases except the accounts one:

GRANT SELECT ON *.* TO john;
REVOKE SELECT ON accounts.* FROM john;

Grant the mira user account the privilege to select from all columns of the accounts.staff table except the wage one:

GRANT SELECT ON accounts.staff TO mira;
REVOKE SELECT(wage) ON accounts.staff FROM mira;
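The Description and the role-revocation syntax above have no example of their own, so here is an added one (not part of the original ClickHouse documentation) that revokes a column-level grant with a wider-scope statement, withdraws a role in two steps, and checks the result with SHOW GRANTS after each change. The names demo_acl, alice and reporting are hypothetical.

```sql
-- Added example; demo_acl, alice and reporting are hypothetical names.
CREATE DATABASE IF NOT EXISTS demo_acl;
CREATE TABLE IF NOT EXISTS demo_acl.t (x UInt32, y UInt32, z UInt32) ENGINE = Memory;
CREATE USER IF NOT EXISTS alice;
CREATE ROLE IF NOT EXISTS reporting;

-- 1. Column-level grant, revoked with a wider-scope statement.
GRANT SELECT(x, y) ON demo_acl.t TO alice;
SHOW GRANTS FOR alice;                    -- baseline: note the SELECT(x, y) grant
REVOKE SELECT ON demo_acl.t FROM alice;   -- table-wide scope covers columns x and y
SHOW GRANTS FOR alice;                    -- confirm the column grant is gone

-- 2. Role granted with admin option, withdrawn in two steps.
GRANT SELECT ON demo_acl.t TO reporting;
GRANT reporting TO alice WITH ADMIN OPTION;
REVOKE ADMIN OPTION FOR reporting FROM alice;  -- alice keeps the role but can no longer grant it to others
SHOW GRANTS FOR alice;
REVOKE reporting FROM alice;                   -- role membership removed
SHOW GRANTS FOR alice;

-- Cleanup of the hypothetical objects.
DROP USER IF EXISTS alice;
DROP ROLE IF EXISTS reporting;
DROP DATABASE IF EXISTS demo_acl;
```

Running SHOW GRANTS after every REVOKE is the check to keep: it shows what the account still holds, including anything a wider or narrower statement left in place.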
