On this page
Warning:
CockroachDB v20.1 is no longer supported as of November 12, 2021. For more details, refer to the Release Support Policy.
The REVOKE <roles>
statement lets you revoke a role or user's membership to a role.
Note:
New in v20.1 REVOKE <roles>
is no longer an enterprise feature and is now freely available in the core version of CockroachDB.
Synopsis
Required privileges
The user revoking role membership must be a role admin (i.e., members with the WITH ADMIN OPTION
) or a member of the admin
role.
To remove membership to the admin
role, the user must have WITH ADMIN OPTION
on the admin
role.
Considerations
- The
root
user cannot be revoked from theadmin
role.
Parameters
Parameter | Description |
---|---|
ADMIN OPTION |
Revoke the user's role admin status. |
role_name |
The name of the role from which you want to remove members. To revoke members from multiple roles, use a comma-separated list of role names. |
user_name |
The name of the user or role from whom you want to revoke membership. To revoke multiple members, use a comma-separated list of user and/or role names. |
Examples
Revoke role membership
> SHOW GRANTS ON ROLE design;
+--------+---------+---------+
| role | member | isAdmin |
+--------+---------+---------+
| design | barkley | false |
| design | ernie | true |
| design | lola | false |
| design | lucky | false |
+--------+---------+---------+
> REVOKE design FROM lola;
> SHOW GRANTS ON ROLE design;
+--------+---------+---------+
| role | member | isAdmin |
+--------+---------+---------+
| design | barkley | false |
| design | ernie | true |
| design | lucky | false |
+--------+---------+---------+
Revoke the admin option
To revoke a user or role's admin option from a role (without revoking the membership):
> REVOKE ADMIN OPTION FOR design FROM ernie;
+--------+---------+---------+
| role | member | isAdmin |
+--------+---------+---------+
| design | barkley | false |
| design | ernie | false |
| design | lucky | false |
+--------+---------+---------+