SQL - REVOKE

Changes permissions of a role, revoking access to one or more resources. To give access to a resource to the role, see the GRANT command.

Syntax

REVOKE [ <permission> | POLICY <policyName> ] ON <resource> FROM <role>
  • <permission> Defines the permission you want to revoke from the role.
  • <policyName> Defines the name of a security policy.
  • <resource> Defines the resource on which you want to revoke the permissions.
  • <role> Defines the role from which you want to revoke the permissions.

Examples

  • Revoke permission to delete records on any cluster from the role backoffice:

    orientdb> REVOKE DELETE ON database.cluster.* FROM backoffice
    
  • Revoke a security policy previously assigned to the backoffice profile on the Person class:

    orientdb> REVOKE POLICY ON database.class.Person FROM backoffice
    

For more information, see

Supported Permissions

Using this command, you can revoke the following permissions from a role.

Permission  Description
NONE        Revokes no permissions on the resource.
CREATE      Revokes create permissions on the resource, such as the CREATE CLASS or CREATE CLUSTER commands.
READ        Revokes read permissions on the resource, such as the SELECT query.
UPDATE      Revokes update permissions on the resource, such as the UPDATE or UPDATE EDGE commands.
DELETE      Revokes delete permissions on the resource, such as the DROP INDEX or DROP SEQUENCE commands.
ALL         Revokes all permissions on the resource.

Supported Resources

Using this command, you can revoke permissions on the following resources.

Resource                           Description
database                           Revokes access on the current database.
database.class.<class>             Revokes access on records contained in the indicated class. Use ** to indicate all classes.
database.class.<class>.<property>  Intended only for security policies. Revokes policies assigned to a specific class property for a role. Use ** to indicate all classes and/or all properties.
database.cluster.<cluster>         Revokes access to records contained in the indicated cluster. Use ** to indicate all clusters.
database.query                     Revokes the ability to execute a query (READ is sufficient).
database.command.<command>         Revokes the ability to execute the given command. Use CREATE for INSERT, READ for SELECT, UPDATE for UPDATE and DELETE for DELETE.
database.config.<permission>       Revokes access to the configuration. Valid permissions are READ and UPDATE.
database.hook.record               Revokes the ability to set hooks.
server.admin                       Revokes the ability to access server resources.
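
A pre-flight check for a script of REVOKE statements, built from the syntax line and the two tables on this page, so that a mistyped permission or resource is caught in review before the script is run. This is an added example, not OrientDB code; the function names, the sample script, and the case-insensitive keyword matching are assumptions.

```python
import re
# Permission names and resource forms are copied from the tables on this page.
PERMISSIONS = {"NONE", "CREATE", "READ", "UPDATE", "DELETE", "ALL"}
NAME = r"[^.\s]+"  # one path segment: a name or a wildcard
RESOURCES = [
    ("database", r"database"),
    ("class", rf"database\.class\.{NAME}"),
    ("property", rf"database\.class\.{NAME}\.{NAME}"),
    ("cluster", rf"database\.cluster\.{NAME}"),
    ("query", r"database\.query"),
    ("command", rf"database\.command\.{NAME}"),
    ("config", r"database\.config\.(read|update)"),  # table: READ and UPDATE only
    ("hook", r"database\.hook\.record"),
    ("server", r"server\.admin"),
]
# REVOKE [ <permission> | POLICY <policyName> ] ON <resource> FROM <role>; the
# policy name is treated as optional because the page's own example omits it.
STMT = re.compile(
    r"^\s*REVOKE\s+(?:(POLICY)(?:\s+(\S+))?|(\w+))\s+ON\s+(\S+)\s+FROM\s+([^\s;]+)\s*;?\s*$",
    re.IGNORECASE)

def check_revoke(stmt):
    """Return a list of problems found in one REVOKE statement (empty if none)."""
    m = STMT.match(stmt)
    if not m:
        return ["not in the documented REVOKE form"]
    is_policy, _policy_name, perm, resource, _role = m.groups()
    problems = []
    if perm and perm.upper() not in PERMISSIONS:
        problems.append(f"unknown permission {perm!r}")
    kind = next((k for k, rx in RESOURCES if re.fullmatch(rx, resource, re.I)), None)
    if kind is None:
        problems.append(f"unknown resource {resource!r}")
    elif kind == "property" and not is_policy:
        problems.append("property resources are intended only for security policies")
    return problems

def audit(script):
    """Map 1-based line number to problems, for each non-blank line that has any."""
    return {no: p for no, line in enumerate(script.splitlines(), 1)
            if line.strip() and (p := check_revoke(line))}

# Constructed sample script: the first two lines are the page's examples,
# the last three are deliberately wrong.
SAMPLE = """\
REVOKE DELETE ON database.cluster.* FROM backoffice
REVOKE POLICY ON database.class.Person FROM backoffice
REVOKE DELET ON database.cluster.* FROM backoffice
REVOKE READ ON database.clusters.* FROM backoffice
REVOKE READ ON database.class.Person.name FROM backoffice
"""
```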