SQL - REVOKE

Changes the permissions of a role by revoking access to one or more resources. To grant a role access to a resource, see the GRANT command.

Syntax

REVOKE [ <permission> | POLICY <policyName> ] ON <resource> FROM <role>
  • <permission> Defines the permission you want to revoke from the role.
  • <policyName> Defines the name of a security policy.
  • <resource> Defines the resource on which you want to revoke the permissions.
  • <role> Defines the role from which you want to revoke the permissions.

Examples

  • Revoke permission to delete records on any cluster from the role backoffice:

    orientdb> REVOKE DELETE ON database.cluster.* FROM backoffice
    
  • Revoke a security policy previously assigned to the backoffice profile on the Person class:

    orientdb> REVOKE POLICY ON database.class.Person FROM backoffice
    

For more information, see

Supported Permissions

Using this command, you can revoke the following permissions from a role.

| Permission | Description |
|------------|-------------|
| NONE | Revokes no permissions on the resource. |
| CREATE | Revokes create permissions on the resource, such as the CREATE CLASS or CREATE CLUSTER commands. |
| READ | Revokes read permissions on the resource, such as the SELECT query. |
| UPDATE | Revokes update permissions on the resource, such as the UPDATE or UPDATE EDGE commands. |
| DELETE | Revokes delete permissions on the resource, such as the DROP INDEX or DROP SEQUENCE commands. |
| ALL | Revokes all permissions on the resource. |

Supported Resources

Using this command, you can revoke permissions on the following resources.

| Resource | Description |
|----------|-------------|
| database | Revokes access on the current database. |
| database.class.<class> | Revokes access on records contained in the indicated class. Use ** to indicate all classes. |
| database.class.<class>.<property> | Intended only for security policies. Revokes policies assigned to a specific class property for a role. Use ** to indicate all classes and/or all properties. |
| database.cluster.<cluster> | Revokes access to records contained in the indicated cluster. Use ** to indicate all clusters. |
| database.query | Revokes the ability to execute a query (READ is sufficient). |
| database.command.<command> | Revokes the ability to execute the given command. Use CREATE for INSERT, READ for SELECT, UPDATE for UPDATE and DELETE for DELETE. |
| database.config.<permission> | Revokes access to the configuration. Valid permissions are READ and UPDATE. |
| database.hook.record | Revokes the ability to set hooks. |
| server.admin | Revokes the ability to access server resources. |
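
The following is an added example, not part of the OrientDB documentation: a small Python linter that checks the REVOKE statements in a change script against the syntax line and the two tables on this page before they are run. The function names, the sample script and the salary property are constructed for illustration; accepting both * and ** as wildcards and treating the policy name as optional are assumptions that follow the page's own examples.

```python
import re

# Permissions and resource forms below are copied from this page's tables.
PERMISSIONS = {"NONE", "CREATE", "READ", "UPDATE", "DELETE", "ALL"}
NAME = r"(?:\*{1,2}|\w+)"  # a name, or the * / ** wildcard the page uses
PROPERTY_LEVEL = re.compile(rf"database\.class\.{NAME}\.{NAME}\Z")
RESOURCES = [PROPERTY_LEVEL] + [re.compile(p + r"\Z") for p in (
    r"database", rf"database\.class\.{NAME}", rf"database\.cluster\.{NAME}",
    r"database\.query", r"database\.command\.\w+", r"database\.config\.\w+",
    r"database\.hook\.record", r"server\.admin",
)]
# REVOKE [ <permission> | POLICY <policyName> ] ON <resource> FROM <role>
# The policy name is optional here because the page's own example omits it.
STATEMENT = re.compile(
    r"\s*REVOKE\s+(?:POLICY(?:\s+(?P<policy>\w+))?|(?P<perm>\w+))"
    r"\s+ON\s+(?P<res>\S+)\s+FROM\s+(?P<role>\w+)\s*;?\s*\Z", re.IGNORECASE)

def lint_revoke(statement):
    """Return findings for one REVOKE statement; an empty list means clean."""
    m = STATEMENT.match(statement)
    if not m:
        return ["does not match the REVOKE syntax"]
    findings, res, perm = [], m["res"], m["perm"]
    if not any(p.match(res) for p in RESOURCES):
        findings.append(f"resource {res!r} is not a listed resource form")
    if perm is None:  # REVOKE POLICY: no permission keyword to check
        return findings
    if perm.upper() not in PERMISSIONS:
        findings.append(f"permission {perm!r} is not a listed permission")
    elif perm.upper() == "NONE":
        findings.append("NONE revokes no permissions, so this has no effect")
    if PROPERTY_LEVEL.match(res):
        findings.append("property-level resources are for security policies only")
    return findings

def review(script):
    """Lint each non-blank line of a change script; return only flagged ones."""
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    return {ln: f for ln in lines if (f := lint_revoke(ln))}

# Constructed change script: the first two lines are the page's own examples.
SAMPLE = """
REVOKE DELETE ON database.cluster.* FROM backoffice
REVOKE POLICY ON database.class.Person FROM backoffice
REVOKE NONE ON database FROM backoffice
REVOKE READ ON database.class.Person.salary FROM backoffice
"""
if __name__ == "__main__":
    for stmt, found in review(SAMPLE).items():
        print(stmt, "->", "; ".join(found))
```

A statement that passes this check is only well-formed against this page; whether the role still reaches the resource through another rule has to be confirmed in the database itself.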
