top of page
CerebroSQL

MySQL: 

REVOKE

Syntax:
REVOKE
priv_type [(column_list)]
[, priv_type [(column_list)]] ...
ON [object_type] priv_level
FROM user_or_role [, user_or_role] ...

REVOKE ALL [PRIVILEGES], GRANT OPTION
FROM user_or_role [, user_or_role] ...

REVOKE PROXY ON user_or_role
FROM user_or_role [, user_or_role] ...

REVOKE role [, role ] ...
FROM user_or_role [, user_or_role ] ...

user_or_role: {
user (see https://dev.mysql.com/doc/refman/8.0/en/account-names.html)
| role (see https://dev.mysql.com/doc/refman/8.0/en/role-names.html.
}

The REVOKE statement enables system administrators to revoke privileges
and roles, which can be revoked from user accounts and roles.

For details on the levels at which privileges exist, the permissible
priv_type, priv_level, and object_type values, and the syntax for
specifying users and passwords, see [HELP GRANT].

For information about roles, see
https://dev.mysql.com/doc/refman/8.0/en/roles.html.

When the read_only system variable is enabled, REVOKE requires the
CONNECTION_ADMIN or privilege (or the deprecated SUPER privilege), in
addition to any other required privileges described in the following
discussion.

REVOKE either succeeds for all named users and roles or rolls back and
has no effect if any error occurs. The statement is written to the
binary log only if it succeeds for all named users and roles.

Each account name uses the format described in
https://dev.mysql.com/doc/refman/8.0/en/account-names.html. Each role
name uses the format described in
https://dev.mysql.com/doc/refman/8.0/en/role-names.html. For example:

REVOKE INSERT ON *.* FROM 'jeffrey'@'localhost';
REVOKE 'role1', 'role2' FROM 'user1'@'localhost', 'user2'@'localhost';
REVOKE SELECT ON world.* FROM 'role3';

The host name part of the account or role name, if omitted, defaults to
'%'.

To use the first REVOKE syntax, you must have the GRANT OPTION
privilege, and you must have the privileges that you are revoking.

To revoke all privileges, use the second syntax, which drops all
global, database, table, column, and routine privileges for the named
users or roles:

REVOKE ALL PRIVILEGES, GRANT OPTION
FROM user_or_role [, user_or_role] ...

REVOKE ALL PRIVILEGES, GRANT OPTION does not revoke any roles.

To use this REVOKE syntax, you must have the global CREATE USER
privilege, or the UPDATE privilege for the mysql system schema.

The syntax for which the REVOKE keyword is followed by one or more role
names takes a FROM clause indicating one or more users or roles from
which to revoke the roles.

Roles named in the mandatory_roles system variable value cannot be
revoked.

A revoked role immediately affects any user account from which it was
revoked, such that within any current session for the account, its
privileges are adjusted for the next statement executed.

Revoking a role revokes the role itself, not the privileges that it
represents. Suppose that an account is granted a role that includes a
given privilege, and is also granted the privilege explicitly or
another role that includes the privilege. In this case, the account
still possesses that privilege if the first role is revoked. For
example, if an account is granted two roles that each include SELECT,
the account still can select after either role is revoked.

REVOKE ALL ON *.* (at the global level) revokes all granted static
global privileges and all granted dynamic privileges.

User accounts and roles from which privileges and roles are to be
revoked must exist, but the privileges and roles to be revoked need not
be currently granted to them.

A revoked privilege that is granted but not known to the server is
revoked with a warning. This situtation can occur for dynamic
privileges. For example, a dynamic privilege can be granted while the
component that registers it is installed, but if that component is
subsequently uninstalled, the privilege becomes unregistered, although
accounts that possess the privilege still possess it and it can be
revoked from them.

Example

bottom of page