SQL - REVOKE
Changes permissions of a role, revoking access to one or more resources. To give access to a resource to the role, see the GRANT command.
Syntax
REVOKE [ <permission> | POLICY <policyName> ] ON <resource> FROM <role>
- <permission> Defines the permission you want to revoke from the role.
- <policyName> Defines the name of a security policy.
- <resource> Defines the resource on which you want to revoke the permissions.
- <role> Defines the role from which you want to revoke the permissions.
Examples
- Revoke permission to delete records on any cluster from the role backoffice:
  orientdb> REVOKE DELETE ON database.cluster.* FROM backoffice
- Revoke a security policy previously assigned to the backoffice profile on the Person class:
  orientdb> REVOKE POLICY ON database.class.Person FROM backoffice
For more information, see
Supported Permissions
Using this command, you can revoke the following permissions from a role.
Permission | Description |
---|---|
NONE | Revokes no permissions on the resource. |
CREATE | Revokes create permissions on the resource, such as the CREATE CLASS or CREATE CLUSTER commands. |
READ | Revokes read permissions on the resource, such as the SELECT query. |
UPDATE | Revokes update permissions on the resource, such as the UPDATE or UPDATE EDGE commands. |
DELETE | Revokes delete permissions on the resource, such as the DROP INDEX or DROP SEQUENCE commands. |
ALL | Revokes all permissions on the resource. |
Supported Resources
Using this command, you can revoke permissions on the following resources.
Resource | Description |
---|---|
database | Revokes access on the current database. |
database.class.<class> | Revokes access on records contained in the indicated class. Use ** to indicate all classes. |
database.class.<class>.<property> | Intended only for security policies. Revokes policies assigned to a specific class property for a role. Use ** to indicate all classes and/or all properties. |
database.cluster.<cluster> | Revokes access to records contained in the indicated cluster. Use ** to indicate all clusters. |
database.query | Revokes the ability to execute a query (READ is sufficient). |
database.command.<command> | Revokes the ability to execute the given command. Use CREATE for INSERT, READ for SELECT, UPDATE for UPDATE and DELETE for DELETE. |
database.config.<permission> | Revokes access to the configuration. Valid permissions are READ and UPDATE. |
database.hook.record | Revokes the ability to set hooks. |
server.admin | Revokes the ability to access server resources. |
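One way to check a permission script before it is run is to lint each REVOKE statement against the syntax line and the two tables above. This is an added example, not OrientDB code: `lint_revoke` and the sample statements are constructed for illustration, and accepting both `*` and `**` as wildcards, treating the policy name as optional, and reading `database.config.<permission>` literally are assumptions drawn from how the page writes them.

```python
import re

# Permissions and resource shapes transcribed from the two tables on this page.
PERMISSIONS = {"NONE", "CREATE", "READ", "UPDATE", "DELETE", "ALL"}
NAME = r"(?:\w+|\*{1,2})"  # a name, or the * / ** wildcard forms shown on this page
PROPERTY = re.compile(rf"database\.class\.{NAME}\.{NAME}\Z")
RESOURCES = [PROPERTY] + [re.compile(p + r"\Z") for p in (
    r"database",
    rf"database\.class\.{NAME}",
    rf"database\.cluster\.{NAME}",
    r"database\.query",
    r"database\.command\.\w+",
    r"database\.config\.(?i:read|update)",  # assumption: literal <permission> suffix
    r"database\.hook\.record",
    r"server\.admin",
)]
# REVOKE [ <permission> | POLICY <policyName> ] ON <resource> FROM <role>
# Assumption: the policy name is optional, because the page's own example omits it.
STATEMENT = re.compile(
    r"REVOKE\s+(?:POLICY(?:\s+(?P<policy>\w+))?|(?P<permission>\w+))"
    r"\s+ON\s+(?P<resource>\S+)\s+FROM\s+(?P<role>\w+)\s*;?\s*\Z",
    re.IGNORECASE,
)

def lint_revoke(statement):
    """Return a list of problems found in one REVOKE statement (empty means OK)."""
    m = STATEMENT.match(statement.strip())
    if not m:
        return ["does not match REVOKE ... ON <resource> FROM <role>"]
    problems = []
    perm, resource = m["permission"], m["resource"]
    if perm and perm.upper() not in PERMISSIONS:
        problems.append(f"unknown permission {perm!r}")
    if not any(p.match(resource) for p in RESOURCES):
        problems.append(f"unknown resource {resource!r}")
    # The resource table marks class.<class>.<property> as policy-only.
    if perm and PROPERTY.match(resource):
        problems.append("property-level resources are intended only for POLICY")
    # Per the permission table, NONE revokes nothing, so the role keeps its access.
    if perm and perm.upper() == "NONE":
        problems.append("NONE revokes no permissions; statement has no effect")
    return problems

if __name__ == "__main__":
    for s in (  # constructed sample statements
        "REVOKE DELETE ON database.cluster.* FROM backoffice",
        "REVOKE NONE ON database FROM backoffice",
    ):
        print(s, "->", lint_revoke(s) or "OK")
```

A statement that passes the lint is only well-formed; whether the role still reaches the data through another grant has to be checked against the role's remaining permissions.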