
3.4 Revoking privileges

Privileges or roles can be revoked from a user. Roles cannot be revoked from roles, however. Only the grantor of a privilege (role) or a DBA user can revoke that privilege (role).

REVOKE statements are similar to GRANT statements.

To revoke one or more privileges on a database object from one or more users or roles use:

REVOKE "privilege" | ALL  
ON [DOCUMENT|COLLECTION] "database-object-name"  
FROM "user-name|role-name" | PUBLIC

If the kind of the database object (DOCUMENT or COLLECTION) is not specified, the database object is considered to be a document.

To revoke one or more privileges on a database from one or more users or roles use:

REVOKE "privilege" | ALL  
ON DATABASE  
FROM "user-name|role-name" | PUBLIC

To revoke a role from one or more users use:

REVOKE "role-name"  
FROM "user-name" | PUBLIC

As mentioned above, a DBA user is a user that has the "DBA" role. Thus, "DBA" is a reserved name for a role: a role named "DBA" cannot be created, and privileges or roles cannot be granted to the "DBA" role.

A DBA user can grant the "DBA" role to another user, thus making that user a DBA user as well. This is not recommended, as having multiple powerful users of a database can make database administration hard and can lead to insecure usage of the database and database objects.
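
The following is an added example, not part of the Sedna documentation or code base. It models the rule that only the grantor or a DBA user can revoke a role, finds every holder of the "DBA" role, and builds the `REVOKE "role-name" FROM "user-name"` statements that would leave a single DBA user. The `RoleGrant` record layout, the helper names and all user names are assumptions made for illustration.

```python
# Added example: models the revocation rules from this section.
# The RoleGrant record layout and all user names are constructed for
# illustration; they are not Sedna's internal security metadata format.
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleGrant:
    grantor: str  # user who issued the GRANT
    grantee: str  # user who received the role
    role: str


def quote(name):
    """Quote a name for a statement; refuse names that would break quoting."""
    if not name or '"' in name:
        raise ValueError(f"unsafe name: {name!r}")
    return f'"{name}"'


def dba_users(grants, root_dba):
    """Every user that currently holds the reserved "DBA" role."""
    return {root_dba} | {g.grantee for g in grants if g.role == "DBA"}


def can_revoke(actor, grant, dbas):
    """Only the grantor of the role or a DBA user can revoke it."""
    return actor == grant.grantor or actor in dbas


def plan_dba_cleanup(grants, root_dba, actor):
    """REVOKE statements that leave root_dba as the only DBA user."""
    dbas, plan = dba_users(grants, root_dba), []
    for g in grants:
        if g.role != "DBA" or g.grantee == root_dba:
            continue
        if not can_revoke(actor, g, dbas):
            raise PermissionError(f"{actor} cannot revoke DBA from {g.grantee}")
        stmt = f"REVOKE {quote(g.role)} FROM {quote(g.grantee)}"
        if stmt not in plan:  # one statement per user, even if granted twice
            plan.append(stmt)
    return plan


# Constructed inventory: "admin" is the original DBA; alice re-granted DBA to bob.
SAMPLE = [
    RoleGrant("admin", "alice", "DBA"),
    RoleGrant("alice", "bob", "DBA"),
    RoleGrant("admin", "carol", "reporting"),
]
```
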