3.4 Revoking privileges
Privileges or roles can be revoked from a user. Roles cannot be revoked from roles,
however. Only the grantor of a privilege (or role) or a DBA user can revoke that
privilege (or role).
REVOKE statements are similar to GRANT statements.
To revoke one or more privileges on a database object from one or more users or
roles, use:
REVOKE "privilege" | ALL
ON [DOCUMENT|COLLECTION] "database-object-name"
FROM "user-name|role-name" | PUBLIC
If the kind of the database object (DOCUMENT or COLLECTION) is not specified,
the database object is considered to be a document.
To revoke one or more privileges on a database from one or more users or roles,
use:
REVOKE "privilege" | ALL
ON DATABASE
FROM "user-name|role-name" | PUBLIC
To revoke a role from one or more users, use:
REVOKE "role-name"
FROM "user-name" | PUBLIC
As mentioned above, a DBA user is a user that has the "DBA" role. Thus, "DBA" is a
reserved role name: a role named "DBA" cannot be created, and privileges or roles
cannot be granted to the "DBA" role.
A DBA user can grant the "DBA" role to another user, thus making that user also a
DBA user. This is not recommended, as multiple powerful users of a database can make
database administration difficult and can lead to insecure usage of the database and
database objects.