REVOKE
Remove privileges or roles. Learn how to withdraw previously granted permissions from users or roles to restrict access and secure the database.
The REVOKE statement enables system administrators to revoke privileges (or roles - see ) from MariaDB accounts. Each account is named using the same format as for the GRANT statement; for example, jeffrey@localhost. If you specify only the user name part of the account name, a host name part of % is used. For details on the levels at which privileges exist, the available priv_type and priv_level values, and the syntax for specifying users and passwords, see .
To use the first syntax (REVOKE ... ON ... FROM ...), you must have the GRANT OPTION privilege, and you must have the privileges that you are revoking. Also, remember to specify the ON clause (in many cases, ON *.* to revoke privileges for all objects):
This leaves the USAGE privilege, and can leave other privileges, too. For that reason, the second syntax (REVOKE ALL PRIVILEGES, GRANT OPTION FROM ...) is preferable, which drops all global, database, table, column, and routine privileges for the named user or users:
To use this REVOKE syntax, you must have the global privilege or the privilege for the mysql database. See . For that syntax, the ON *.* clause must not be used (it yields an error).
Revoking a particular privilege (SUPER):
Revoking all privileges (on all objects – note you must specify ON *.*):
Revoking all privileges and the GRANT option (note that ON *.* cannot be specified here):
REVOKE is also used to remove a from a user or another role that it's previously been assigned to. If a role has previously been set as a , REVOKE does not remove the record of the default role from the table. If the role is subsequently granted again, it will again be the user's default. Use to explicitly remove this.
REVOKE role is also permitted in .
REVOKE role is not permitted in .
The REVOKE PROXY syntax removes the ability for one user to proxy as another.
This page is licensed: GPLv2, originally from