REVOKE
- Capella Operational
- reference
The REVOKE statement allows revoking of any RBAC roles from specific users or groups.
Roles can be of the following two types:
- simple
-
Roles which apply generically to all keyspaces/resources in the cluster.
For example:
cluster_adminorbucket_admin - parameterized by a keyspace
-
Roles which are defined for the context of the specified keyspace only. Specify the keyspace name after the keyword ON.
The keyspace must be fully qualified and must include the bucket, scope, and collection names. Even if you’re revoking a role from an entire bucket, you must specify the default scope (
_default) and default collection (_default). Using only the bucket name is not sufficient.For example:
data_reader ON `travel-sample`.`_default`.`_default`
orquery_select ON `travel-sample`.`inventory`.`airline`
To run the REVOKE statement, you must be an Organization Owner or Project Owner.
|
Syntax
revoke ::= revoke-user | revoke-group
revoke-user ::= 'REVOKE' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )?
'FROM' ( 'USER' | 'USERS' )? user ( ',' user )*
revoke-group ::= 'REVOKE' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )?
'FROM' ( 'GROUP' | 'GROUPS' ) group ( ',' group )*
| role |
One of the RBAC role names predefined by Couchbase Capella. For the following roles, you can use their short forms as well:
|
| keyspace-ref | |
| user |
A user name created by the Couchbase Capella RBAC system. |
Keyspace Reference
keyspace-ref ::= keyspace-path | keyspace-partial
keyspace-path ::= ( namespace ':' )? bucket ( '.' scope '.' collection )?
keyspace-partial ::= collection
The simple name or fully qualified name of a keyspace. For more information about the syntax, see the CREATE INDEX statement.
Examples
REVOKE cluster_admin FROM david, michael, robinREVOKE query_select, query_update
ON `travel-sample`.`_default`.`_default`
FROM debbyREVOKE query_update
ON `travel-sample`.`inventory`.`hotel`
FROM GROUP sales