A newer version of this documentation is available.

View Latest


    The REVOKE statement allows revoking of any RBAC roles from specific users.

    Roles can be of the following two types:


    Roles which apply generically to all buckets/resources in the cluster.

    For example: ClusterAdmin or BucketAdmin

    parameterized by a bucket

    Roles which are defined for the scope of the specified bucket only. The bucket name is specified after ON.

    For example: BucketReader ON `travel-sample`

    or Query_Select ON `travel-sample`

    Only Full Administrators can run the REVOKE statement. For more details about user roles, see Authorization.


    REVOKE role1 [, role2, ...]
        ON bucket1 [, bucket2, ...]
      FROM user1 [, user2, ...]


    RBAC-role is one of the RBAC role names predefined by Couchbase Server.

    RBAC-user is the user name created by the Couchbase Server RBAC system.

    The following roles have short forms that can be used as well:

    • query_select → select

    • query_insert → insert

    • query_update → update

    • query_delete → delete


    The name of your Couchbase or Memcached bucket or buckets.


    RBAC-user in your bucket.

    Example 1: Revoke the role of ClusterAdmin from three people.

    REVOKE ClusterAdmin FROM david, michael, robin

    Example 2: Revoke the roles of ClusterAdmin and QueryUpdate in the travel sample bucket from debby.

    REVOKE ClusterAdmin, QueryUpdate
        ON `travel-sample`
      FROM debby