A newer version of this documentation is available.

View Latest


The REVOKE statement allows revoking of any RBAC roles from specific users.

Roles can be of the following two types:


Roles which apply generically to all buckets/resources in the cluster.

For example: ClusterAdmin or BucketAdmin

parameterized by a bucket

Roles which are defined for the scope of the specified bucket only. The bucket name is specified after ON.

For example: BucketReader ON `travel-sample`

or Query_Select ON `travel-sample`

Only Full Administrators can run the REVOKE statement. For more details about user roles, see Authorization.


REVOKE role1 [, role2, ...]
    ON bucket1 [, bucket2, ...]
  FROM user1 [, user2, ...]


RBAC-role is one of the RBAC role names predefined by Couchbase Server.

RBAC-user is the user name created by the Couchbase Server RBAC system.

The following roles have short forms that can be used as well:

  • query_select → select

  • query_insert → insert

  • query_update → update

  • query_delete → delete


The name of your Couchbase or Memcached bucket or buckets.


RBAC-user in your bucket.

Example 1: Revoke the role of ClusterAdmin from three people.

REVOKE ClusterAdmin FROM david, michael, robin

Example 2: Revoke the roles of ClusterAdmin and QueryUpdate in the travel sample bucket from debby.

REVOKE ClusterAdmin, QueryUpdate
    ON `travel-sample`
  FROM debby