A newer version of this documentation is available.

View Latest

REVOKE

  • reference
    +
    The REVOKE statement allows revoking of any RBAC roles from specific users.

    Roles can be of the following two types:

    simple

    Roles which apply generically to all keyspaces/resources in the cluster.

    For example: ClusterAdmin or BucketAdmin

    parameterized by a keyspace

    Roles which are defined for the scope of the specified keyspace only. The keyspace name is specified after ON.

    For example: DataReader ON `travel-sample`
    or Query_Select ON `travel-sample`

    Only Full Administrators can run the REVOKE statement. For more details about user roles, see Authorization.

    Syntax

    revoke ::= REVOKE role [ ',' role ]* [ ON keyspace-ref [ ',' keyspace-ref ]* ] FROM user [ ',' user ]*
    'REVOKE' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )? 'FROM' user ( ',' user )*
    role

    One of the RBAC role names predefined by Couchbase Server.

    The following roles have short forms that can be used as well:

    • query_selectselect

    • query_insertinsert

    • query_updateupdate

    • query_deletedelete

    user

    A user name created by the Couchbase Server RBAC system.

    Keyspace Reference

    keyspace-ref ::= keyspace-path | keyspace-partial
    keyspace-path | keyspace-partial
    keyspace-path ::= [ namespace ':' ] bucket [ '.' scope '.' collection ]
    ( namespace ':' )? bucket ( '.' scope '.' collection )?
    keyspace-partial ::= collection
    collection

    The simple name or fully-qualified name of a keyspace. Refer to the CREATE INDEX statement for details of the syntax.

    Examples

    Example 1. Revoke the role of ClusterAdmin from three people
    REVOKE ClusterAdmin FROM david, michael, robin
    Example 2. Revoke the roles of ClusterAdmin and QueryUpdate in the travel-sample keyspace from debby
    REVOKE ClusterAdmin, QueryUpdate
        ON `travel-sample`
      FROM debby