REVOKE

March 16, 2025
The REVOKE statement removes one or more RBAC roles from specific users.

Roles can be of the following two types:

simple

Roles which apply generically to all keyspaces/resources in the cluster.

For example: ClusterAdmin or BucketAdmin

parameterized by a keyspace

Roles which are defined for the scope of the specified keyspace only. The keyspace name is specified after ON.

For example: DataReader ON `travel-sample`
or Query_Select ON `travel-sample`

Only Full Administrators can run the REVOKE statement. For more details about user roles, see Authorization.

Syntax

revoke ::= 'REVOKE' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )?
           'FROM' user ( ',' user )*
role

One of the RBAC role names predefined by Couchbase Server.

The following roles have short forms that can be used as well:

  • query_select → select

  • query_insert → insert

  • query_update → update

  • query_delete → delete

user

A user name created by the Couchbase Server RBAC system.

Keyspace Reference

keyspace-ref ::= keyspace-path | keyspace-partial
keyspace-path ::= ( namespace ':' )? bucket ( '.' scope '.' collection )?
keyspace-partial ::= collection

The simple name or fully-qualified name of a keyspace. Refer to the CREATE INDEX statement for details of the syntax.

Examples

Example 1. Revoke the role of ClusterAdmin from three people
sql++
REVOKE ClusterAdmin FROM david, michael, robin
Example 2. Revoke the roles of ClusterAdmin and QueryUpdate in the travel-sample keyspace from debby
sql++
REVOKE ClusterAdmin, QueryUpdate ON `travel-sample` FROM debby
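
When REVOKE statements are assembled by an offboarding or access-review script, the role, keyspace and user names are identifiers spliced into the statement text, so each one should be validated before the statement is built. The following Python sketch is an added example, not part of the Couchbase documentation: it follows the grammar in the Syntax section and reproduces the two statements above. The function names, the role allowlist (taken only from role names on this page) and the conservative name patterns are assumptions of the example.

```python
import re

# Assumption: allowlist holds only role names that appear on this page;
# replace it with the roles your cluster actually assigns.
ALLOWED_ROLES = {"ClusterAdmin", "BucketAdmin", "DataReader",
                 "Query_Select", "QueryUpdate"}
# Conservative patterns chosen for this example (stricter than the server).
USER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
PART_RE = re.compile(r"[A-Za-z0-9_%-]+")


def quote_keyspace(parts):
    """Render (bucket,) or (bucket, scope, collection) as a keyspace-path."""
    if len(parts) not in (1, 3):
        raise ValueError("keyspace must be bucket or bucket.scope.collection")
    for part in parts:
        # Backticks and dots are never accepted inside a component.
        if not PART_RE.fullmatch(part):
            raise ValueError(f"rejected keyspace component: {part!r}")
    return ".".join(f"`{part}`" for part in parts)


def build_revoke(roles, users, keyspaces=()):
    """Build REVOKE role(,role)* (ON keyspace(,keyspace)*)? FROM user(,user)*."""
    if not roles or not users:
        raise ValueError("at least one role and one user are required")
    for role in roles:
        if role not in ALLOWED_ROLES:
            raise ValueError(f"role not in allowlist: {role!r}")
    for user in users:
        if not USER_RE.fullmatch(user):
            raise ValueError(f"rejected user name: {user!r}")
    stmt = "REVOKE " + ", ".join(roles)
    if keyspaces:
        stmt += " ON " + ", ".join(quote_keyspace(k) for k in keyspaces)
    return stmt + " FROM " + ", ".join(users)


if __name__ == "__main__":
    # Constructed inputs mirroring the page's two examples.
    print(build_revoke(["ClusterAdmin"], ["david", "michael", "robin"]))
    print(build_revoke(["ClusterAdmin", "QueryUpdate"], ["debby"],
                       keyspaces=[("travel-sample",)]))
```

Any name that fails validation raises ValueError before a statement exists, so a rejected input never reaches the query service.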