Please use the form below to provide your feedback. Because your feedback is valuable to us, the information you submit in this form is recorded in our issue tracking system (JIRA), which is publicly available. You can track the status of your feedback using the ticket number displayed in the dialog once you submit the form.

REVOKE

  • reference
    +
    The REVOKE statement allows revoking of any RBAC roles from specific users or groups.

    Roles can be of the following two types:

    simple

    Roles which apply generically to all keyspaces/resources in the cluster.

    For example: cluster_admin or bucket_admin

    parameterized by a keyspace

    Roles which are defined for the context of the specified keyspace only. Specify the keyspace name after the keyword ON.

    The keyspace must be fully qualified and must include the bucket, scope, and collection names. Even if you’re revoking a role from an entire bucket, you must specify the default scope (_default) and default collection (_default). Using only the bucket name is not sufficient.

    For example: data_reader ON `travel-sample`.`_default`.`_default`
    or query_select ON `travel-sample`.`inventory`.`airline`

    Only Full Administrators can run the REVOKE statement. For more details about user roles, see Authorization.

    Syntax

    revoke ::= revoke-user | revoke-group
    Syntax diagram: refer to source code listing 
    revoke-user ::= 'REVOKE' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )?
           'FROM' ( 'USER' | 'USERS' )? user ( ',' user )*
    Syntax diagram: refer to source code listing 
    revoke-group ::= 'REVOKE' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )?
           'FROM' ( 'GROUP' | 'GROUPS' ) group ( ',' group )*
    Syntax diagram: refer to source code listing
    role

    One of the RBAC role names predefined by Couchbase Server.

    For the following roles, you can use their short forms as well:

    • query_selectselect

    • query_insertinsert

    • query_updateupdate

    • query_deletedelete
    keyspace-ref

    Keyspace Reference
    user

    A user name created by the Couchbase Server RBAC system.
    group

    A group name created by the Couchbase Server RBAC system.
    When revoking roles from users, the keyword USER or USERS is optional. However, when revoking roles from groups, you must include the keyword GROUP or GROUPS. You can use either the singular or plural form of these keywords as this does not affect the number of users or groups from which the role is revoked.

    Keyspace Reference

    keyspace-ref ::= keyspace-path | keyspace-partial
    Syntax diagram: refer to source code listing 
    keyspace-path ::= ( namespace ':' )? bucket ( '.' scope '.' collection )?
    Syntax diagram: refer to source code listing 
    keyspace-partial ::= collection
    Syntax diagram: refer to source code listing

    The simple name or fully qualified name of a keyspace. For more information about the syntax, see the CREATE INDEX statement.

    Examples

    Example 1. Revoke the Cluster Admin role from multiple users
    REVOKE cluster_admin FROM david, michael, robin
    Example 2. Revoke Query Select and Query Update roles on a keyspace from a specific user
    REVOKE query_select, query_update
  ON `travel-sample`.`_default`.`_default`
  FROM debby
    Example 3. Revoke the Query Update role on a keyspace from a specific group
    REVOKE query_update
  ON `travel-sample`.`inventory`.`hotel`
  FROM GROUP sales