The REVOKE statement allows revoking of any RBAC roles from specific users.

    Roles can be of the following two types:


    Roles which apply generically to all keyspaces/resources in the cluster.

    For example: ClusterAdmin or BucketAdmin

    parameterized by a keyspace

    Roles which are defined for the scope of the specified keyspace only. The keyspace name is specified after ON.

    For example: DataReader ON `travel-sample`
    or Query_Select ON `travel-sample`

    Only Full Administrators can run the REVOKE statement. For more details about user roles, see Authorization.


    revoke ::= REVOKE role [ ',' role ]* [ ON keyspace-ref [ ',' keyspace-ref ]* ] FROM user [ ',' user ]*
    'REVOKE' role ( ',' role )* ( 'ON' keyspace-ref ( ',' keyspace-ref )* )? 'FROM' user ( ',' user )*

    One of the RBAC role names predefined by Couchbase Server.

    The following roles have short forms that can be used as well:

    • query_selectselect

    • query_insertinsert

    • query_updateupdate

    • query_deletedelete


    A user name created by the Couchbase Server RBAC system.

    Keyspace Reference

    keyspace-ref ::= keyspace-path | keyspace-partial
    keyspace-path | keyspace-partial
    keyspace-path ::= [ namespace ':' ] bucket [ '.' scope '.' collection ]
    ( namespace ':' )? bucket ( '.' scope '.' collection )?
    keyspace-partial ::= collection

    The simple name or fully-qualified name of a keyspace. Refer to the CREATE INDEX statement for details of the syntax.


    Example 1. Revoke the role of ClusterAdmin from three people
    REVOKE ClusterAdmin FROM david, michael, robin
    Example 2. Revoke the roles of ClusterAdmin and QueryUpdate in the travel-sample keyspace from debby
    REVOKE ClusterAdmin, QueryUpdate
        ON `travel-sample`
      FROM debby