REVOKE CALLER¶
Revokes privileges that were previously granted to an executable owner using a caller grant.
Variations of the REVOKE CALLER command are as follows:
REVOKE CALLER — Revoke specific privileges on a specific object.
REVOKE ALL CALLER PRIVILEGES — Revoke all privileges on a specific object. The executable will not be able to run with any privileges from the caller when it tries to access the object.
REVOKE INHERITED CALLER — Revoke caller grants on all current and future objects of the same type when they share a common schema, database, or account. Only privileges in a specified list are revoked.
REVOKE ALL INHERITED CALLER PRIVILEGES — Revoke caller grants on all current and future objects of the same type when they share a common schema, database, or account. All privileges are revoked; the executable will not be able to run with any privileges from the caller.
Syntax¶
REVOKE CALLER <object_privilege> [ , <object_privilege> ... ]
ON <object_type> <object_name>
FROM { ROLE | DATABASE ROLE } <grantee_name>
REVOKE ALL CALLER PRIVILEGES
ON <object_type> <object_name>
FROM { ROLE | DATABASE ROLE } <grantee_name>
REVOKE INHERITED CALLER <object_privilege> [ , <object_privilege> ... ]
ON ALL <object_type_plural>
IN { ACCOUNT | DATABASE <db_name> | SCHEMA <schema_name> | APPLICATION <app_name> | APPLICATION PACKAGE <app_pkg_name> }
FROM { ROLE | DATABASE ROLE } <grantee_name>
REVOKE ALL INHERITED CALLER PRIVILEGES
ON ALL <object_type_plural>
IN { ACCOUNT | DATABASE <db_name> | SCHEMA <schema_name> | APPLICATION <app_name> | APPLICATION PACKAGE <app_pkg_name> }
FROM { ROLE | DATABASE ROLE } <grantee_name>
Parameters¶
object_privilege [ , object_privilege ... ]The object privileges that you want to revoke. Executables owned by the specified role can no longer run with these privileges. For a list of privileges for a specific object type, see Access control privileges.
Use a comma-delimited list to specify more than one object privilege.
ON object_type object_nameThe object, including its type, that you want to revoke privileges for. Use the singular form of
object_type, for example,TABLEorWAREHOUSE.ON ALL object_type_plural IN ACCOUNTor .ON ALL object_type_plural IN DATABASE db_nameor .ON ALL object_type_plural IN SCHEMA schema_nameor .ON ALL object_type_plural IN APPLICATION app_nameor .ON ALL object_type_plural IN APPLICATION PACKAGE app_pkg_nameRevokes privileges on all objects of a certain type. Use the plural form of the object type, for example,
TABLESorWAREHOUSES.You can use the REVOKE statement to revoke access to all objects in the current account or just to objects in the specified database, schema, application, or application package.
FROM ROLE grantee_nameor .FROM DATABASE ROLE grantee_nameExecutable owner who was previously granted a caller grant.
Access control requirements¶
A role used to execute this SQL command must have the following privileges at a minimum:
Privilege |
Object |
Notes |
|---|---|---|
MANAGE CALLER GRANTS |
Account |
The account-level MANAGE CALLER GRANTS privilege pertains to caller grants only. It does not allow you to revoke privileges from roles. |
Any privilege |
All specified objects |
You need at least one privilege on the objects specified in the REVOKE command. For example, revoking a caller grant on a table requires that you have at least one privilege on that table. |
For instructions on creating a custom role with a specified set of privileges, see Creating custom roles.
For general information about roles and privilege grants for performing SQL actions on securable objects, see Overview of Access Control.
Examples¶
Executables owned by owner_role can no longer run with the caller’s privileges when they access views in the current account.
REVOKE ALL INHERITED CALLER PRIVILEGES ON ALL VIEWS IN ACCOUNT FROM ROLE owner_role;
Executables owned by owner_role can no longer run with the USAGE privilege when they access the db.sch1 schema.
REVOKE CALLER USAGE ON SCHEMA db.sch1 FROM ROLE owner_role;