The REVOKE command has the following functions:

  1. Revoke the specified permission of a user or a role.
  2. Revoke the specified role previously granted to a user.

Note: "Revoke the specified roles previously granted to a user" is supported in versions 2.0 and later.

    REVOKE privilege_list ON db_name[.tbl_name] FROM user_identity [ROLE role_name]

    REVOKE privilege_list ON RESOURCE resource_name FROM user_identity [ROLE role_name]

    REVOKE role_list FROM user_identity


The user_identity syntax here is the same as in CREATE USER, and it must be a user_identity that was created with CREATE USER. The host in user_identity can be a domain name. If it is a domain name, the revocation of permissions may be delayed by about 1 minute.

It is also possible to revoke permissions from a specified ROLE; the specified ROLE must exist.

role_list is the list of roles to be revoked, separated by commas. The specified roles must exist.


  1. Revoke user jack's permission on database testDb

    REVOKE SELECT_PRIV ON db1.* FROM 'jack'@'192.%';

  2. Revoke user jack's permission on resource spark_resource

    REVOKE USAGE_PRIV ON RESOURCE 'spark_resource' FROM 'jack'@'192.%';

  3. Revoke the roles role1 and role2 previously granted to jack

    REVOKE 'role1','role2' FROM 'jack'@'192.%';
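
The following added example (not part of the original documentation) combines the three forms above into one revocation sequence with a check before and after. It assumes version 2.0 or later, that 'jack'@'192.%' already exists, and that a user's effective permissions are the union of direct grants and grants held through roles; `analyst_role` is a hypothetical role name and the starting state is constructed for illustration.

```sql
-- Constructed starting state: jack holds SELECT_PRIV on db1 twice,
-- once directly and once through the hypothetical role analyst_role.
CREATE ROLE analyst_role;
GRANT SELECT_PRIV ON db1.* TO ROLE 'analyst_role';
GRANT SELECT_PRIV ON db1.* TO 'jack'@'192.%';
GRANT 'analyst_role' TO 'jack'@'192.%';

-- 1. Record what jack holds before changing anything.
SHOW GRANTS FOR 'jack'@'192.%';

-- 2. Remove the direct grant. On its own this is not enough here:
--    analyst_role still carries SELECT_PRIV on db1 for jack.
REVOKE SELECT_PRIV ON db1.* FROM 'jack'@'192.%';

-- 3a. Take the role away from jack only; other holders of the role keep it.
REVOKE 'analyst_role' FROM 'jack'@'192.%';

-- 3b. Alternatively, remove the permission from the role itself,
--     which affects every user the role is granted to.
REVOKE SELECT_PRIV ON db1.* FROM ROLE 'analyst_role';

-- 4. Confirm that neither the direct grant nor the role remains.
SHOW GRANTS FOR 'jack'@'192.%';
```

If the host part of the user_identity is a domain name, allow for the delay of about 1 minute noted above before relying on the output of step 4.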



Best Practice​