Skip to main content



The REVOKE command has the following functions:

  1. Revoke the specified permission of a user or a role.
  2. Revoke the specified role previously granted to a user.

Related Commands


Revoke the specified permission of a user or a role

REVOKE <privilege_list> 
ON { <priv_level>
| RESOURCE <resource_name>
| WORKLOAD GROUP <workload_group_name>
FROM { <user_identity> | ROLE <role_name> }

Revoke the specified role previously granted to a user

REVOKE <role_list> FROM <user_identity> 

Required Parameters​

1. <privilege_list>

A comma-separated list of privileges to be revoked. Supported privileges include:

  • NODE_PRIV: Cluster node operation permissions
  • ADMIN_PRIV: Administrator privileges
  • GRANT_PRIV: Authorization privileges
  • SELECT_PRIV: Query privileges
  • LOAD_PRIV: Data import privileges
  • ALTER_PRIV: Modify privileges
  • CREATE_PRIV: Create privileges
  • DROP_PRIV: Delete privileges
  • USAGE_PRIV: Usage privileges
  • SHOW_VIEW_PRIV: View definition privileges

2. <priv_level>

Specifies the scope of the privileges. Supported formats include:

  • ..*: All catalogs, databases, and tables
  • catalog_name..: Specifies all databases and tables in the specified catalog
  • catalog_name.db.*: Specifies all tables in the specified database
  • catalog_name.db.tbl: Specifies a specific table in the specified database

3. <resource_name>

Specifies the resource name. Supports % (matches any string) and _ (matches any single character) wildcard characters.

4. <workload_group_name>

Specifies the workload group name. Supports % (matches any string) and _ (matches any single character) wildcard characters.

5. <user_identity>

Specifies the user identity. The user must be a user created with the CREATE USER statement. The host part of the user identity can be a domain name, and the permission revocation time may have a delay of 1 minute for domain names.

6. <role_name>

Specifies the role name. The role must exist.

7. <role_list>

A comma-separated list of roles to be revoked. All specified roles must exist.

Access Control Requirements​

Users executing this SQL command must have at least the following privileges:

GRANT_PRIVUser or RoleOnly users or roles with the GRANT_PRIV privilege can perform the GRANT operation.


  • Revoke the SELECT privilege on a specific database from a user:

    REVOKE SELECT_PRIV ON db1.* FROM 'jack'@'192.%';
  • Revoke the usage privilege on a specific resource from a user:

    REVOKE USAGE_PRIV ON RESOURCE 'spark_resource' FROM 'jack'@'192.%';
  • Revoke roles from a user:

    REVOKE 'role1','role2' FROM 'jack'@'192.%';
  • Revoke the usage privilege on a specific workload group from a user:

  • Revoke the usage privilege on all workload groups from a user:

  • Revoke roles from a user:

    REVOKE 'role1','role2' FROM ROLE 'test_role';