[postgresql] / doc / src / sgml / ref / revoke.sgml

<!--
$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.19 2001/12/08 03:24:39 thomas Exp $
PostgreSQL documentation
-->

<refentry id="SQL-REVOKE">
 <refmeta>
  <refentrytitle id="sql-revoke-title">REVOKE</refentrytitle>
  <refmiscinfo>SQL - Language Statements</refmiscinfo>
 </refmeta>

 <refnamediv>
  <refname>REVOKE</refname>
  <refpurpose>remove access privileges</refpurpose>
 </refnamediv>

 <refsynopsisdiv>
<synopsis>
REVOKE { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER } [,...] | ALL [ PRIVILEGES ] }
    ON [ TABLE ] <replaceable class="PARAMETER">object</replaceable> [, ...]
    FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
</synopsis>
 </refsynopsisdiv>

 <refsect1 id="SQL-REVOKE-description">
  <title>Description</title>

  <para>
   <command>REVOKE</command> allows the creator of an object to revoke
   previously granted permissions from one or more users or groups of users.
   The key word <literal>PUBLIC</literal> refers to the implicitly defined
   group of all users.
  </para>

  <para>
   Note that any particular user will have the sum
   of privileges granted directly to him, privileges granted to any group he
   is presently a member of, and privileges granted to
   <literal>PUBLIC</literal>.  Thus, for example, revoking SELECT privilege
   from <literal>PUBLIC</literal> does not necessarily mean that all users
   have lost SELECT privilege on the object: those who have it granted
   directly or via a group will still have it.
  </para>

  <para>
   See the description of the <xref linkend="sql-grant" endterm="sql-grant-title"> command for
   the meaning of the privilege types.
  </para>
 </refsect1>

 <refsect1 id="SQL-REVOKE-notes">
  <title>Notes</title>

  <para>
   Use <xref linkend="app-psql">'s <command>\z</command> command to
   display the privileges granted on existing objects.  See also <xref
   linkend="sql-grant"> for information about the format.
  </para>
 </refsect1>

 <refsect1 id="SQL-REVOKE-examples">
  <title>Examples</title>

  <para>
   Revoke insert privilege for the public on table
   <literal>films</literal>:

<programlisting>
REVOKE INSERT ON films FROM PUBLIC;
</programlisting>
  </para>

  <para>
   Revoke all privileges from user <literal>manuel</literal> on view <literal>kinds</literal>:

<programlisting>  
REVOKE ALL PRIVILEGES ON kinds FROM manuel;
</programlisting>
  </para>
 </refsect1>

 <refsect1 id="SQL-REVOKE-compatibility">
  <title>Compatibility</title>

  <refsect2>
   <title>SQL92</title>

   <para>
    The compatibility notes of the <xref linkend="sql-grant" endterm="sql-grant-title"> command
    apply analogously to <command>REVOKE</command>.  The syntax summary is:

<synopsis>
REVOKE [ GRANT OPTION FOR ] { SELECT | INSERT | UPDATE | DELETE | REFERENCES }
    ON <replaceable class="parameter">object</replaceable> [ ( <replaceable class="parameter">column</replaceable> [, ...] ) ]
    FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] }
    { RESTRICT | CASCADE }
</synopsis>
   </para>

   <para> 
    If user1 gives a privilege WITH GRANT OPTION to user2,
    and user2 gives it to user3 then user1 can revoke
    this privilege in cascade using the CASCADE keyword.
    If user1 gives a privilege WITH GRANT OPTION to user2,
    and user2 gives it to user3, then if user1 tries to revoke
    this privilege it fails if he specifies the RESTRICT
    keyword.
   </para>
  </refsect2>
 </refsect1>

 <refsect1>
  <title>See Also</title>

  <simpara>
   <xref linkend="sql-grant">
  </simpara>
 </refsect1>

</refentry>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:nil
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:"../reference.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:"/usr/lib/sgml/catalog"
sgml-local-ecat-files:nil
End:
-->