REVOKE FROM USER

Access to Dremio objects can be managed by revoking privileges from users. A privilege is the right to perform a specific action on an object.

Syntax

REVOKE { objectPrivilege | ALL } ON { <object_type> <object_name> }
FROM USER <username>

Syntax for revoking privileges on all folders in an Arctic catalog

REVOKE { objectPrivilege } ON ALL FOLDERS IN CATALOG { <object_name> }
FROM USER <username>

Syntax for revoking privileges on all tables and views in an Arctic catalog

REVOKE { objectPrivilege } ON ALL DATASETS IN CATALOG { <object_name> }
FROM USER <username>

note

The DELETE, INSERT, TRUNCATE, and UPDATE privileges are supported only for Iceberg tables.

The CREATE TABLE and DROP privileges are supported only for sources that support mutability.

objectPrivilege

-- On Organizations
{ CONFIGURE SECURITY | CONFIGURE BILLING | CREATE CATALOG | CREATE CLOUD | CREATE PROJECT | CREATE ROLE | CREATE USER | MANAGE GRANTS } [, ...]
-- On Clouds
{ MANAGE GRANTS | MODIFY | MONITOR } [, ...]
-- On Projects
{ ALTER | ALTER REFLECTION | CREATE SOURCE | CREATE TABLE | DELETE | DROP | EXTERNAL QUERY | INSERT | MANAGE GRANTS | MODIFY | MONITOR | OPERATE | SELECT | UPDATE | USAGE | VIEW JOB HISTORY | VIEW REFLECTION } [, ...]
-- On Engines
{ MANAGE GRANTS | MODIFY | MONITOR | OPERATE | USAGE } [, ...]
-- On Identity and Token Providers
{ MODIFY | MONITOR | OPERATE } [, ...]
-- On non-Arctic Sources
{ ALTER | ALTER REFLECTION | CREATE TABLE | DELETE | DROP | EXTERNAL QUERY | INSERT | MANAGE GRANTS | MODIFY | SELECT | TRUNCATE | UPDATE | VIEW REFLECTION } [, ...]
-- On Folders
{ ALTER | ALTER REFLECTION | CREATE TABLE | DELETE | DROP | INSERT | MANAGE GRANTS | OWNERSHIP | SELECT | SHOW | TRUNCATE | UPDATE | VIEW REFLECTION } [, ...]
-- On Tables in non-Arctic sources
{ ALTER | DELETE | INSERT | MANAGE GRANTS | OWNERSHIP | SELECT | TRUNCATE | UPDATE } [, ...]
-- On Views in non-Arctic sources
{ ALTER | DELETE | INSERT | MANAGE GRANTS | OWNERSHIP | SELECT | TRUNCATE | UPDATE } [, ...]
-- On Scripts
{ VIEW | MODIFY | DELETE | MANAGE GRANTS }
-- On Arctic catalogs and sources
{ COMMIT | CREATE BRANCH | CREATE TAG | MANAGE GRANTS | OWNERSHIP | USAGE | MODIFY }
-- On Tables in Arctic catalogs
{ ALTER REFLECTION | MANAGE GRANTS | SELECT | VIEW REFLECTION | WRITE }
-- On Views in Arctic catalogs
{ ALTER REFLECTION | MANAGE GRANTS | SELECT | VIEW REFLECTION | WRITE }

Parameters

<objectPrivilege> String

The privilege(s) to be revoked from the user. A comma-separated list of privileges can be specified. For more information, read Privileges.

<object_type> String

The name of the type of object for which the specified privilege is being revoked.

<object_name> String

The name of the object for which the privilege is being revoked. Object names need to be qualified with the path if they are nested.

note

For <object_type> ORG or PROJECT, the <object_name> is inferred and should be omitted from the statement.

AT { REF[ERENCE] | BRANCH | TAG | COMMIT } <refValue> String Optional

For tables and views in an Arctic catalog, reference to the specific branch, tag, or commit in the catalog where you want to run the SQL command. If you do not specify a reference value in the command for a table or view in an Arctic catalog, the command runs on the catalog's default branch

<username> String

The username of the user from which the privilege is being revoked.

Examples

Revoke SELECT privilege on the project from the user

REVOKE SELECT
ON PROJECT
FROM USER "user@dremio.com"

Revoke SELECT and EXTERNAL QUERY privileges on a source from a user

REVOKE SELECT, EXTERNAL QUERY
ON SOURCE rdbms
FROM USER "user@dremio.com"

Revoke VIEW JOB HISTORY privilege from a user

REVOKE VIEW JOB HISTORY ON SYSTEM FROM USER "user@dremio.com"

Revoke OWNERSHIP privilege on an Arctic catalog or source from a user

REVOKE OWNERSHIP ON CATALOG prodCatalog FROM USER "user@dremio.com"

Revoke SHOW privilege on all folders in an Arctic catalog

REVOKE SHOW ON ALL FOLDERS IN CATALOG prodCatalog FROM USER "user@dremio.com"

Revoke SELECT privilege on all tables and views in an Arctic catalog

REVOKE SELECT ON ALL DATASETS IN CATALOG arcticCat1
FROM USER "user@dremio.com"

Parameters​

Examples​

Parameters

Examples