REVOKE FROM ROLE
Access to Dremio objects can be managed by revoking privileges from roles. A privilege is the right to perform a specific action on an object.
SyntaxREVOKE { objectPrivilege | ALL } ON { <object_type> <object_name> }
FROM ROLE <role_name>
-- On Organizations
{ CONFIGURE SECURITY | CREATE CATALOG | CREATE CLOUD | CREATE PROJECT | MANAGE GRANTS } [, ...]
-- On Clouds
{ MANAGE GRANTS | MODIFY | MONITOR } [, ...]
-- On Projects
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | MONITOR | OPERATE | SELECT | VIEW REFLECTION | USAGE | VIEW JOB HISTORY } [, ...]
-- On Engines
{ MODIFY | MONITOR | OPERATE | USAGE } [, ...]
-- On Identity and Token Providers
{ MODIFY | MONITOR | OPERATE | USAGE } [, ...]
-- On Sources
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | EXTERNAL QUERY | MANAGE GRANTS | MODIFY | SELECT } [, ...]
-- On Spaces
{ ALTER | ALTER REFLECTION | MANAGE GRANTS | MODIFY | SELECT } [, ...]
-- On Folders
{ ALTER | ALTER REFLECTION | CREATE TABLE | DROP | MANAGE GRANTS | SELECT } [, ...]
-- On Tables
{ ALTER | MANAGE GRANTS } [, ...]
-- On Views
{ ALTER | MANAGE GRANTS } [, ...]
Parameters
<objectPrivilege>
String
The privilege(s) to be revoked from the role. A comma-separated list of privileges can be specified. For more information, read all supported privileges.
<object_type>
String
The name of the type of object for which the specified privilege is being revoked.
<object_name>
String
The name of the object for which the privilege is being revoked. Object names need to be qualified with the path if they are nested.
note:
For <object_type> ORG or PROJECT, the <object_name> is inferred and should be omitted from the statement.
<role_name>
String
The name of the role from which the privilege is being revoked.
Examples
Revoke MODIFY and MONITOR privileges on a cloud from a roleREVOKE MODIFY, MONITOR
ON CLOUD "Default Cloud"
FROM ROLE "DATA_ENGINEER"
REVOKE CREATE CLOUD
ON ORG
FROM ROLE "DATA_ENGINEER"