postgres/doc/src/sgml/ref/revoke.sgml

<!--
$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.13 2000/12/25 23:15:26 petere Exp $
Postgres documentation
-->

<refentry id="SQL-REVOKE">
 <refmeta>
  <refentrytitle id="SQL-REVOKE-TITLE">
   REVOKE
  </refentrytitle>
  <refmiscinfo>SQL - Language Statements</refmiscinfo>
 </refmeta>
 <refnamediv>
  <refname>
   REVOKE
  </refname>
  <refpurpose>
   Revokes access privilege from a user, a group or all users.
  </refpurpose>
 </refnamediv>
 <refsynopsisdiv>
  <refsynopsisdivinfo>
   <date>1999-07-20</date>
  </refsynopsisdivinfo>
  <synopsis>
REVOKE <replaceable class="PARAMETER">privilege</replaceable> [, ...]
    ON <replaceable class="PARAMETER">object</replaceable> [, ...]
    FROM { PUBLIC | GROUP <replaceable class="PARAMETER">groupname</replaceable> | <replaceable class="PARAMETER">username</replaceable> }
  </synopsis>

  <refsect2 id="R2-SQL-REVOKE-1">
   <refsect2info>
    <date>1998-09-24</date>
   </refsect2info>
   <title>
    Inputs
   </title>
   <para>

    <variablelist>
     <varlistentry>
      <term><replaceable class="PARAMETER">privilege</replaceable></term>
      <listitem>
       <para>
	The possible privileges are:

	<variablelist>
	 <varlistentry>
	  <term>SELECT</term>
	  <listitem>
	   <para>
	    Privilege to access all of the columns of a specific
	    table/view.
	   </para>
	  </listitem>
	 </varlistentry>

	 <varlistentry>
	  <term>INSERT</term>
	  <listitem>
	   <para>
	    Privilege to insert data into all columns of a
	    specific table.
	   </para>
	  </listitem>
	 </varlistentry>

	 <varlistentry>
	  <term>UPDATE</term>
	  <listitem>
	   <para>
	    Privilege to update all columns of a specific
	    table.
	   </para>
	  </listitem>
	 </varlistentry>

	 <varlistentry>
	  <term>DELETE</term>
	  <listitem>
	   <para>
	    Privilege to delete rows from a specific table.
	   </para>
	  </listitem>
	 </varlistentry>

	 <varlistentry>
	  <term>RULE</term>
	  <listitem>
	   <para>
	    Privilege to define rules on table/view.
	    (See 
	    <xref linkend="sql-createrule" endterm="sql-createrule-title">).
	   </para>
	  </listitem>
	 </varlistentry>

	 <varlistentry>
	  <term>ALL</term>
	  <listitem>
	   <para>
	    Rescind all privileges.
	   </para>
	  </listitem>
	 </varlistentry>
	</variablelist>
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><replaceable class="PARAMETER">object</replaceable></term>
      <listitem>
       <para>
	The name of an object from which to revoke access.

	The possible objects are:
	<itemizedlist spacing="compact" mark="bullet">
	 <listitem>
	  <para>
	   table 
	  </para>
	 </listitem>

	 <listitem>
	  <para>
	   view 
	  </para>
	 </listitem>

	 <listitem>
	  <para>
	   sequence
	  </para>
	 </listitem>

	</itemizedlist>
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><replaceable class="PARAMETER">group</replaceable></term>
      <listitem>
       <para>
	The name of a group from whom to revoke privileges.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><replaceable class="PARAMETER">username</replaceable></term>
      <listitem>
       <para>
	The name of a user from whom revoke privileges. Use the PUBLIC keyword
	to specify all users.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term>PUBLIC</term>
      <listitem>
       <para>
	Rescind the specified privilege(s) for all users.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
   </para>
  </refsect2>

  <refsect2 id="R2-SQL-REVOKE-2">
   <refsect2info>
    <date>1998-09-24</date>
   </refsect2info>
   <title>
    Outputs
   </title>
   <para>

    <variablelist>
     <varlistentry>
      <term><computeroutput>
CHANGE
       </computeroutput></term>
      <listitem>
       <para>
	Message returned if successfully.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term><computeroutput>
ERROR
       </computeroutput></term>
      <listitem>
       <para>
	Message returned if object is not available or impossible
	to revoke privileges from a group or users.
       </para>
      </listitem>
     </varlistentry>		  
    </variablelist>
   </para>
  </refsect2>
 </refsynopsisdiv>

 <refsect1 id="R1-SQL-REVOKE-1">
  <refsect1info>
   <date>1998-09-24</date>
  </refsect1info>
  <title>
   Description
  </title>
  <para>
   <command>REVOKE</command> allows creator of an object to revoke permissions granted
   before, from all users (via PUBLIC) or a certain user or group.
  </para>

  <refsect2 id="R2-SQL-REVOKE-3">
   <refsect2info>
    <date>1998-09-24</date>
   </refsect2info>
   <title>
    Notes
   </title>
   <para>
    Refer to psql \z command for further information about permissions 
    on existing objects:

    <programlisting>
Database    = lusitania
+------------------+---------------------------------------------+
|  Relation        |        Grant/Revoke Permissions             |
+------------------+---------------------------------------------+
| mytable          | {"=rw","miriam=arwR","group todos=rw"}      |
+------------------+---------------------------------------------+
Legend:
     uname=arwR -- privileges granted to a user
     group gname=arwR -- privileges granted to a GROUP
     =arwR -- privileges granted to PUBLIC
		  
     r -- SELECT
     w -- UPDATE/DELETE
     a -- INSERT
     R -- RULE
     arwR -- ALL
    </programlisting>
   </para>
   <tip>
    <para>
     Currently, to create a GROUP you have to insert 
     data manually into table pg_group as:

     <programlisting>
INSERT INTO pg_group VALUES ('todos');
CREATE USER miriam IN GROUP todos;
     </programlisting>
    </para>
   </tip>

  </refsect2>
 </refsect1>

 <refsect1 id="R1-SQL-REVOKE-2">
  <title>
   Usage
  </title>
  <para>
   Revoke insert privilege from all users on table
   <literal>films</literal>:

   <programlisting>
REVOKE INSERT ON films FROM PUBLIC;
  </programlisting>
  </para>

  <para>
   Revoke all privileges from user <literal>manuel</literal> on view <literal>kinds</literal>:

   <programlisting>  
REVOKE ALL ON kinds FROM manuel;
   </programlisting>
  </para>
 </refsect1>

 <refsect1 id="R1-SQL-REVOKE-3">
  <title>
   Compatibility
  </title>

  <refsect2 id="R2-SQL-REVOKE-4">
   <refsect2info>
    <date>1998-09-01</date>
   </refsect2info>
   <title>
    SQL92
   </title>

   <para>
    The SQL92 syntax for <command>REVOKE</command>
    has additional capabilities for rescinding
    privileges, including those on individual columns in tables:

    <variablelist>
     <varlistentry>
      <term>
       <synopsis>
REVOKE { SELECT | DELETE | USAGE | ALL PRIVILEGES } [, ...]
    ON <replaceable class="parameter">object</replaceable>
    FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] } { RESTRICT | CASCADE }
REVOKE { INSERT | UPDATE | REFERENCES } [, ...] [ ( <replaceable class="parameter">column</replaceable> [, ...] ) ]
    ON <replaceable class="parameter">object</replaceable>
    FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] } { RESTRICT | CASCADE }
       </synopsis>
      </term>
      <listitem>
       <para>
	Refer to
	<xref linkend="sql-grant" endterm="sql-grant-title">
	for details on individual fields.
       </para>
      </listitem>
     </varlistentry>

     <varlistentry>
      <term>
       <synopsis>
REVOKE GRANT OPTION FOR <replaceable class="parameter">privilege</replaceable> [, ...]
    ON <replaceable class="parameter">object</replaceable>
    FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] } { RESTRICT | CASCADE }
       </synopsis>
      </term>
      <listitem>
       <para>
	Rescinds authority for a user to grant the specified privilege
	to others.
	Refer to
	<xref linkend="sql-grant" endterm="sql-grant-title">
	for details on individual fields.
       </para>
      </listitem>
     </varlistentry>
    </variablelist>
   </para>

   <para>
    The possible objects are:
    <simplelist>
     <member>
      [ TABLE ] table/view
     </member>
     <member>
      CHARACTER SET character-set
     </member>
     <member>
      COLLATION collation
     </member>
     <member>
      TRANSLATION translation
     </member>
     <member>
      DOMAIN domain
     </member>
    </simplelist>
   </para>

   <para> 
    If user1 gives a privilege WITH GRANT OPTION to user2,
    and user2 gives it to user3 then user1 can revoke
    this privilege in cascade using the CASCADE keyword.
   </para>

   <para>
    If user1 gives a privilege WITH GRANT OPTION to user2,
    and user2 gives it to user3, then if user1 tries to revoke
    this privilege it fails if he specify the RESTRICT
    keyword.
   </para>
  </refsect2>
 </refsect1>
</refentry>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:nil
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
sgml-parent-document:nil
sgml-default-dtd-file:"../reference.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:"/usr/lib/sgml/catalog"
sgml-local-ecat-files:nil
End:
-->