Rechercher dans le manuel MySQL
13.7.1.8 REVOKE Syntax
- priv_type [(column_list)]
- [, priv_type [(column_list)]] ...
- user_or_role: {
- | role (see Section 6.2.5, “Specifying Role Names”.
- }
The REVOKE
statement enables
system administrators to revoke privileges and roles, which can
be revoked from user accounts and roles.
For details on the levels at which privileges exist, the
permissible priv_type
,
priv_level
, and
object_type
values, and the syntax
for specifying users and passwords, see Section 13.7.1.6, “GRANT Syntax”.
For information about roles, see Section 6.2.10, “Using Roles”.
When the read_only
system
variable is enabled, REVOKE
requires the CONNECTION_ADMIN
or
SUPER
privilege in addition to
any other required privileges described in the following
discussion.
REVOKE
either succeeds for all
named users and roles or rolls back and has no effect if any
error occurs. The statement is written to the binary log only if
it succeeds for all named users and roles.
Each account name uses the format described in Section 6.2.4, “Specifying Account Names”. Each role name uses the format described in Section 6.2.5, “Specifying Role Names”. For example:
The host name part of the account or role name, if omitted,
defaults to '%'
.
To use the first REVOKE
syntax,
you must have the GRANT OPTION
privilege, and you must have the privileges that you are
revoking.
To revoke all privileges, use the second syntax, which drops all global, database, table, column, and routine privileges for the named users or roles:
REVOKE ALL PRIVILEGES, GRANT OPTION
does not
revoke any roles.
To use this REVOKE
syntax, you
must have the global CREATE USER
privilege, or the UPDATE
privilege for the mysql
system database.
The syntax for which the REVOKE
keyword is followed by one or more role names takes a
FROM
clause indicating one or more users or
roles from which to revoke the roles.
Roles named in the
mandatory_roles
system variable
value cannot be revoked.
A revoked role immediately affects any user account from which it was revoked, such that within any current session for the account, its privileges are adjusted for the next statement executed.
Revoking a role revokes the role itself, not the privileges that
it represents. Suppose that an account is granted a role that
includes a given privilege, and is also granted the privilege
explicitly or another role that includes the privilege. In this
case, the account still possesses that privilege if the first
role is revoked. For example, if an account is granted two roles
that each include SELECT
, the
account still can select after either role is revoked.
REVOKE ALL ON *.*
(at the global level)
revokes all granted static global privileges and all granted
dynamic privileges.
User accounts and roles from which privileges and roles are to be revoked must exist, but the privileges and roles to be revoked need not be currently granted to them.
A revoked privilege that is granted but not known to the server is revoked with a warning. This situtation can occur for dynamic privileges. For example, a dynamic privilege can be granted while the component that registers it is installed, but if that component is subsequently uninstalled, the privilege becomes unregistered, although accounts that possess the privilege still possess it and it can be revoked from them.
REVOKE
removes privileges, but
does not remove rows from the mysql.user
system table. To remove a user account entirely, use
DROP USER
. See
Section 13.7.1.5, “DROP USER Syntax”.
If the grant tables hold privilege rows that contain mixed-case
database or table names and the
lower_case_table_names
system
variable is set to a nonzero value,
REVOKE
cannot be used to revoke
these privileges. It will be necessary to manipulate the grant
tables directly. (GRANT
will not
create such rows when
lower_case_table_names
is set,
but such rows might have been created prior to setting the
variable. The
lower_case_table_names
setting
can only be configured when initializing the server.)
When successfully executed from the mysql
program, REVOKE
responds with
Query OK, 0 rows affected
. To determine what
privileges remain after the operation, use
SHOW GRANTS
. See
Section 13.7.6.21, “SHOW GRANTS Syntax”.
Document created the 26/06/2006, last modified the 26/10/2018
Source of the printed document:https://www.gaudry.be/en/mysql-rf-revoke.html
The infobrol is a personal site whose content is my sole responsibility. The text is available under CreativeCommons license (BY-NC-SA). More info on the terms of use and the author.
References
These references and links indicate documents consulted during the writing of this page, or which may provide additional information, but the authors of these sources can not be held responsible for the content of this page.
The author This site is solely responsible for the way in which the various concepts, and the freedoms that are taken with the reference works, are presented here. Remember that you must cross multiple source information to reduce the risk of errors.