REVOKE
The REVOKE statement revokes RBAC roles from specific users.
Roles can be of the following two types:
simple
Roles which apply generically to all buckets/resources in the cluster. For example:
parameterized by a bucket
Roles which are defined for the scope of the specified bucket only. The bucket name is specified after ON. For example: or
Only Full Administrators can run the REVOKE statement. For more details about user roles, see Authorization.
Syntax
REVOKE role1 [, role2, ...] ON bucket1 [, bucket2, ...] FROM user1 [, user2, ...]
- role
  RBAC-role[(bucket_name)]
  RBAC-role is one of the RBAC role names predefined by Couchbase Server. RBAC-user is the user name created by the Couchbase Server RBAC system. The following roles have short forms that can be used as well:
  - query_select → select
  - query_insert → insert
  - query_update → update
  - query_delete → delete
- bucket
  The name of your Couchbase or Memcached bucket or buckets.
- user
  RBAC-user in your bucket.
Example 1: Revoke the role of ClusterAdmin from three people.
REVOKE ClusterAdmin FROM david, michael, robin
Example 2: Revoke the roles of ClusterAdmin and QueryUpdate in the travel-sample bucket from debby.
REVOKE ClusterAdmin, QueryUpdate
ON `travel-sample`
FROM debby
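
When REVOKE statements are generated by an offboarding or access-review script rather than typed by hand, the role, bucket and user names should be validated before they are placed into the statement text. The following is an added example, not code from Couchbase: the function names and the character allow-list for names are assumptions made for the illustration, and the sample inputs are constructed.

```python
import re

# Short forms listed on this page, mapped to their full role names.
SHORT_FORMS = {"select": "query_select", "insert": "query_insert",
               "update": "query_update", "delete": "query_delete"}

PLAIN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")    # usable without backticks
ALLOWED = re.compile(r"[A-Za-z0-9_.%-]+")        # assumed allow-list for names


def quote_ident(name):
    """Return a bucket or user name as a safe N1QL identifier."""
    if not isinstance(name, str) or not ALLOWED.fullmatch(name):
        # Rejects spaces, ';', backticks, quotes: nothing can escape the identifier.
        raise ValueError(f"unsafe identifier: {name!r}")
    return name if PLAIN.fullmatch(name) else f"`{name}`"


def normalize_role(role):
    """Validate a role name and expand the page's short forms."""
    if not isinstance(role, str) or not PLAIN.fullmatch(role):
        raise ValueError(f"unsafe role name: {role!r}")
    return SHORT_FORMS.get(role, role)


def build_revoke(roles, users, buckets=()):
    """Build REVOKE role[, ...] [ON bucket[, ...]] FROM user[, ...]."""
    if not roles or not users:
        raise ValueError("at least one role and one user are required")
    stmt = "REVOKE " + ", ".join(normalize_role(r) for r in roles)
    if buckets:
        stmt += " ON " + ", ".join(quote_ident(b) for b in buckets)
    return stmt + " FROM " + ", ".join(quote_ident(u) for u in users)


if __name__ == "__main__":
    # Constructed inputs: the page's two examples plus a hostile user name.
    print(build_revoke(["ClusterAdmin"], ["david", "michael", "robin"]))
    print(build_revoke(["ClusterAdmin", "QueryUpdate"], ["debby"], ["travel-sample"]))
    try:
        build_revoke(["select"], ["debby, admin"], ["travel-sample"])
    except ValueError as err:
        print("rejected:", err)
```

Expanding the short forms to their full role names keeps generated statements uniform, which makes them easier to match in audit logs.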