1 REVOKE Removes privileges from or entirely deletes an entry in the Oracle Rdb access control list (ACL) for a database object. Each entry in an access control list consists of an identifier (or role) and a list of privileges assigned to the identifier. o Each identifier specifies a user or a set of users. o The list of privileges specifies which operations that user or user group can perform on the database, table, column, module, procedure, function or sequence. When a user tries to perform an operation on a database, SQL reads the associated ACL from top to bottom, comparing the identifier of the user with each entry. As soon as SQL finds the first match, it grants the rights listed in that entry and stops the search. All identifiers that do not match a previous entry are compared with the subsequent entry, and if no match occurs, they receive the rights of ("fall through" to) the entry [*,*], if it exists. If no entry has the user identifier [*,*], then unmatched user identifiers are denied all access to the database, table, or column. For this reason, both the entries and their order in the list are important. To create an entry or add privileges to an entry in the Oracle Rdb access control list for a database object, see the GRANT statement. 2 Environment You can use the REVOKE statement: o In interactive SQL o Embedded in host language programs to be precompiled o As part of a nonstored procedure in a nonstored SQL module o In dynamic SQL as a statement to be dynamically executed 2 Format (B)0REVOKE qqqqqqqqqqqqqqqqqqqqqqqk    lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj    mwq> db-privs qqqqqqqq> ON DATABASE ALIAS qwwq> <alias> wwqqqqqqqqqqwqk   x  xmqqqqq , * qqqqj  x x  tq> table-privs qqqqq> ON qwqqqqqqqqqqqwqqwwqwq> <table-name> wqwwqu x   x mq> TABLE qqj  xx mq> <view-name> qj xx x x   x  xmqqqqqqq , * qqqqqqqqqqqj x x  tq> column-privs qqqq> ON COLUMN qqqwq> <column-name> qwqqqqqqqqqqqu x   x mqqqqqqqq , module-privs qqqq> ON MODULE qqwwq> <module-name> qwwqqqqqqqqqqu x   x xmqqqqqqqq , * qqqqqqqqj x x  tq> ext-routine-privs qwq> ON FUNCTION qqwwwq> <ext-rout-name> qwwqu x  x mq> ON PROCEDURE qjxmqqqqqqqqqqq , * qqqqqqqj x x   mq> sequence-privs qq> ON SEQUENCE qwwq><sequence-name> qwwqqqqqqqqj x   xmqqqqqqq , * qqqqqqqqqqj x lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj  mq> revoke-from qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq> (B)0db-privs=    qqqqwqqqwqwq> SELECT qqqqqwqwqqqqwq>  x x tq> INSERT qqqqqu x x   x x tq> OPERATOR qqqu x x   x x tq> DELETE qqqqqu x x   x x tq> CREATE qqqqqu x x   x x tq> ALTER qqqqqqu x x   x x tq> DROP qqqqqqqu x x   x x tq> DBCTRL qqqqqu x x   x x tq> DBADM qqqqqqu x x   x x tq> SHOW qqqqqqqu x x   x x tq> REFERENCES qu x x   x x tq> UPDATE qqqqqu x x   x x tq> SECURITY qqqu x x   x x mq> DISTRIBTRAN j x x   x mqqqqqqq , ALL PRIVILEGES qwqqj   mqqq> ENTRY qqqqqqqqqqj  (B)0table-privs=    qwqqwqwq> SELECT qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqwqwqwqq>  x x tq> INSERT qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x x   x x tq> DELETE qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x x   x x tq> CREATE qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x x   x x tq> ALTER qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x x   x x tq> DROP qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x x   x x tq> DBCTRL qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x x   x x tq> SHOW qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x x   x x tq> REFERENCES wqqqqqqqqqqqqqqqqqqqqqqqqqqu x x   x x x m> ( w> <column-name> w> ) u x x   x x x mqqqqq , UPDATE wqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x x   x x m> ( w> <column-name> qqwqq> ) j x x   x x mqqqqq , ALL PRIVILEGES qqwqqqqqqqqqqqqqqqqqqqqqqqqj   mqq> ENTRY qqqqqqqqqqqj    (B)0column-privs =    qqqwqwqwq> UPDATE qqqqqwqwqqwqq>  x x mq> REFERENCES qj x x   x mqqqqqqq , ALL PRIVILEGES qwj   mq> ENTRY qqqqqqqqqqj  (B)0module-privs =    qwqqwqwq> ALTER qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqwqwqqwqq>  x x tq> DBCTRL qqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x x   x x tq> DROP qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x x   x x tq> EXECUTE qqqqqqqqqqqqqqqqqqqqqqqqqqqqu x x   x x tq> REFERENCES qqqqqqqqqqqqqqqqqqqqqqqqqu x x  x x mq> SHOW qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj x x   x mqqqqqqqqqqqqqqqqqqq , ALL PRIVILEGES qqqqqwqqqqqqqqqqqqqqqqqqqqj  mqqq> ENTRY qqqqqqqqqqqqqqj (B)0ext-routine-privs =    qwqqwqwq> ALTER qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqwqwqqwqq>  x x tq> DBCTRL qqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x x   x x tq> DROP qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x x   x x tq> EXECUTE qqqqqqqqqqqqqqqqqqqqqqqqqqqqu x x  x x tq> REFERENCES qqqqqqqqqqqqqqqqqqqqqqqqqu x x    x x mq> SHOW qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj x x   x mqqqqqqqqqqqqqqqqqqq , ALL PRIVILEGES qqqwqqqqqqqqqqqqqqqqqqqqqqj  mqqq> ENTRY qqqqqqqqqqqqj  (B)0sequence-privs = qwqwqwq> ALTER qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqwqwqqwqq> x x tq> DBCTRL qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x  x x x tq> DROP qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x  x x x tq> REFERENCES qqqqqqqqqqqqqqqqqqqqqqqqqqu x x x x tq> SELECT qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu x  x x x mq> SHOW qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj x x x mqqqqqqq ,  ALL PRIVILEGES qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj (B)0revoke-from = qq> FROM qqwqqwq> identifier qqqwqwqqqqqqqqqqqqqqqqqqqqqqqqqqqwwqqqqqq>   x mq> PUBLIC qqqqqqqj tq> AFTER wq> identifier qqqux   x x mq> PUBLIC qqqqqqqux   x mq> POSITION <n> qqqqqqqqqqqjx   mqqqqqqqqqqqqqqqqqqqqqq , user-identifier qqqqwqwq>   x tq> general-identifier qu x   x tq> system-identifier qu x   x mq> role-name qqqqqqqqqqj x   mqqqqqqqqqqqq + attach 'filename DB$:MF_PERSONNEL'; SQL> SQL> -- examine current privileges SQL> show protection on database RDB$DBHANDLE; Protection on Alias RDB$DBHANDLE (IDENTIFIER=SQLNET4RDB,ACCESS=SELECT+INSERT+UPDATE+DELETE+SHOW+CREATE+ALTER+ DROP+DBCTRL+OPERATOR+DBADM+SECURITY+DISTRIBTRAN) (IDENTIFIER=[DOC,DOC_READER],ACCESS=SELECT+CREATE) (IDENTIFIER=[DOC,DOC_WRITER],ACCESS=SELECT+INSERT+UPDATE+DELETE+SHOW+CREATE+ ALTER+DROP+DBCTRL+OPERATOR+DBADM+REFERENCES) (IDENTIFIER=[*,*],ACCESS=SELECT+INSERT+UPDATE+DELETE+SHOW+CREATE+ALTER+DROP+ OPERATOR+DBADM+REFERENCES) SQL> SQL> -- revoke selected privileges SQL> revoke CREATE on database alias RDB$DBHANDLE from DOC_WRITER; SQL> revoke DISTRIBTRAN on database alias RDB$DBHANDLE from DOC_REVIEWER; SQL> show protection on database RDB$DBHANDLE; Protection on Alias RDB$DBHANDLE (IDENTIFIER=SQLNET4RDB,ACCESS=SELECT+INSERT+UPDATE+DELETE+SHOW+CREATE+ALTER+ DROP+DBCTRL+OPERATOR+DBADM+SECURITY+DISTRIBTRAN) (IDENTIFIER=[DOC,DOC_READER],ACCESS=SELECT) (IDENTIFIER=[DOC,DOC_WRITER],ACCESS=SELECT+INSERT+UPDATE+DELETE+SHOW+ALTER+ DROP+DBCTRL+OPERATOR+DBADM+REFERENCES) (IDENTIFIER=[*,*],ACCESS=SELECT+INSERT+UPDATE+DELETE+SHOW+CREATE+ALTER+DROP+ OPERATOR+DBADM+REFERENCES) SQL> SQL> -- No longer all access to DOC_REVIEWER, use wildcard for all tables SQL> revoke ALL PRIVILEGES on table * from DOC_REVIEWER; SQL> commit; Example 2: Revoking DROP Sequence Privileges from a User SQL> CREATE SEQUENCE EMPID; SQL> SHOW PROTECTION ON SEQUENCE EMPID Protection on Sequence EMPID (IDENTIFIER=[RDB,STUART],ACCESS=SELECT+SHOW+ALTER+DROP+DBCTRL) (IDENTIFIER=[*,*],ACCESS=NONE) SQL> GRANT SELECT ON SEQUENCE EMPID TO PUBLIC; SQL> SHOW PROTECTION ON SEQUENCE EMPID; Protection on Sequence EMPID (IDENTIFIER=[RDB,STUART],ACCESS=SELECT+SHOW+ALTER+DROP+DBCTRL) (IDENTIFIER=[*,*],ACCESS=SELECT) SQL> REVOKE DROP ON SEQUENCE EMPID FROM STUART; SQL> SHOW PROTECTION ON SEQUENCE EMPID; Protection on Sequence EMPID (IDENTIFIER=[RDB,STUART],ACCESS=SELECT+SHOW+ALTER+DBCTRL) (IDENTIFIER=[*,*],ACCESS=SELECT)