Home Explore Blog CI



postgresql
4th chunk of `doc/src/sgml/ref/revoke.sgml`
72f504e68dae3f863f3c99cca68ca6688b64b7a89b118f460000000100000bd9
  When revoking membership in a role, <literal>GRANT OPTION</literal> is instead
   called <literal>ADMIN OPTION</literal>, but the behavior is similar.
   Note that, in releases prior to <productname>PostgreSQL</productname> 16,
   dependent privileges were not tracked for grants of role membership,
   and thus <literal>CASCADE</literal> had no effect for role membership.
   This is no longer the case.
   Note also that this form of the command does not
   allow the noise word <literal>GROUP</literal>
   in <replaceable class="parameter">role_specification</replaceable>.
  </para>

  <para>
   Just as <literal>ADMIN OPTION</literal> can be removed from an existing
   role grant, it is also possible to revoke <literal>INHERIT OPTION</literal>
   or <literal>SET OPTION</literal>.  This is equivalent to setting the value
   of the corresponding option to <literal>FALSE</literal>.
  </para>
 </refsect1>

 <refsect1 id="sql-revoke-notes">
  <title>Notes</title>

  <para>
   A user can only revoke privileges that were granted directly by
   that user.  If, for example, user A has granted a privilege with
   grant option to user B, and user B has in turn granted it to user
   C, then user A cannot revoke the privilege directly from C.
   Instead, user A could revoke the grant option from user B and use
   the <literal>CASCADE</literal> option so that the privilege is
   in turn revoked from user C.  For another example, if both A and B
   have granted the same privilege to C, A can revoke their own grant
   but not B's grant, so C will still effectively have the privilege.
  </para>

   <para>
    When a non-owner of an object attempts to <command>REVOKE</command> privileges
    on the object, the command will fail outright if the user has no
    privileges whatsoever on the object.  As long as some privilege is
    available, the command will proceed, but it will revoke only those
    privileges for which the user has grant options.  The <command>REVOKE ALL
    PRIVILEGES</command> forms will issue a warning message if no grant options are
    held, while the other forms will issue a warning if grant options for
    any of the privileges specifically named in the command are not held.
    (In principle these statements apply to the object owner as well, but
    since the owner is always treated as holding all grant options, the
    cases can never occur.)
   </para>

   <para>
    If a superuser chooses to issue a <command>GRANT</command> or <command>REVOKE</command>
    command, the command is performed as though it were issued by the
    owner of the affected object.  (Since roles do not have owners, in the
    case of a <command>GRANT</command> of role membership, the command is
    performed as though it were issued by the bootstrap superuser.)
    Since all privileges ultimately come
    from the object owner (possibly indirectly via chains of grant options),
    it is possible for a superuser to revoke all privileges, but this might
    require use of <literal>CASCADE</literal>
Title: Notes on REVOKE Command: Privileges, Ownership, and Superusers
Summary
This section delves into specific notes regarding the REVOKE command. It explains the behavior of ADMIN OPTION when revoking role membership and the ability to revoke INHERIT OPTION or SET OPTION. It clarifies that a user can only revoke privileges they directly granted. The section outlines how the command behaves when a non-owner attempts to revoke privileges, emphasizing the importance of grant options. Finally, it details how superusers can use GRANT or REVOKE commands as if they were the object owner, giving them the power to revoke all privileges, potentially requiring the use of CASCADE.