## Synopsis Use the `REVOKE PERMISSION` statement to revoke a permission (or all the granted permissions) from a role. When a database object is deleted (keyspace, table, or role), all the permissions on that object are automatically deleted. This statement is enabled by setting the YB-TServer flag [--use_cassandra_authentication](../../../reference/configuration/yb-tserver/#ycql) to `true`. ## Syntax ### Diagram #### revoke_permission REVOKEall_permissionspermissionONresourceFROMrole_name #### all_permissions ALLPERMISSIONS #### permission CREATEALTERDROPSELECTMODIFYAUTHORIZEDESCRIBEEXECUTEPERMISSION #### resource ALLKEYSPACESROLESKEYSPACEkeyspace_nameTABLEtable_nameROLErole_name ### Grammar ```ebnf revoke_permission := REVOKE all_permission | permission ON resource FROM role_name; all_permissions := ALL [ PERMISSIONS ] permission := ( CREATE | ALTER | DROP | SELECT | MODIFY | AUTHORIZE | DESCRIBE | EXECUTE ) [ PERMISSION ] resource := ALL ( KEYSPACES | ROLES ) | KEYSPACE keyspace_name | [ TABLE ] table_name | ROLE role_name; ``` Where - `keyspace_name`, `table_name`, and `role_name` are text identifiers (`table_name` may be qualified with a keyspace name). ## Semantics Permission `AUTHORIZE` on `ALL ROLES` or on the role being used in the statement is necessary. Otherwise, an unauthorized error will be returned. ## Examples ```sql ycqlsh:example> REVOKE CREATE ON KEYSPACE qa FROM fred; ``` ## See also - [`ALTER ROLE`](../ddl_alter_role) - [`DROP ROLE`](../ddl_drop_role) - [`CREATE ROLE`](../ddl_create_role) - [`GRANT ROLE`](../ddl_grant_role) - [`REVOKE ROLE`](../ddl_revoke_role) - [`GRANT PERMISSION`](../ddl_grant_permission)