Rules for Revoking Privileges - Analytics Database - Teradata Vantage

SQL Data Control Language

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-07-11
  • Implicit privileges are governed by ownership and cannot be revoked. You can affect implicit privileges by using the GIVE statement to change ownership.

    For more information, see GIVE.

  • Any combination of privileges can be revoked by a user who has those privileges, either implicitly or explicitly, WITH GRANT OPTION.
  • ZONE (includes both the CREATE ZONE and DROP ZONE privileges) cannot be combined with any other privilege when you use REVOKE. Similarly, the ZONE OVERRIDE privilege cannot be combined with any other privilege.
  • The system does not automatically revoke privileges previously granted by a user after that user is dropped from the system.
  • Revoked privileges do not cascade through the hierarchy unless you specify the ALL user_name option.

    Conversely, if a privilege that was granted to ALL users and databases is revoked from user_name, the privilege is not granted automatically to future users and databases that are owned by user_name.

  • If the object is a view, procedure, or macro, the requesting user also must have WITH GRANT OPTION and all other applicable privileges on the objects referenced by that view, procedure, or macro.
  • If a REVOKE statement removes explicit privileges that were granted at the database or user level, the privileges are revoked for all objects, regardless of when they were created.

    A REVOKE statement at the object level cannot remove a privilege from that object that was granted at the database or user level.

    See Privileges Level for a Revoke.

  • If a user receives the same privilege from one or more grantors, any user who has the necessary privileges can revoke that privilege from the user and from other grantees. A person who revokes a privilege from another does not have to be the grantor of that privilege.
  • If a privilege was granted to PUBLIC, the privilege can only be revoked from PUBLIC, not from individual users.
  • Revocation of a column-level privilege is only allowed if there is a row in DBC.AccessRights for the columns on which the privilege is to be revoked. If the user has INSERT, REFERENCES, SELECT, or UPDATE privileges at the table level, revoking those privileges on individual columns is not allowed.
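
The level rules above (database or user level versus object level, PUBLIC, and column-level rows) determine which REVOKE form can actually remove a privilege. The following is an added example, not part of the Teradata documentation: it checks where a SELECT privilege is recorded before choosing the REVOKE statement. It assumes the DBC.AllRightsV view over DBC.AccessRights and the access-right code 'R' for SELECT; sales_db, orders, customer_email, and analyst1 are hypothetical names.

```sql
-- Added example. sales_db, orders, customer_email and analyst1 are hypothetical.
-- Assumption: DBC.AllRightsV exposes the rows of DBC.AccessRights, with
-- TableName = 'All' for database-level rows, ColumnName = 'All' for
-- table-level rows, and AccessRight = 'R' for SELECT.
SELECT UserName,
       DatabaseName,
       TableName,
       ColumnName,
       GrantorName,
       GrantAuthority,   -- 'Y' when the privilege is held WITH GRANT OPTION
       AllnessFlag,      -- 'Y' when it was granted to ALL user_name
       CASE
         WHEN UserName   = 'PUBLIC' THEN 'PUBLIC grant: revoke FROM PUBLIC'
         WHEN TableName  = 'All'    THEN 'database level: revoke ON sales_db'
         WHEN ColumnName = 'All'    THEN 'table level: revoke ON sales_db.orders'
         ELSE                            'column level: revoke SELECT (column)'
       END AS RevokeAt
FROM   DBC.AllRightsV
WHERE  UserName IN ('analyst1', 'PUBLIC')
AND    DatabaseName = 'sales_db'
AND    TableName IN ('All', 'orders')
AND    AccessRight = 'R'
ORDER  BY UserName, TableName, ColumnName;

-- The statements below are alternatives. Run only the one that matches the
-- RevokeAt value returned for the row you intend to remove.

-- Database-level row: removes SELECT on all objects in sales_db,
-- regardless of when they were created.
REVOKE SELECT ON sales_db FROM analyst1;

-- Table-level row: an object-level REVOKE does not touch a database-level row.
REVOKE SELECT ON sales_db.orders FROM analyst1;

-- Column-level row: allowed only when a column row exists in DBC.AccessRights
-- and the user does not hold SELECT at the table level.
REVOKE SELECT (customer_email) ON sales_db.orders FROM analyst1;

-- Privilege granted to PUBLIC: it cannot be revoked from an individual user.
REVOKE SELECT ON sales_db.orders FROM PUBLIC;

-- Cascade through the hierarchy owned by analyst1.
REVOKE SELECT ON sales_db.orders FROM ALL analyst1;
```

Re-running the query after the REVOKE confirms whether a row at another level still gives the user the privilege. Privileges held through roles are not covered by this query.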