16.20 - Rules for Revoking Privileges - Teradata Vantage NewSQL Engine

Teradata Vantage™ SQL Data Control Language

prodname: Teradata Database, Teradata Vantage NewSQL Engine
vrm_release: 16.20
created_date: March 2019
category: Programming Reference
featnum: B035-1149-162K

  • Implicit privileges are governed by ownership and cannot be revoked. You can affect implicit privileges by using the GIVE statement to change ownership.

    For more information, see GIVE.

  • Any combination of privileges can be revoked by a user who has those privileges, either implicitly or explicitly, WITH GRANT OPTION.
  • ZONE (includes both the CREATE ZONE and DROP ZONE privileges) cannot be combined with any other privilege when you use REVOKE. Similarly, the ZONE OVERRIDE privilege cannot be combined with any other privilege.
  • The system does not automatically revoke privileges previously granted by a user after that user is dropped from the system.
  • Revoked privileges do not cascade through the hierarchy unless you specify the ALL user_name option.

    Conversely, if a privilege that was granted to ALL users and databases is revoked from user_name, the privilege is not granted automatically to future users and databases that are owned by user_name.

  • If the object is a view, procedure, or macro, the requesting user also must have WITH GRANT OPTION and all other applicable privileges on the objects referenced by that view, procedure, or macro.
  • If a REVOKE statement removes explicit privileges that were granted at the database or user level, the privileges are revoked for all objects, regardless of when they were created.

    A REVOKE statement at the object level cannot remove a privilege from that object that was granted at the database or user level.

    See Privileges Level for a Revoke.

  • If a user receives the same privilege from one or more grantors, any user who has the necessary privileges can revoke that privilege from the user and from other grantees. A person who revokes a privilege from another does not have to be the grantor of that privilege.
  • If a privilege was granted to PUBLIC, the privilege can only be revoked from PUBLIC, not from individual users.
  • Revocation of a column-level privilege is only allowed if there is a row in DBC.AccessRights for the columns on which the privilege is to be revoked. If the user has INSERT, REFERENCES, SELECT, or UPDATE privileges at the table level, revoking those privileges on individual columns is not allowed.
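
The database-level versus object-level rule and the column-level rule above are the ones most likely to leave access in place after a REVOKE appears to have been applied. The following sequence is an added example, not part of the Teradata documentation; sandbox_db, its orders table and columns, and the user analyst1 are hypothetical names, and the check assumes the DBC.AllRightsV dictionary view is available to the reviewer.

```sql
-- Added example. sandbox_db, orders, order_id, amount and analyst1 are hypothetical.

-- 1. A privilege granted at the database level covers every object in the
--    database, regardless of when the object was created.
GRANT SELECT ON sandbox_db TO analyst1;

-- 2. An object-level REVOKE cannot remove that database-level privilege
--    from the table.
REVOKE SELECT ON sandbox_db.orders FROM analyst1;

-- 3. Review what is still recorded for the user. A database-level grant is
--    stored with TableName = 'All'; AccessRight 'R' is the code for SELECT.
SELECT DatabaseName, TableName, ColumnName, AccessRight,
       GrantAuthority, GrantorName
FROM   DBC.AllRightsV
WHERE  UserName     = 'analyst1'
AND    DatabaseName = 'sandbox_db'
AND    AccessRight  = 'R'
ORDER  BY TableName, ColumnName;

-- 4. To actually narrow access, revoke at the level where the grant was
--    made, then grant only what is still needed.
REVOKE SELECT ON sandbox_db FROM analyst1;
GRANT  SELECT (order_id, amount) ON sandbox_db.orders TO analyst1;

-- 5. A column-level REVOKE is allowed here because the grant in step 4 was
--    made on the columns themselves. Had SELECT been granted on the whole
--    table, revoking it on an individual column would not be allowed.
REVOKE SELECT (amount) ON sandbox_db.orders FROM analyst1;

-- 6. Re-run the review query from step 3 and confirm that only the intended
--    column-level rows remain for analyst1.
SELECT DatabaseName, TableName, ColumnName, AccessRight,
       GrantAuthority, GrantorName
FROM   DBC.AllRightsV
WHERE  UserName     = 'analyst1'
AND    DatabaseName = 'sandbox_db'
AND    AccessRight  = 'R'
ORDER  BY TableName, ColumnName;
```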