Rules for Revoking Privileges - Advanced SQL Engine - Teradata Database

SQL Data Control Language

Product
Advanced SQL Engine
Teradata Database
Release Number
17.05
17.00
Published
June 2020
Language
English (United States)
Last Update
2021-01-24
dita:id
B035-1149
Product Category
Teradata® Vantage™ NewSQLEngine
  • Implicit privileges are governed by ownership and cannot be revoked. You can affect implicit privileges by using the GIVE statement to change ownership.

    For more information, see GIVE.

  • Any combination of privileges can be revoked by a user who has those privileges, either implicitly or explicitly, WITH GRANT OPTION.
  • ZONE (includes both the CREATE ZONE and DROP ZONE privileges) cannot be combined with any other privilege when you use REVOKE. Similarly, the ZONE OVERRIDE privilege cannot be combined with any other privilege.
  • The system does not automatically revoke privileges previously granted by a user after that user is dropped from the system.
  • Revoked privileges do not cascade through the hierarchy unless you specify the ALL user_name option.

    Conversely, if a privilege that was granted to ALL users and databases is revoked from user_name, the privilege is not granted automatically to future users and databases that are owned by user_name.

  • If the object is a view, procedure, or macro, the requesting user also must have WITH GRANT OPTION and all other applicable privileges on the objects referenced by that view, procedure, or macro.
  • If a REVOKE statement removes explicit privileges that were granted at the database or user level, the privileges are revoked for all objects, regardless of when they were created.

    A REVOKE statement at the object level cannot remove a privilege from that object that was granted at the database or user level.

    See Privileges Level for a Revoke.

  • If a user receives the same privilege from one or more grantors, any user who has the necessary privileges can revoke that privilege from the user and from other grantees. A person who revokes a privilege from another does not have to be the grantor of that privilege.
  • If a privilege was granted to PUBLIC, the privilege can only be revoked from PUBLIC, not from individual users.
  • Revocation of a column-level privilege is only allowed if there is a row in DBC.AccessRights for the columns on which the privilege is to be revoked. If the user has INSERT, REFERENCES, SELECT, or UPDATE privileges at the table level, revoking those privileges on individual columns is not allowed.
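
The following sequence is an added example, not taken from the Teradata documentation. It walks through the database-level versus object-level rule and shows how to confirm afterwards what a user still holds. The names sales_db, sales_db.orders and analyst1 are hypothetical, and the session is assumed to have SELECT access to the DBC.AllRightsV and DBC.DatabasesV dictionary views.

```sql
-- Hypothetical objects: database sales_db, table sales_db.orders, user analyst1.

-- 1. SELECT is granted explicitly at the database level.
GRANT SELECT ON sales_db TO analyst1;

-- 2. An object-level REVOKE. Per the rule above, it cannot remove a
--    privilege on the table that was granted at the database level.
REVOKE SELECT ON sales_db.orders FROM analyst1;

-- 3. Verify what analyst1 still holds on sales_db. A database-level
--    grant is listed with TableName = 'All'; AccessRight 'R' is SELECT.
--    If that row is still present, analyst1 can still read
--    sales_db.orders.
SELECT DatabaseName, TableName, ColumnName, AccessRight,
       GrantAuthority, GrantorName
FROM DBC.AllRightsV
WHERE UserName = 'analyst1'
  AND DatabaseName = 'sales_db'
ORDER BY TableName, ColumnName;

-- 4. Revoke at the level the grant was made. This removes the
--    privilege for all objects in sales_db, regardless of when they
--    were created.
REVOKE SELECT ON sales_db FROM analyst1;

-- 5. Re-run the query from step 3 and confirm the row is gone.

-- 6. Privileges granted by a user are not revoked when that user is
--    dropped. List explicit grants whose grantor no longer exists as
--    a user or database so they can be reviewed and revoked by hand.
SELECT r.UserName, r.DatabaseName, r.TableName, r.AccessRight,
       r.GrantorName
FROM DBC.AllRightsV r
WHERE NOT EXISTS (
    SELECT 1
    FROM DBC.DatabasesV d
    WHERE d.DatabaseName = r.GrantorName
)
ORDER BY r.GrantorName, r.UserName;
```

DBC.AllRightsV lists privileges held directly by users and databases; privileges a user receives through a role or through PUBLIC are not covered by the step 3 check and need to be reviewed separately.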