The SQL REVOKE command changes the permission of a role revoking the access to one or more resources. It works as opposite to the SQL GRANT command.
REVOKE <permission> ON <resource> FROM <role>
Where:
- permission can be:
NONE, no permissionCREATE, to create the indicated resourceREAD, to read the indicated resourceUPDATE, to update the indicated resourceDELETE, to delete the indicated resourceALL, all permissions- resource, the target resource where to change the permissions
database, as the access to the whole databasedatabase.class, as the access to the records contained in a class. Use**to indicate all the classesdatabase.cluster, as the access to the records contained in a cluster. Use**to indicate all the clustersdatabase.query, as the ability to execute query (READ is enought)database.command, as the ability to execute SQL commands. CREATE is for INSERT, READ is for SELECT, UPDATE for UPDATE and DELETE is for DELETEdatabase.config, as the ability to access to the configuration. Valid permissions are READ and UPDATEdatabase.hook.record, as the ability to set hooksserver.admin, as the ability to access to the server resources- role, the role name
Revoke the permission to delete any records in any cluster to the role "backoffice".
REVOKE DELETE ON database.cluster.* TO backoffice
To know more about other SQL commands look at SQL commands.