REVOKE <privileges> … FROM APPLICATION

撤消应用程序对安全对象的一项或多项访问权限。可撤消的权限是特定于对象的。

For more details about roles and securable objects, see Overview of Access Control.

Variations:

GRANT <privileges> … TO APPLICATION

语法

REVOKE {  { globalPrivileges } ON ACCOUNT
        | { accountObjectPrivileges  | ALL [ PRIVILEGES ] } ON { USER | RESOURCE MONITOR | WAREHOUSE | COMPUTE POOL | DATABASE | INTEGRATION | CONNECTION | FAILOVER GROUP | REPLICATION GROUP | EXTERNAL VOLUME } <object_name>
        | { schemaPrivileges         | ALL [ PRIVILEGES ] } ON { SCHEMA <schema_name> | ALL SCHEMAS IN DATABASE <db_name> }
        | { schemaObjectPrivileges   | ALL [ PRIVILEGES ] } ON { <object_type> <object_name> | ALL <object_type_plural> IN { DATABASE <db_name> | SCHEMA <schema_name> }
       }
     FROM APPLICATION <name>

其中:

globalPrivileges ::=
  {
      CREATE {
       COMPUTE POOL | DATABASE | WAREHOUSE
      }
      | BIND SERVICE ENDPOINT
      | EXECUTE MANAGED TASK
      | MANAGE WAREHOUSES
      | READ SESSION
  }
  [ , ... ]
accountObjectPrivileges ::=
-- For COMPUTE POOL
   { MODIFY | MONITOR | OPERATE | USAGE } [ , ... ]
-- For CONNECTION
   { FAILOVER } [ , ... ]
-- For DATABASE
   { APPLYBUDGET | CREATE { DATABASE ROLE | SCHEMA }
   | IMPORTED PRIVILEGES | MODIFY | MONITOR | USAGE } [ , ... ]
-- For EXTERNAL VOLUME
   { USAGE } [ , ... ]
-- For FAILOVER GROUP
   { FAILOVER | MODIFY | MONITOR | REPLICATE } [ , ... ]
-- For INTEGRATION
   { USAGE | USE_ANY_ROLE } [ , ... ]
-- For REPLICATION GROUP
   { MODIFY | MONITOR | REPLICATE } [ , ... ]
-- For RESOURCE MONITOR
   { MODIFY | MONITOR } [ , ... ]
-- For USER
   { MONITOR } [ , ... ]
-- For WAREHOUSE
   { APPLYBUDGET | MODIFY | MONITOR | USAGE | OPERATE } [ , ... ]
schemaPrivileges ::=
ADD SEARCH OPTIMIZATION
| CREATE {
    ALERT | EXTERNAL TABLE | FILE FORMAT | FUNCTION
    | IMAGE REPOSITORY | MATERIALIZED VIEW | PIPE | PROCEDURE
    | { AGGREGATION | MASKING | PASSWORD | PROJECTION | ROW ACCESS | SESSION } POLICY
    | SECRET | SEMANTIC VIEW | SEQUENCE | SERVICE | SNAPSHOT | STAGE | STREAM
    | TAG | TABLE | TASK | VIEW
  }
| MODIFY | MONITOR | USAGE
[ , ... ]
schemaObjectPrivileges ::=
  -- For ALERT
     { MONITOR | OPERATE } [ , ... ]
  -- For DYNAMIC TABLE
     OPERATE, SELECT [ , ...]
  -- For EVENT TABLE
     { INSERT | SELECT } [ , ... ]
  -- For FILE FORMAT, FUNCTION (UDF or external function), PROCEDURE, SECRET, SEQUENCE, SNAPSHOT, or TYPE
     USAGE [ , ... ]
  -- For IMAGE REPOSITORY
     { READ, WRITE } [ , ... ]
  -- For PIPE
     { APPLYBUDGET | MONITOR | OPERATE } [ , ... ]
  -- For { MASKING | PACKAGES | PASSWORD | ROW ACCESS | SESSION } POLICY or TAG
     APPLY [ , ... ]
  -- For SECRET
     READ, USAGE [ , ... ]
  -- For SEMANTIC VIEW
     REFERENCES [ , ... ]
  -- For SERVICE
     { MONITOR | OPERATE } [ , ... ]
  -- For external STAGE
     USAGE [ , ... ]
  -- For internal STAGE
     READ [ , WRITE ] [ , ... ]
  -- For STREAM
     SELECT [ , ... ]
  -- For TABLE
     { APPLYBUDGET | DELETE | EVOLVE SCHEMA | INSERT | REFERENCES | SELECT | TRUNCATE | UPDATE } [ , ... ]
  -- For TAG
     READ
  -- For TASK
     { APPLYBUDGET | MONITOR | OPERATE } [ , ... ]
  -- For VIEW
     { REFERENCES | SELECT } [ , ... ]
  -- For MATERIALIZED VIEW
     { APPLYBUDGET | REFERENCES | SELECT } [ , ... ]

For more information about the privileges supported for each object type, see Access control privileges.

必填参数

object_name

为授予权限的对象指定标识符。

object_type

为架构级对象指定对象的类型。

  • ALERT
  • DYNAMIC TABLE
  • EVENT TABLE
  • EXTERNAL TABLE
  • FILE FORMAT
  • FUNCTION
  • MASKING POLICY
  • MATERIALIZED VIEW
  • NETWORK RULE
  • PACKAGES POLICY
  • PASSWORD POLICY
  • PIPE
  • PROCEDURE
  • ROW ACCESS POLICY
  • SECRET
  • SEMANTIC VIEW
  • SESSION POLICY
  • SEQUENCE
  • STAGE
  • STREAM
  • TABLE
  • TAG
  • TASK
  • TYPE
  • VIEW
object_type_plural

Plural form of object_type (e.g. TABLES, VIEWS).

不允许对管道进行批量授权。

name

指定接收者应用程序(授予权限的角色)的标识符。

安全要求

Revoking privileges on individual objects:

You can use an active role that meets either of the following criteria, or a higher role, to revoke privileges on an object from other application roles:

  • The role is identified as the grantor of the privilege in the GRANTED_BY column in the SHOW GRANTS output.

如果授予了对指定对象的多个权限实例,则仅会撤消由活跃授予者角色授予的实例。

  • 该角色具有全局 MANAGE GRANTS 权限。

    If you have multiple instances of a privilege grant on the specified object, all instances are revoked.

请注意,默认情况下,只有 SECURITYADMIN 系统角色及更高级别的角色才具有 MANAGE GRANTS 权限;不过,可以将该权限授予自定义角色。

在托管访问架构(使用 CREATE SCHEMA …WITH MANAGED ACCESS 语法创建的架构)中,只有架构所有者(具有对架构的 OWNERSHIP 权限的角色)、具有全局 MANAGE GRANTS 权限的角色或更高级别的角色可以撤消对架构中对象的权限。

使用说明

  • Privileges cannot be granted or revoked directly on any class. You can, however, create an instance of a class and revoke instance roles from an account role. Revoke the CREATE <class_name> privilege on the schema to prevent a role from creating an instance of a class.

  • A privilege can be granted to a role multiple times by different grantors. A REVOKE <privilege> statement only revokes grants for which the active role, or a lower role in a hierarchy, is the grantor. Any additional grants of a specified privilege by other grantors are ignored.

    Also note that a REVOKE <privilege> statement is successful even if no privileges are revoked. A REVOKE <privilege> statement only returns an error if a specified privilege has dependent grants and the CASCADE clause is omitted in the statement.

  • Multiple privileges can be specified for the same object type in a single GRANT statement (with each privilege separated by commas), or the special ALL [ PRIVILEGES ] keyword can be used to grant all applicable privileges to the specified object type. Note, however, that only privileges held and grantable by the role executing the GRANT command are actually granted to the target role. A warning message is returned for any privileges that could not be granted.

不得为标签指定此关键字。

  • For databases, the IMPORTED PRIVILEGES privilege only applies to shared databases (i.e. databases created from a share). For more details, see Consume imported data.
  • For schemas and objects in schemas, an option is provided to grant privileges on all objects of the same type within the container (database or schema). This is a convenience option; internally, the command is expanded into a series of individual GRANT commands on each object. Only objects that currently exist within the container are affected.

但请注意,在 Snowflake 模型中,不建议批量授予权限。相反,Snowflake 建议创建一个共享角色,并使用该角色创建可供所有被授予该角色的用户自动访问的对象。

  • 对于暂存区:

    • USAGE 仅适用于外部暂存区。
    • READ | WRITE only applies to internal stages. In addition, to grant the WRITE privilege on an internal stage, the READ privilege must first be granted on the stage.

    For more details about external and internal stages, see CREATE STAGE.

  • When granting privileges on an individual UDF, you must specify the data types for the arguments, if any, for the UDF in the form of udf_name ( [ arg_data_type , ... ] ). This is required because Snowflake uses argument data types to resolve UDFs that have the same name within a schema. For more details, see User-defined functions overview.

  • When granting privileges on an individual stored procedure, you must specify the data types for the arguments, if any, for the procedure in the form of procedure_name ( [ arg_data_type , ... ] ). This is required because Snowflake uses argument data types to resolve stored procedures that have the same name within a schema.

    For more information, see managed access schemas.

示例

撤消应用程序对视图的 SELECT 权限:

REVOKE SELECT ON VIEW data.views.credit_usage
  FROM APPLICATION app_snowflake_credits;