revoke role

Revokes a role from a group, login, login profile, or role:

Syntax

revoke role {role_name [, role_list ...]} from 
	{grantee [, grantee ...]}

Parameters

Examples

Usage

  • You can revoke a role from a user while the user is logged in. The SAP ASE server verifies a user’s activated roles before performing access checks.

  • If you revoke a role from a login profile, the SAP ASE server revokes the role from all users assigned to that profile, including users currently logged in to the SAP ASE server.

See also:
  • proc_role in Reference Manual: Building Blocks

  • sp_activeroles, sp_adduser, sp_changedbowner, sp_changegroup, sp_displaylogin, sp_displayroles, sp_dropgroup, sp_dropuser, sp_helpgroup, sp_helprotect, sp_helpuser in Reference Manual: Procedures

Standards

ANSI SQL – Compliance level: Transact-SQL extension.

Permissions

The permission checks for revoke role differ based on your granular permissions settings.

SettingDescription
Enabled

When granular permissions is enabled, you must be a user with manage roles privilege.

Disabled

With granular permissions enabled:, you can revoke roles only from the master database. Only a system security officer can revoke sso_role, oper_role, or a user-defined role from a user or a role. Only system administrators can revoke sa_role from a user or a role. Only a user who has both sa_role and sso_role can revoke a role that includes sa_role.

Auditing

Values in event and extrainfo columns of sysaudits are:

InformationValues
Event

85

Audit option

role

Command or access audited

create role, drop role, alter role, grant role, or revoke role

Information in extrainfo
  • Roles – current active roles

  • Keywords or options – Full command text of revoke role statement.

  • Previous value – NULL

  • Current value – NULL

  • Other information – NULL

  • Proxy information – original login name, if set proxy is in effect

Related reference
grant
setuser
set