REVOKE ROLE
Description
Revoke a role on a specified Onehouse resource. See the permissions documentation for more details.
To revoke privileges on data objects, use REVOKE PRIVILEGE.
Note: The principal (user, group, or service principal) must already be a member of the project before you can revoke a role from them on project-scoped resources such as clusters or jobs.
Syntax
REVOKE ROLE <role> ON <resource_type> <resource_name> FROM <principal_type> <principal_identifier>
Examples
REVOKE ROLE USER ON CLUSTER 'sql-cluster' FROM USER 'woz@apple.com'
Required parameters
- role: Specify one of {VIEWER|USER|EDITOR|MANAGER|MEMBER|READER|ADMIN}.
- resource_type: Specify one of {ACCOUNT|PROJECT|GROUP|SERVICE_PRINCIPAL|CLUSTER|JOB}.
- resource_name: Specify the name of the resource to revoke the role on.
- principal_type: Specify one of {USER|GROUP|SERVICE_PRINCIPAL}.
- principal_identifier: Specify one of {<user_email>|<group_id>|<service_principal_id>}.
Supported combinations by resource_type
Only the following combinations of role and principal_type are supported for each resource_type:
| resource_type | role | principal_type | action |
|---|---|---|---|
| ACCOUNT | ADMIN, MEMBER, READER | SERVICE_PRINCIPAL | Revokes the respective role on the account from the given principal. |
| GROUP | MANAGER, MEMBER | SERVICE_PRINCIPAL, USER | Revokes the respective role on the group from the given principal. |
| SERVICE_PRINCIPAL | MANAGER, MEMBER | GROUP, USER | Revokes the respective role on the service principal from the given principal. |
| PROJECT | ADMIN, MEMBER, READER | USER, GROUP, SERVICE_PRINCIPAL | Revokes the respective role on the project from the given principal. |
| CLUSTER | VIEWER, USER, EDITOR, MANAGER | USER, GROUP, SERVICE_PRINCIPAL | Revokes the respective role on the cluster from the given principal. |
| JOB | VIEWER, USER, EDITOR, MANAGER | USER, GROUP, SERVICE_PRINCIPAL | Revokes the respective role on the job from the given principal. |
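When revocations are scripted, for example during offboarding, each statement can be checked against the syntax and the combinations table before it is submitted. The following is an added example, not part of the Onehouse documentation or tooling. It assumes uppercase keywords and single-quoted names as in the example above; `check_revoke`, `lint_batch` and all names in the sample batch other than the page's own example are hypothetical.

```python
import re

# Supported (roles, principal types) per resource_type, copied from the table above.
SUPPORTED = {
    "ACCOUNT": ({"ADMIN", "MEMBER", "READER"}, {"SERVICE_PRINCIPAL"}),
    "GROUP": ({"MANAGER", "MEMBER"}, {"SERVICE_PRINCIPAL", "USER"}),
    "SERVICE_PRINCIPAL": ({"MANAGER", "MEMBER"}, {"GROUP", "USER"}),
    "PROJECT": ({"ADMIN", "MEMBER", "READER"}, {"USER", "GROUP", "SERVICE_PRINCIPAL"}),
    "CLUSTER": ({"VIEWER", "USER", "EDITOR", "MANAGER"}, {"USER", "GROUP", "SERVICE_PRINCIPAL"}),
    "JOB": ({"VIEWER", "USER", "EDITOR", "MANAGER"}, {"USER", "GROUP", "SERVICE_PRINCIPAL"}),
}

# Assumption: keywords are uppercase and names are single-quoted, as in the page's example.
STATEMENT = re.compile(
    r"^\s*REVOKE\s+ROLE\s+(?P<role>\w+)\s+ON\s+(?P<rtype>\w+)\s+'(?P<rname>[^']+)'"
    r"\s+FROM\s+(?P<ptype>\w+)\s+'(?P<pid>[^']+)'\s*$"
)

def check_revoke(statement):
    """Return a list of problems; an empty list means the combination is supported."""
    m = STATEMENT.match(statement)
    if not m:
        return ["does not match the REVOKE ROLE syntax"]
    role, rtype, ptype = m["role"], m["rtype"], m["ptype"]
    if rtype not in SUPPORTED:
        return [f"unknown resource_type {rtype}"]
    roles, principals = SUPPORTED[rtype]
    problems = []
    if role not in roles:
        problems.append(f"role {role} is not supported on {rtype}")
    if ptype not in principals:
        problems.append(f"principal_type {ptype} is not supported on {rtype}")
    if ptype == "USER" and "@" not in m["pid"]:
        problems.append("USER principal_identifier should be an email address")
    return problems

def lint_batch(statements):
    """Map each rejected statement to its problems; supported statements are omitted."""
    return {s: p for s in statements if (p := check_revoke(s))}

# Constructed batch: the first line is the page's example, the rest are made up.
BATCH = [
    "REVOKE ROLE USER ON CLUSTER 'sql-cluster' FROM USER 'woz@apple.com'",
    "REVOKE ROLE ADMIN ON CLUSTER 'sql-cluster' FROM USER 'woz@apple.com'",
    "REVOKE ROLE ADMIN ON ACCOUNT 'example-account' FROM USER 'woz@apple.com'",
    "REVOKE ROLE MEMBER ON GROUP 'example-group' FROM USER 'woz'",
]

if __name__ == "__main__":
    for stmt, problems in lint_batch(BATCH).items():
        print(stmt, "->", "; ".join(problems))
```

A statement that passes this check can still fail on the server, for instance when the principal is not yet a member of the project.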