v.20.6 Improvement

Improved REVOKE Command with Conditional Grant/Admin Option Requirements

Improved REVOKE command: it now requires grant/admin option only for the access that will be revoked. For example, executing REVOKE ALL ON *.* FROM user1 no longer requires having full access rights granted with grant option. Added command REVOKE ALL FROM user1, which revokes all granted roles from user1. #12083 (Vitaly Baranov).
Enhanced the REVOKE command to require grant/admin option only for the specific access rights being revoked, and introduced the REVOKE ALL FROM user syntax to revoke all roles from a user.

Why it matters

This feature simplifies privilege management by reducing the need for users to have full access rights with grant option when revoking privileges partially, and provides a convenient command to revoke all roles from a user at once, improving security and usability.

How to use it

To revoke specific privileges, use REVOKE as before, but now you only need grant/admin option on the rights being revoked, for example:

REVOKE ALL ON *.* FROM user1


To remove all roles granted to a user, use:

REVOKE ALL FROM user1
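
A delegated-administration scenario that uses both forms, as an added example that is not taken from the ClickHouse changelog or documentation. The database, table, user and role names and the password placeholders are constructed, and the example assumes the delegate holds grant option on exactly the one privilege and admin option on exactly the roles that user1 was given.

```sql
-- Added example with constructed names; not ClickHouse project code.
-- Part 1: run as a full administrator to set up the scenario.
CREATE DATABASE IF NOT EXISTS app;
CREATE TABLE IF NOT EXISTS app.events (id UInt64) ENGINE = MergeTree ORDER BY id;

CREATE USER IF NOT EXISTS delegate IDENTIFIED BY '<placeholder-password-1>';
CREATE USER IF NOT EXISTS user1 IDENTIFIED BY '<placeholder-password-2>';
CREATE ROLE IF NOT EXISTS reader;
CREATE ROLE IF NOT EXISTS writer;

-- The delegate is deliberately narrow: grant option on one privilege scope,
-- admin option on two roles, and nothing else.
GRANT SELECT ON app.* TO delegate WITH GRANT OPTION;
GRANT reader, writer TO delegate WITH ADMIN OPTION;

-- user1 holds only access that falls inside the delegate's scope.
GRANT SELECT ON app.events TO user1;
GRANT reader, writer TO user1;

-- Record what user1 holds before the revocation (for the audit trail).
SHOW GRANTS FOR user1;

-- Part 2: run in a session authenticated as `delegate`.
-- Under the 20.6 rule, grant option is needed only on the access being
-- revoked, so the delegate does not need ALL ON *.* WITH GRANT OPTION here.
REVOKE ALL ON *.* FROM user1;

-- New in 20.6: strip every role granted to user1 in one statement.
-- Admin option is needed on the roles being revoked (reader, writer).
REVOKE ALL FROM user1;

-- Part 3: run as the full administrator again to verify the result.
SHOW GRANTS FOR user1;
```

Comparing the two SHOW GRANTS outputs confirms that the offboarding step removed both the direct privileges and the role memberships.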