Considerations for REVOKE

  • The inherent privileges held by the owner of an object (ALL WITH GRANT OPTION) can never be revoked. To deny access to an object owned by a certain user, the ownership of the object must be given to another user.

  • If one or more of the privileges being revoked does not exist, the system returns a warning.

  • A user who has access rights because of privilege group membership loses those access rights when the user is deleted from the privilege group, or when the privilege group is dropped.

  • Individual members cannot revoke privileges granted to a privilege group and vice versa.

  • DML privileges for a schema target apply to all current and future objects in that schema. Revoking a privilege on a schema removes the corresponding access rights that the grantee holds on objects in that schema because of the schema-level grant.

  • DDL privileges that are granted individually can be revoked by specifying ALL_DDL in the REVOKE statement, and vice versa.

  • ALL [PRIVILEGES] is equivalent to ALL_DML when the target is an individual object, and to the combination of ALL_DML and ALL_DDL when the target is a schema.

  • Privileges that are granted on a schema cannot be revoked on individual objects in that schema and vice versa.
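
The schema-versus-object rules in the list above, as an added Python model that is not the database's own code: a REVOKE only removes grants recorded at the same level, so an object-level REVOKE leaves access held through a schema-level grant in place. The privilege names inside ALL_DML and ALL_DDL, the Catalog class, and the user and object names are assumptions made for illustration; treating a level mismatch as the "does not exist" warning is also a modelling assumption.

```python
# Simplified model of the REVOKE rules above; not the database's own logic.
ALL_DML = {"SELECT", "INSERT", "UPDATE", "DELETE"}  # assumed membership
ALL_DDL = {"CREATE", "ALTER", "DROP"}               # assumed membership

class Catalog:
    def __init__(self):
        self.owner = {}      # "schema.object" -> owning user
        self.grants = set()  # (grantee, level, target, privilege)

    @staticmethod
    def expand(privs, level):
        out = set()
        for p in privs:
            if p == "ALL":  # ALL_DML on an object, ALL_DML + ALL_DDL on a schema
                out |= ALL_DML | (ALL_DDL if level == "schema" else set())
            elif p in ("ALL_DML", "ALL_DDL"):
                out |= ALL_DML if p == "ALL_DML" else ALL_DDL
            else:
                out.add(p)
        return out

    def grant(self, grantee, level, target, privs):
        for p in self.expand(privs, level):
            self.grants.add((grantee, level, target, p))

    def revoke(self, grantee, level, target, privs):
        # Removes grants at exactly this level and target; returns warnings.
        warnings = []
        for p in sorted(self.expand(privs, level)):
            key = (grantee, level, target, p)
            if key in self.grants:
                self.grants.remove(key)
            else:  # nothing recorded at this level: warn, change nothing
                warnings.append(f"{p} on {level} {target} not granted to {grantee}")
        return warnings

    def can(self, user, priv, obj):
        schema = obj.split(".")[0]
        return (self.owner.get(obj) == user  # inherent, never stored as a grant
                or (user, "object", obj, priv) in self.grants
                or (user, "schema", schema, priv) in self.grants)

def demo():
    c = Catalog()
    c.owner["sales.orders"] = "alice"                # constructed sample data
    c.grant("bob", "schema", "sales", ["ALL_DML"])
    w1 = c.revoke("bob", "object", "sales.orders", ["SELECT"])  # wrong level
    still = c.can("bob", "SELECT", "sales.orders")
    w2 = c.revoke("bob", "schema", "sales", ["SELECT"])         # matching level
    return w1, still, w2, c.can("bob", "SELECT", "sales.orders")
```

When auditing access after a REVOKE, check the grantee's effective rights on the object rather than relying on the statement having completed, since a warning means nothing changed at that level.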