Revokes a single privilege on a zone from a user or role.
REVOKE <privilege> ON ZONE <zone> FROM {USER | ROLE} <grantee>## Overview REVOKE ON ZONE removes a single privilege grant from a user or role. The revoke is idempotent: revoking a grant that was never given succeeds with no error. ## Behavior - The revoke targets the exact (privilege, zone, grantee) tuple. It does not cascade to schemas or tables; revoking USAGE on a zone does not revoke USAGE on schemas underneath. - Existing sessions held by the grantee are not invalidated. Cached permission tokens may continue to grant access until they expire. ## Access Control Requires the `ManageGrants` privilege on the zone. ## Compatibility DeltaForge extension.
| Name | Type | Description |
|---|---|---|
privilege | Specifies the privilege to revoke. | |
zone | Specifies the zone. | |
grantee_type | Specifies the grantee kind: `USER` or `ROLE`. | |
grantee | Specifies the user or role name. |
REVOKE USAGE ON ZONE gold FROM ROLE analyst;