Revokes a role from a user, group, or service principal. Idempotent: revoking a non-existent assignment succeeds without error.
```sql
REVOKE ROLE <role_name> FROM [USER | GROUP | SERVICE PRINCIPAL] <grantee>
```
## Overview

REVOKE ROLE removes a role assignment from a principal. The principal loses every privilege the role granted (subject to whatever other roles or direct grants the principal still holds).

## Behavior

- The Control Plane idempotently removes the assignment. Revoking a role that was never granted to the principal succeeds with no error.
- Existing sessions held by the principal are not invalidated by REVOKE ROLE. New requests evaluate the updated role set; previously cached permission tokens may continue to grant access until they expire.
- Removing a role from a group affects every member of the group on next evaluation.

## Access Control

Requires the `ManageRoles` privilege.

## Compatibility

DeltaForge extension.

| Name | Type | Description |
|---|---|---|
| role_name | | Specifies the role to revoke. |
| grantee_type | | Specifies the grantee kind. Valid values: `USER`, `GROUP`, `SERVICE PRINCIPAL`. |
| grantee | | Specifies the principal name. |
```sql
REVOKE ROLE analyst FROM USER bob;
REVOKE ROLE data_engineer FROM GROUP platform_team;
REVOKE ROLE pipeline_runner FROM SERVICE PRINCIPAL etl_runner;
```
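
The rules in the Behavior section, modeled in Python as an added example (not DeltaForge code): idempotent revoke, the window in which a cached permission token outlives the revoke, and access retained through a group. The `ControlPlane` class, the privilege names, and the 300-second token lifetime are assumptions made for illustration; users and groups are modeled, service principals are not.

```python
from dataclasses import dataclass, field

@dataclass
class ControlPlane:
    """Toy model of the revoke semantics; every name and value is constructed."""
    role_privs: dict                                # role -> set of privileges
    groups: dict                                    # group -> set of member users
    assignments: set = field(default_factory=set)   # (role, kind, grantee)
    tokens: dict = field(default_factory=dict)      # user -> (privileges, expiry)

    def grant(self, role, kind, grantee):
        self.assignments.add((role, kind, grantee))

    def revoke(self, role, kind, grantee):
        # Idempotent: removing an assignment that does not exist is not an error.
        self.assignments.discard((role, kind, grantee))

    def effective(self, user):
        # Current role set: direct assignments plus roles held through groups.
        privs = set()
        for role, kind, grantee in self.assignments:
            direct = kind == "USER" and grantee == user
            via_group = kind == "GROUP" and user in self.groups.get(grantee, ())
            if direct or via_group:
                privs |= self.role_privs[role]
        return privs

    def issue_token(self, user, now, ttl):
        # Assumption: a permission token snapshots privileges at issue time.
        self.tokens[user] = (frozenset(self.effective(user)), now + ttl)

    def allowed(self, user, priv, now):
        cached = self.tokens.get(user)
        if cached and now < cached[1]:
            return priv in cached[0]          # unexpired cached token is honored
        return priv in self.effective(user)   # otherwise evaluate current roles

def demo():
    cp = ControlPlane({"analyst": {"read_reports"}, "data_engineer": {"write_tables"}},
                      {"platform_team": {"bob", "carol"}})
    cp.grant("analyst", "USER", "bob")
    cp.grant("data_engineer", "GROUP", "platform_team")
    cp.issue_token("bob", now=0, ttl=300)     # token cached before the revoke
    cp.revoke("analyst", "USER", "bob")
    cp.revoke("analyst", "USER", "bob")       # repeat revoke still succeeds
    return {"cached_at_100": cp.allowed("bob", "read_reports", 100),
            "fresh_at_300": cp.allowed("bob", "read_reports", 300),
            "via_group_at_300": cp.allowed("bob", "write_tables", 300)}
```

In this model `bob` keeps `read_reports` until the cached token expires and keeps `write_tables` afterwards through `platform_team`, so removing access means accounting for both the token lifetime and any remaining group-held roles.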