box.schema.user.revoke()
object-name[, {options} ]) box.schema.user.revoke(username, permissions, 'universe'[, nil, {options} ]) box.schema.user.revoke(username, role-name[, nil, nil, {options} ])
Revoke privileges from a user or from another role.
Parameters:
-
username(string) — the name of the user -
permissions(string) — one or more permissions to revoke from the user (for example,readorread,write) -
object-type(string) — a database object type to revoke permissions from (for example,space,role, orfunction) -
object-name(string) — the name of a database object to revoke permissions from -
options(table) —if_exists
The user must exist, and the object must exist, but if the option
setting is {if_exists=true} then it is not an error if the user does
not have the privilege.
Variation: instead of object-type, object-name say 'universe'
which means 'all object-types and all objects'.
Variation: instead of permissions, object-type, object-name say
role-name (see section Roles).
Variation: instead of
box.schema.user.revoke('{username}','usage,session','universe',nil, {if_exists=true}) say
box.schema.user.disable('{username}')
(see section box.schema.user.disable).
Example:
box.schema.user.revoke('testuser', 'write', 'space', 'books')box.session.su('testuser')local _, delete_book_error = pcall(function()box.space.books:delete(10)end)t.assert_equals(delete_book_error:unpack().message, "Write access to space 'books' is denied for user 'testuser'")box.session.su('admin')-- Revoke session --box.schema.user.revoke('testuser', 'session', 'universe')-- End: Revoke session --local _, change_user_error = pcall(function()box.session.su('testuser')end)t.assert_equals(change_user_error:unpack().message, "Session access to universe '' is denied for user 'testuser'")end)endg.test_user_dropped = function(cg)cg.server:exec(function()box.schema.user.create('testuser')-- Drop a user --box.schema.user.drop('testuser')-- End: Drop a user --t.assert_equals(box.schema.user.exists('testuser'), false)end)end
See also: access_control_users.