box.schema.role.revoke() | Tarantool
Check out the new release 2.8


box.schema.role.revoke(role-name, privilege, object-type, object-name)

Revoke privileges from a role.

  • role-name (string) – the name of the role.
  • privilege (string) – ‘read’ or ‘write’ or ‘execute’ or ‘create’ or ‘alter’ or ‘drop’ or a combination.
  • object-type (string) – ‘space’ or ‘function’ or ‘sequence’ or ‘role’.
  • object-name (string) – the name of a function or space or sequence or role.

The role must exist, and the object must exist, but it is not an error if the role does not have the privilege.

Variation: instead of object-type, object-name say ‘universe’ which means ‘all object-types and all objects’.

Variation: instead of privilege, object-type, object-name say role-name.


box.schema.role.revoke('Accountant', 'read', 'space', 'tester')
box.schema.role.revoke('Accountant', 'execute', 'function', 'f')
box.schema.role.revoke('Accountant', 'read,write', 'universe')
box.schema.role.revoke('public', 'Accountant')