# REVOKE > For the complete documentation index, see [llms.txt](https://docs.redpanda.com/llms.txt). Component-specific: [cloud-data-platform-full.txt](https://docs.redpanda.com/cloud-data-platform-full.txt) --- title: REVOKE latest-operator-version: v26.1.4 latest-console-tag: v3.7.3 latest-connect-version: 4.93.0 latest-redpanda-tag: v26.1.9 docname: sql/sql-statements/revoke page-component-name: cloud-data-platform page-version: master page-component-version: master page-component-title: Cloud page-relative-src-path: sql/sql-statements/revoke.adoc page-edit-url: https://github.com/redpanda-data/cloud-docs/edit/main/modules/reference/pages/sql/sql-statements/revoke.adoc description: The REVOKE statement removes privileges that were previously granted to a role. Only a superuser can revoke privileges. page-topic-type: reference page-git-created-date: "2026-05-26" page-git-modified-date: "2026-05-26" --- The `REVOKE` statement removes privileges that were previously granted to a role with [GRANT](https://docs.redpanda.com/cloud-data-platform/reference/sql/sql-statements/grant/). Only a superuser can revoke privileges. For the privilege levels and types that apply to each object, see [Privilege levels](https://docs.redpanda.com/cloud-data-platform/reference/sql/sql-statements/grant/#privilege-levels). ## [](#syntax)Syntax ### [](#revoke-on-a-table)Revoke on a table ```sql REVOKE { privilege [, ...] | ALL [PRIVILEGES] } ON TABLE table_name FROM role_name; ``` ### [](#revoke-on-an-external-source)Revoke on an external source ```sql REVOKE { SELECT | ALL [PRIVILEGES] } ON EXTERNAL SOURCE catalog_name FROM role_name; REVOKE { SELECT | ALL [PRIVILEGES] } ON EXTERNAL SOURCE catalog_name => 'pattern' FROM role_name; ``` - `pattern`: A string literal that matches a relation name. The wildcard `*` is only allowed at the end of the pattern. ### [](#revoke-on-a-schema)Revoke on a schema ```sql REVOKE { privilege [, ...] | ALL [PRIVILEGES] } ON SCHEMA schema_name FROM role_name; ``` ### [](#revoke-on-the-database)Revoke on the database Redpanda SQL exposes a single database, `oxla`. ```sql REVOKE CONNECT ON DATABASE oxla FROM role_name; ``` ## [](#behavior)Behavior - **Pattern that matches no existing grant.** When revoking on an external source with a non-wildcard pattern, the statement errors if the pattern does not match any existing grant for the role. List current grants with `SELECT * FROM information_schema.role_external_relation_grants`. - **Catalog-level revoke is idempotent.** The catalog-level form (no pattern) is idempotent and silently no-ops if no grants exist for the role on that source. Cleanup scripts can safely run it. - **Wildcard grants cannot be partially revoked.** If a role has a wildcard grant (for example `'**'**` **or `'orders_`**`'`), you cannot punch a hole in it. Revoke the wildcard grant in full, then re-grant the narrower pattern you want. ## [](#examples)Examples Revoke `SELECT` on a single topic: ```sql REVOKE SELECT ON EXTERNAL SOURCE default_redpanda_catalog => 'orders' FROM "alice@example.com"; ``` Revoke a wildcard grant: ```sql REVOKE SELECT ON EXTERNAL SOURCE default_redpanda_catalog => 'orders_*' FROM "alice@example.com"; ``` Revoke all grants on a catalog: ```sql REVOKE SELECT ON EXTERNAL SOURCE default_redpanda_catalog FROM "alice@example.com"; ``` Revoke `USAGE` on a schema: ```sql REVOKE USAGE ON SCHEMA public FROM "alice@example.com"; ``` ## [](#suggested-reading)Suggested reading - [GRANT](https://docs.redpanda.com/cloud-data-platform/reference/sql/sql-statements/grant/) - [DROP USER](https://docs.redpanda.com/cloud-data-platform/reference/sql/sql-statements/drop-user/) - [Manage access to Redpanda SQL](https://docs.redpanda.com/cloud-data-platform/sql/manage/manage-access/)