The REVOKE statement allows revoking of any RBAC roles from specific users.

Roles can be of the following two types:
simple Roles which apply generically to all buckets/resources in the cluster.

For example: ClusterAdmin or BucketAdmin

parameterized by a bucket Roles which are defined for the scope of the specified bucket only. The bucket name is specified after ON.

For example: BucketReader ON `travel-sample`

or Query_Select ON `travel-sample`

Note: Only Full Administrators can run the REVOKE statement. For more details about user roles, see Authorization.


REVOKE role1 [, role2, ...]
    ON bucket1 [, bucket2, ...]
  FROM user1 [, user2, ...]
RBAC-role is one of the RBAC role names predefined by Couchbase Server.
RBAC-user is the user name created by the Couchbase Server RBAC system.
The following roles have short forms that can be used as well:
  • query_select → select
  • query_insert → insert
  • query_update → update
  • query_delete → delete
The name of your Couchbase or Memcached bucket or buckets.
RBAC-user in your bucket.

Example 1: Revoke the role of ClusterAdmin from three people.

REVOKE ClusterAdmin FROM david, michael, robin
Example 2: Revoke the roles of ClusterAdmin and QueryUpdate in the travel sample bucket from debby.
REVOKE ClusterAdmin, QueryUpdate
    ON `travel-sample`
  FROM debby