How to Revoke Permissions in Snowflake

Galaxy Glossary

How do I safely revoke permissions in Snowflake?

REVOKE removes previously granted privileges or role assignments from users or roles.

Welcome to the Galaxy, Guardian!

Oops! Something went wrong while submitting the form.

Description

Example H2

Example H3

Why would you revoke privileges in Snowflake?

Teams revoke privileges to tighten security, off-board teammates, or clean up overly broad grants. Removing unnecessary access reduces accidental data exposure and follows the principle of least privilege.

Which objects and roles can lose privileges?

You can revoke privileges on warehouses, databases, schemas, tables, views, stages, and more. You can also revoke a role that was granted to another role or to a user.

How do you revoke a single object privilege?

Run REVOKE <privilege> ON <object_type> <object_name> FROM ROLE <role_name>;. Example below shows removing SELECT from one table.

Example: revoke SELECT on Orders

REVOKE SELECT ON TABLE Orders FROM ROLE analyst_role;

How do you revoke multiple privileges at once?

List privileges comma-separated: REVOKE SELECT, INSERT ON TABLE Orders FROM ROLE analyst_role;. This shortens maintenance scripts.

How do you revoke a role grant?

Use REVOKE ROLE <child_role> FROM ROLE <parent_role>; or REVOKE ROLE <role> FROM USER <username>; to trim nested or direct role assignments.

Can REVOKE cascade in Snowflake?

No automatic cascade. You must revoke on each dependent object or use scripts to iterate through children. Plan revokes carefully to avoid orphaned access.

Best practices for safe revokes

Always test in lower environments, capture current grants with SHOW GRANTS, and back them up. Communicate upcoming changes to affected users. Schedule revokes during low-traffic hours.

Why How to Revoke Permissions in Snowflake is important

How to Revoke Permissions in Snowflake Example Usage


-- Remove analyst_role’s read access to high-value order data
REVOKE SELECT ON TABLE Orders FROM ROLE analyst_role;

-- Remove loader_role’s ability to insert order items
REVOKE INSERT ON TABLE OrderItems FROM ROLE loader_role;

How to Revoke Permissions in Snowflake Syntax


REVOKE [ GRANT OPTION FOR ]
       { <privilege_list> | ALL [ PRIVILEGES ] }
       ON { DATABASE | SCHEMA | TABLE | VIEW | WAREHOUSE | STAGE } <object_name>
       FROM ROLE <role_name>;

REVOKE ROLE <role_name>
       FROM { ROLE <parent_role> | USER <username> };

-- Ecommerce examples
REVOKE SELECT ON TABLE Customers FROM ROLE analyst_role;
REVOKE INSERT, UPDATE ON TABLE Orders FROM ROLE loader_role;
REVOKE ROLE reporting_role FROM USER jane_doe;

Common Mistakes

Using REVOKE without saving current grants. If access removal breaks reports, you need the original grants. Fix by running and storing `SHOW GRANTS` before revoking.
Assuming REVOKE cascades to child objects. Snowflake does not cascade; revoke individually or script it. Avoid by listing dependent objects with `SHOW GRANTS TO ROLE`.