Commented by: @dyemanov

Is this statement expected to revoke both granted permissions and roles from the user / role?

Commented by: @AlexPeshkoff

I suppose it should bring a database to the state when removed user(role) is never mentioned in any ACL.

Commented by: Bjoern Reimer (bnreimer)

What about making a difference?

Only removing al User-permissions with above mentioned commands and add:

REVOKE ALL ROLES FROM ...

So a Admin can send two commands, when he wants to remove all permissions but has the choice to remove only direct granted permissions or roles.

Commented by: @AlexPeshkoff

I don't see big use in ability to separately remove roles and all the rest, and it seems to be unneeded over-complication. Remember - we started with a problem: user 'X' is dropped, why keep privileges for him?
But if other people think that such modes are also useful, this can be done.

Commented by: @dyemanov

I tend to agree with Alex here.

Commented by: @AlexPeshkoff

The final syntax for a command I've chosen is:
REVOKE ALL ON ALL FROM { <userlist> | <rolelist> }
The reason to choose that form is very simple - with initially suggested
REVOKE ALL FROM { <userlist> | <rolelist> }
it is very easy to loose all grants if one forgets ON clause.

And - I'm opened to modifying it. May be
REVOKE ALL GRANTS FROM
sounds better?

Commented by: @asfernandes

Alex, I can't understand what is the problem with REVOKE ALL FROM { <userlist> | <rolelist> }.

The meaning of ALL ON ALL is also something I don't understand.

Commented by: @AlexPeshkoff

Adriano, I had a reason to do it. It's too easy to forget ON clause, and instead desired
revoke all ON TABLE Tbl1 from user01;
type
revoke all from user01;
Currently this is syntax error, but with the form you suggest this leads to all rights revoked from user01. With default autocommit of DDL transactions this looks really dangerous to me. Let's better type
revoke all on all from user01;
when needed and be safe.