--- title: "REVOKE Certificate Permissions (Transact-SQL) | Microsoft Docs" ms.custom: "" ms.date: "06/10/2016" ms.prod: "sql-non-specified" ms.reviewer: "" ms.suite: "" ms.technology: - "database-engine" ms.tgt_pltfrm: "" ms.topic: "language-reference" dev_langs: - "TSQL" helpviewer_keywords: - "certificates [SQL Server], permissions" - "permissions [SQL Server], certificates" - "REVOKE statement, certificates" ms.assetid: 2272324a-98f2-42c6-88b1-96a99020c9e9 caps.latest.revision: 24 author: "BYHAM" ms.author: "rickbyh" manager: "jhubbard" --- # REVOKE Certificate Permissions (Transact-SQL) [!INCLUDE[tsql-appliesto-ss2008-asdb-xxxx-xxx_md](../../includes/tsql-appliesto-ss2008-asdb-xxxx-xxx-md.md)] Revokes permissions on a certificate. ![Topic link icon](../../database-engine/configure-windows/media/topic-link.gif "Topic link icon") [Transact-SQL Syntax Conventions](../../t-sql/language-elements/transact-sql-syntax-conventions-transact-sql.md) ## Syntax ``` REVOKE [ GRANT OPTION FOR ] permission [ ,...n ] ON CERTIFICATE :: certificate_name { TO | FROM } database_principal [ ,...n ] [ CASCADE ] [ AS revoking_principal ] ``` ## Arguments GRANT OPTION FOR Indicates that the ability to grant the specified permission will be revoked. The permission itself will not be revoked. > [!IMPORTANT] > If the principal has the specified permission without the GRANT option, the permission itself will be revoked. *permission* Specifies a permission that can be revoked on a certificate. Listed below. ON CERTIFICATE **::***certificate_name* Specifies the certificate on which the permission is being revoked. The scope qualifier "::" is required. *database_principal* Specifies the principal from which the permission is being revoked. One of the following: - database user - database role - application role - database user mapped to a Windows login - database user mapped to a Windows group - database user mapped to a certificate - database user mapped to an asymmetric key - database user not mapped to a server principal. CASCADE Indicates that the permission being revoked is also revoked from other principals to which it has been granted by this principal. > [!CAUTION] > A cascaded revocation of a permission granted WITH GRANT OPTION will revoke both GRANT and DENY of that permission. AS *revoking_principal* Specifies a principal from which the principal executing this query derives its right to revoke the permission. One of the following: - database user - database role - application role - database user mapped to a Windows login - database user mapped to a Windows group - database user mapped to a certificate - database user mapped to an asymmetric key - database user not mapped to a server principal. ## Remarks A certificate is a database-level securable contained by the database that is its parent in the permissions hierarchy. The most specific and limited permissions that can be revoked on a certificate are listed below, together with the more general permissions that include them by implication. |Certificate permission|Implied by certificate permission|Implied by database permission| |----------------------------|---------------------------------------|------------------------------------| |CONTROL|CONTROL|CONTROL| |TAKE OWNERSHIP|CONTROL|CONTROL| |ALTER|CONTROL|ALTER ANY CERTIFICATE| |REFERENCES|CONTROL|REFERENCES| |VIEW DEFINITION|CONTROL|VIEW DEFINITION| ## Permissions Requires CONTROL permission on the certificate. ## See Also [REVOKE (Transact-SQL)](../../t-sql/statements/revoke-transact-sql.md) [Permissions (Database Engine)](../../relational-databases/security/permissions-database-engine.md) [Principals (Database Engine)](../../relational-databases/security/authentication-access/principals-database-engine.md) [CREATE CERTIFICATE (Transact-SQL)](../../t-sql/statements/create-certificate-transact-sql.md) [CREATE ASYMMETRIC KEY (Transact-SQL)](../../t-sql/statements/create-asymmetric-key-transact-sql.md) [CREATE APPLICATION ROLE (Transact-SQL)](../../t-sql/statements/create-application-role-transact-sql.md) [Encryption Hierarchy](../../relational-databases/security/encryption/encryption-hierarchy.md)