revoke_permission
Revoke SQL permissions from a principal on a Fabric warehouse or SQL endpoint. Supports database, schema, and object-level revocation with cascade and grant option control.
Instructions
Revoke permissions on a securable from a principal.
Executes REVOKE <permissions> ON <scope> FROM <principal>.
Blocked by FABRIC_MCP_READONLY. Requires
FABRIC_MCP_ALLOW_DESTRUCTIVE=1 because revoke removes an existing
permission (destructive operation).
Args:
workspace: Workspace name or GUID.
item: Warehouse or SQL endpoint name or GUID.
permissions: Comma-separated permission tokens (e.g. "SELECT,INSERT").
principal: Principal name to revoke from (Entra UPN, app GUID, or role name).
scope: Securable class -- "DATABASE" (default), "SCHEMA", or
"OBJECT".
schema: Schema name (required when scope is "SCHEMA").
object_name: Qualified object name <schema>.<object> (required when
scope is "OBJECT").
columns: Optional list of column names for column-level security
(OBJECT scope only; permissions must be SELECT, UPDATE, or
REFERENCES). Pass None (omit) for no column restriction.
Passing an empty list raises a ToolError.
grant_option_only: When True, revokes only the grant option (adds
GRANT OPTION FOR), leaving the base permission in place.
cascade: When True, cascades the revocation to principals the
grantee has granted the permission to (adds CASCADE).
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| item | Yes | ||
| scope | No | DATABASE | |
| schema | No | ||
| cascade | No | ||
| columns | No | ||
| principal | Yes | ||
| workspace | Yes | ||
| object_name | No | ||
| permissions | Yes | ||
| grant_option_only | No |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
No arguments | |||