Denies the permission on a resource, even if the role is directly granted or inherits permissions.

Use RESTRICT to deny access to a role on a data resource, that is a keyspace or table. Restrict denies access even if permission to access the resource has been granted.

Note: RESTRICT permission always take precedence over GRANT permissions.


RESTRICT permission
  ON [keyspace_name.]table_name 
  TO role_name ;
Table 1. Legend
Syntax conventions Description
UPPERCASE Literal keyword.
Lowercase Not literal.
Italics Variable value. Replace with a user-defined value.
[] Optional. Square brackets ( [] ) surround optional command arguments. Do not type the square brackets.
( ) Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses.
| Or. A vertical bar ( | ) separates alternative elements. Type any one of the elements. Do not type the vertical bar.
... Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required.
'Literal string' Single quotation ( ' ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.
{ key : value } Map collection. Braces ( { } ) enclose map collections or key value pairs. A colon separates the key and the value.
<datatype1,datatype2> Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.
cql_statement; End CQL statement. A semicolon ( ; ) terminates all CQL statements.
[--] Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options.
' <schema> ... </schema> ' Search CQL only: Single quotation marks ( ' ) surround an entire XML schema declaration.
@xml_entity='xml_entity_type' Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files.
A comma separated list of permissions that the role is prevented from using on the resources even if the permissions is granted. Where the permission types are: ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, DESCRIBE, DROP, MODIFY, and SELECT.
Database object to which the permission is denied. Restriction is applied using modeled hierarchy as follows:
  • ALL KEYSPACES - restricts access to every keyspace and table.
  • KEYSPACE keyspace_name - restricts access on the keyspace and any table it contains
  • TABLE table_name - restricts access on the table and all the data it contains


Prevent the role admin from seeing any data in the cycling keyspace:
TO role_admin;