RESTRICT

Denies the permission on a resource, even if the role is directly granted or inherits permissions.

Use RESTRICT to deny access to a role on a data resource, that is a keyspace or table. Restrict denies access even if permission to access the resource has been granted or inherited.
Attention: However, regardless of how you use RESTRICT, an account with the superuser role has full read/write access to the database. If your goal is that certain database administrators should not be able to see or modify data, do not assign superuser to those accounts. Instead, use RESTRICT to create database administrator accounts that are able to manage database resources and roles, but are unable to see or modify data. See also Restricting access to data.
Note: RESTRICT permission always take precedence over GRANT permissions.

Synopsis

RESTRICT permission
  ON [keyspace_name.]table_name 
  TO role_name ;
Table 1. Legend
Syntax conventions Description
UPPERCASE Literal keyword.
Lowercase Not literal.
Italics Variable value. Replace with a user-defined value.
[] Optional. Square brackets ( [] ) surround optional command arguments. Do not type the square brackets.
( ) Group. Parentheses ( ( ) ) identify a group to choose from. Do not type the parentheses.
| Or. A vertical bar ( | ) separates alternative elements. Type any one of the elements. Do not type the vertical bar.
... Repeatable. An ellipsis ( ... ) indicates that you can repeat the syntax element as often as required.
'Literal string' Single quotation ( ' ) marks must surround literal strings in CQL statements. Use single quotation marks to preserve upper case.
{ key : value } Map collection. Braces ( { } ) enclose map collections or key value pairs. A colon separates the key and the value.
<datatype1,datatype2> Set, list, map, or tuple. Angle brackets ( < > ) enclose data types in a set, list, map, or tuple. Separate the data types with a comma.
cql_statement; End CQL statement. A semicolon ( ; ) terminates all CQL statements.
[--] Separate the command line options from the command arguments with two hyphens ( -- ). This syntax is useful when arguments might be mistaken for command line options.
' <schema> ... </schema> ' Search CQL only: Single quotation marks ( ' ) surround an entire XML schema declaration.
@xml_entity='xml_entity_type' Search CQL only: Identify the entity and literal value to overwrite the XML element in the schema and solrConfig files.
permission
A comma separated list of permissions that the role is prevented from using on the resources even if the permissions is granted. Where the permission types are: ALL PERMISSIONS or ALTER, AUTHORIZE [FOR permission_list], CREATE, DESCRIBE, DROP, MODIFY, and SELECT.
resource
Database object to which the permission is denied. Restriction is applied using modeled hierarchy as follows:
  • ALL KEYSPACES - restricts access to every keyspace and table.
  • KEYSPACE keyspace_name - restricts access on the keyspace and any table it contains
  • TABLE table_name - restricts access on the table and all the data it contains

Examples

Prevent the role admin from seeing any data in the cycling keyspace:
RESTRICT MODIFY, SELECT
ON KEYSPACE cycling
TO role_admin;