Adds **Revoking grants from a user** paragraph (#5161)

AArdeev · web-flow · commit 6406bbd50260 · 2025-06-09T16:45:28.000+03:00
* Adds **Revoking grants from a user** paragraph * New paragraph explains how to revoke privileges manipulating config file * Fixes #5152
diff --git a/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml
@@ -0,0 +1,7 @@
+# empty permissions array:
+privileges:
+- permissions: [] # !! read permission revoked !!
+  spaces: [books]
+
+# empty privileges array:
+  privileges: [] # !! no privileges at all !!
diff --git a/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml b/doc/code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml
@@ -0,0 +1,9 @@
+# grant privileges:
+privileges:
+- permissions: [read, write]
+  spaces: [books]
+
+# revoke a privilege:
+  privileges:
+  - permissions: [read] # !! write permission revoked !!
+    spaces: [books]
diff --git a/doc/platform/connections_and_auth/credentials.rst b/doc/platform/connections_and_auth/credentials.rst
@@ -80,7 +80,38 @@ In this example, ``sampleuser`` gets privileges to select and modify data in the
 
 You can find the full example here: `credentials <https://github.com/tarantool/doc/tree/latest/doc/code_snippets/snippets/config/instances.enabled/credentials>`_.
 
+.. _configuration_credentials_managing_users_roles_revoking_privileges:
 
+Revoking privileges from a user
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To revoke a previously granted privilege, remove it from the configuration.
+
+For example, here is how to grant privileges to a space and how to revoke one of the privileges:
+
+..  literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/revoke_one.yaml
+    :language: yaml
+    :start-at: # grant privileges
+    :dedent:
+
+If you want to revoke the remaining privilege to from a space, you can remove it, too, thus making ``permissions`` an empty array:
+
+..  literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml
+    :language: yaml
+    :start-at: # empty permissions array:
+    :end-at: [books]
+    :dedent:
+
+You can revoke all privileges by making the ``privileges`` an empty array:
+
+..  literalinclude:: /code_snippets/snippets/config/instances.enabled/credentials/revoke_all.yaml
+    :language: yaml
+    :start-at: # empty privileges array:
+    :dedent:
+
+..  warning::
+    Do not remove a user or a role from configuration in order to revoke that user's or role's privileges. If a user or a role is entirely 
+    removed from the configuration, it is not tracked by configuration machinery anymore. The user/role is not removed and its privileges are not revoked.
 
 .. _configuration_credentials_loading_secrets:
 
