DB2 10.5 for Linux, UNIX, and Windows

REVOKE (package privileges) statement

This form of the REVOKE statement revokes CONTROL, BIND, and EXECUTE privileges against a package.

Invocation

This statement can be embedded in an application program or issued through the use of dynamic SQL statements. It is an executable statement that can be dynamically prepared only if DYNAMICRULES run behavior is in effect for the package (SQLSTATE 42509).

Authorization

The privileges held by the authorization ID of the statement must include at least one of the following authorities:
  • CONTROL privilege on the referenced package
  • ACCESSCTRL or SECADM authority

ACCESSCTRL or SECADM authority is required to revoke the CONTROL privilege.

Syntax

Read syntax diagramSkip visual syntax diagram
           .-,---------------.                                  
           V                 |              (2)                 
>>-REVOKE----+-BIND--------+-+--ON--PACKAGE------package-name--->
             +-CONTROL-----+                                    
             |         (1) |                                    
             '-EXECUTE-----'                                    

         .-,---------------------------------.               
         V                                   |  .-BY ALL-.   
>--FROM----+-+-------+--authorization-name-+-+--+--------+-----><
           | +-USER--+                     |                 
           | +-GROUP-+                     |                 
           | '-ROLE--'                     |                 
           '-PUBLIC------------------------'                 

Notes:
  1. RUN can be used as a synonym for EXECUTE.
  2. PROGRAM can be used as a synonym for PACKAGE.

Description

BIND
Revokes the privilege to execute BIND or REBIND on-or to add a new version of- the referenced package.

The BIND privilege cannot be revoked from an authorization-name that holds CONTROL privilege on the package, without also revoking the CONTROL privilege.

CONTROL
Revokes the privilege to drop the package and to extend package privileges to other users.

Revoking CONTROL does not revoke the other package privileges.

EXECUTE
Revokes the privilege to execute the package.

The EXECUTE privilege cannot be revoked from an authorization-name that holds CONTROL privilege on the package without also revoking the CONTROL privilege.

ON PACKAGE package-name
Specifies the name of the package on which privileges are to be revoked. The revoking of a package privilege applies to all versions of the package.
FROM
Indicates from whom the privileges are revoked.
USER
Specifies that the authorization-name identifies a user.
GROUP
Specifies that the authorization-name identifies a group name.
ROLE
Specifies that the authorization-name identifies a role name.
authorization-name,...
Lists the authorization IDs of one or more users, groups, or roles.

The list of authorization IDs cannot include the authorization ID of the user issuing the statement (SQLSTATE 42502).

PUBLIC
Revokes the privileges from PUBLIC.
BY ALL
Revokes each named privilege from all named users who were explicitly granted those privileges, regardless of who granted them. This is the default behavior.

Rules

Notes

Examples