REVOKE (variable privileges)
This form of the REVOKE statement revokes privileges on global variables.
Syntax for REVOKE (variable privileges)
Description for REVOKE (variable privileges)
- ALL PRIVILEGES
- Revokes both READ and WRITE privileges on the specified global variable.
- READ
- Revokes the privilege to read the value of the specified global variable.
- WRITE
- Revokes the privilege to assign a value to the specified global variable.
- ON VARIABLE variable-name
- Identifies the global variable from which privileges are revoked. variable-name must identify a global variable that exists at the current server.
- FROM
- Refer to REVOKE statement for a description of the FROM clause.
- BY
- Refer to REVOKE statement for a description of the BY clause.
- RESTRICT
- Prevents the specified privileges from being revoked on a global variable if the following conditions exist:
- A function that is owned by the revokee references (READ or WRITE privilege) the specified global variable
- A view that is owned by the revokee references (READ or WRITE privilege) the specified global variable
- A trigger that is owned by the revokee references (READ or WRITE privilege) the specified global variable
- INCLUDING DEPENDENT PRIVILEGES or NOT INCLUDING DEPENDENT PRIVILEGES
- Specifies
whether revoking a privilege or an authority from an authorization
ID or a role also results in revoking the grants that were made by
that user. The default value is based on the authority that is being
revoked and the REVOKE_DEP_PRIVILEGES system parameter:
- When ACCESSCTRL, DATAACCESS, or system DBADM authority is revoked, NOT INCLUDING DEPENDENT PRIVILEGES is assumed and the clause must be specified on the REVOKE statement.
- When the REVOKE_DEP_PRIVILEGES system parameter is set to NO, NOT INCLUDING DEPENDENT PRIVILEGES is assumed and an error is returned if the statement includes INCLUDING DEPENDENT PRIVILEGES.
- Otherwise, INCLUDING DEPENDENT PRIVILEGES is assumed and the clause must be specified on the REVOKE statement.
- INCLUDING DEPENDENT PRIVILEGES
- Specifies that revoking a privilege or an authority from an authorization
ID or a role also results in revoking dependent privileges. This means
that any grants that were made by the user will continue to be revoked,
until all grants in the chain have been revoked.
INCLUDING DEPENDENT PRIVILEGES cannot be specified if the system parameter REVOKE_DEP_PRIVILEGES is set to NO, which enforces the behavior to not include the dependent privileges.
- NOT INCLUDING DEPENDENT PRIVILEGES
- Specifies that revoking a privilege or an authority from an authorization
ID or a role does not cause the grants that were made by the user
to be revoked. However, for the revoked privileges, all implications
of the privilege being revoked are applied. For example, if the revoked
privileges were required to bind a package successfully, that package
would continue to be invalidated as a result of the package owner
losing these privileges. An object might be dropped if a privilege
is revoked that was used to create the object.
NOT INCLUDING DEPENDENT PRIVILEGES must be specified when ACCESSCTRL, DATAACCESS, or system DBADM authority is revoked.
NOT INCLUDING DEPENDENT PRIVILEGES cannot be specified if the system parameter REVOKE_DEP_PRIVILEGES is set toYES, which enforces the behavior to include dependent privileges in the revoke.
Notes for REVOKE (variable privileges)
Global variables and statements in the dynamic statement cache: If a cached dynamic statement depends on the revoked authorization for the specified global variable and the cache statement is not in use, the cached dynamic statement will be invalidated.