REVOKE (package privileges)
This form of the REVOKE statement revokes privileges on packages.
Syntax for REVOKE (package privileges)
Description for REVOKE (package privileges)
- BIND
- Revokes the privilege to use the BIND and REBIND subcommands for the designated packages. In addition, if the value of field BIND NEW PACKAGE on installation panel DSNTIPP is BIND, the additional BIND privilege of adding new versions of packages is revoked. (For details, see GRANT (package privileges).)
- COPY
- Revokes the privilege to use the COPY option of the BIND subcommand for the designated packages.
- EXECUTE
- Revokes the privilege to run application programs that use the designated packages and to specify the packages following PKLIST for the BIND PLAN and REBIND PLAN commands. RUN is an alternate name for the same privilege.
- ALL
- Revokes all package privileges for which you have authority for the packages named in the ON clause.
- ON PACKAGE collection-id.package-name,...
- Identifies packages for which you are revoking privileges. The revoking of a package privilege applies to all versions of that package. For each package that you identify, you (or the indicated grantors) must have granted at least one of the specified privileges on that package to all identified users (including PUBLIC, if specified). An authorization ID with PACKADM authority over the collection or all collections, SYSADM, or SYSCTRL authority can specify all packages in the collection by using * for package-name. The same package must not be specified more than once.
- FROM
- Refer to REVOKE for a description of the FROM clause.
- BY
- Refer to REVOKE for a description of the BY clause.
- INCLUDING DEPENDENT PRIVILEGES or NOT INCLUDING DEPENDENT PRIVILEGES
- Specifies
whether revoking a privilege or an authority from an authorization
ID or a role also results in revoking the grants that were made by
that user. The default value is based on the authority that is being
revoked and the REVOKE_DEP_PRIVILEGES system parameter:
- When ACCESSCTRL, DATAACCESS, or system DBADM authority is revoked, NOT INCLUDING DEPENDENT PRIVILEGES is assumed and the clause must be specified on the REVOKE statement.
- When the REVOKE_DEP_PRIVILEGES system parameter is set to NO, NOT INCLUDING DEPENDENT PRIVILEGES is assumed and an error is returned if the statement includes INCLUDING DEPENDENT PRIVILEGES.
- Otherwise, INCLUDING DEPENDENT PRIVILEGES is assumed and the clause must be specified on the REVOKE statement.
- INCLUDING DEPENDENT PRIVILEGES
- Specifies that revoking a privilege or an authority from an authorization
ID or a role also results in revoking dependent privileges. This means
that any grants that were made by the user will continue to be revoked,
until all grants in the chain have been revoked.
INCLUDING DEPENDENT PRIVILEGES cannot be specified if the system parameter REVOKE_DEP_PRIVILEGES is set to NO, which enforces the behavior to not include the dependent privileges.
- NOT INCLUDING DEPENDENT PRIVILEGES
- Specifies that revoking a privilege or an authority from an authorization
ID or a role does not cause the grants that were made by the user
to be revoked. However, for the revoked privileges, all implications
of the privilege being revoked are applied. For example, if the revoked
privileges were required to bind a package successfully, that package
would continue to be invalidated as a result of the package owner
losing these privileges. An object might be dropped if a privilege
is revoked that was used to create the object.
NOT INCLUDING DEPENDENT PRIVILEGES must be specified when ACCESSCTRL, DATAACCESS, or system DBADM authority is revoked.
NOT INCLUDING DEPENDENT PRIVILEGES cannot be specified if the system parameter REVOKE_DEP_PRIVILEGES is set toYES, which enforces the behavior to include dependent privileges in the revoke.
Notes for REVOKE (package privileges)
Alternative syntax and synonyms: To provide compatibility with previous releases of Db2 or other products in the Db2 family, Db2 supports specifying PROGRAM as a synonym for PACKAGE.
Examples for REVOKE (package privileges)
Example 1: Revoke the privilege
to copy all packages in collection DSN8CC61 from LEWIS.
REVOKE COPY ON PACKAGE DSN8CC61.* FROM LEWIS;
Example 2: Revoke the privilege to run all packages
in collection DSN9CC13 from role ROLE1:
REVOKE EXECUTE ON PACKAGE DSN9CC13.* FROM ROLE ROLE1;