-556 revoke-target CANNOT HAVE THE privilege PRIVILEGE object-name REVOKED BY revoker-id BECAUSE THE REVOKEE DOES NOT POSSESS THE PRIVILEGE OR THE REVOKER DID NOT MAKE THE GRANT
Explanation
The REVOKE statement was not successful.
- revoke-target
- The authorization ID that the revoke attempt was made against.
- privilege
- The name of the privilege that was to be revoked.
- object-name
- The name of the object that the privilege applies to.
- revoker-id
- The authorization ID that attempted to revoke the privilege.
If
you are using a trusted context, the tokens revoke-target and revoker-id might
return a role instead of an authorization ID. A role is returned
if a role was in effect and the authorization checking is performed
against the role, rather than the authorization ID of the session,
when the condition was encountered. Otherwise an authorization ID
is returned. A role is returned in the following format as a single
token:
ROLE: role-name
A failed revocation attempt is commonly caused by one or more of the following conditions:
- The authorization ID that was the target of the REVOKE statement, revoke-target, does not possess the privilege that was to be revoked.
- The revoking authorization ID, revoker-id, did not explicitly grant the privilege to revoke-target. An authorization ID can revoke only the privileges that it has explicitly granted to other authorization IDs, unless the authorization ID has SECADM or ACCESSCTRL authority and specifies the BY clause.
- The authorization ID revoke-target is the owner of the specified object. No authorization ID, not even SECADM, can revoke privileges on an object from the object owner.
- If privilege is "***": The keyword ALL was used in the REVOKE statement, but revoke-target did not possess any privilege to revoke.
- If revoker-id is "ALL": The BY ALL clause was used in the REVOKE statement, but revoke-target did not possess any privilege to revoke.
- If revoker-id holds SECADM or ACCESSCTRL authority: The BY clause might have been omitted from the REVOKE statement.
System action
The statement was not executed. No privileges were revoked from any authorization ID.
Programmer response
Check the appropriate authorization catalog tables to verify that revoke-target possesses the privilege to be revoked. Issue a query with GRANTEE set to the value in revoke-target and the privilege column not equal to blanks. Correct and reissue the REVOKE statement.
SQLSTATE
42504