
-556   revoke-target CANNOT HAVE THE privilege PRIVILEGE object-name REVOKED BY revoker-id BECAUSE THE REVOKEE DOES NOT POSSESS THE PRIVILEGE OR THE REVOKER DID NOT MAKE THE GRANT

Explanation

The REVOKE statement was not successful.

revoke-target
The authorization ID that the revoke attempt was made against.
privilege
The name of the privilege that was to be revoked.
object-name
The name of the object that the privilege applies to.
revoker-id
The authorization ID that attempted to revoke the privilege.

If you are using a trusted context, the tokens revoke-target and revoker-id might return a role instead of an authorization ID. A role is returned if a role was in effect and the authorization checking is performed against the role, rather than the authorization ID of the session, when the condition was encountered. Otherwise an authorization ID is returned. A role is returned in the following format as a single token:
ROLE: role-name

A failed revocation attempt is commonly caused by one or more of the following conditions:

  • The authorization ID that was the target of the REVOKE statement, revoke-target, does not possess the privilege that was to be revoked.
  • The revoking authorization ID, revoker-id, did not explicitly grant the privilege to revoke-target. An authorization ID can revoke only the privileges that it has explicitly granted to other authorization IDs, unless the authorization ID has SECADM or ACCESSCTRL authority and specifies the BY clause.
  • The authorization ID revoke-target is the owner of the specified object. No authorization ID, not even SECADM, can revoke privileges on an object from the object owner.
  • If privilege is "***": The keyword ALL was used in the REVOKE statement, but revoke-target did not possess any privilege to revoke.
  • If revoker-id is "ALL": The BY ALL clause was used in the REVOKE statement, but revoke-target did not possess any privilege to revoke.
  • If revoker-id holds SECADM or ACCESSCTRL authority: The BY clause might have been omitted from the REVOKE statement.

System action

The statement was not executed. No privileges were revoked from any authorization ID.

Programmer response

Check the appropriate authorization catalog tables to verify that revoke-target possesses the privilege to be revoked. Issue a query with GRANTEE set to the value in revoke-target and the privilege column not equal to blanks. Correct and reissue the REVOKE statement.
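
The following is an added example, not part of the original message text, showing the catalog check described above for the case of a table privilege. It assumes the privilege is SELECT on a table, so the catalog tables queried are SYSIBM.SYSTABAUTH and SYSIBM.SYSTABLES; the authorization IDs USER1 and ADMF001 and the table PAYROLL.EMP are constructed sample values standing in for revoke-target, revoker-id and object-name.

```sql
-- Constructed sample values (assumptions, not from the message text):
--   revoke-target = 'USER1'      revoker-id  = 'ADMF001'
--   privilege     = SELECT       object-name = PAYROLL.EMP

-- Step 1: does revoke-target hold the privilege, and who granted it?
-- SELECTAUTH is blank when the privilege is not held, 'Y' when held,
-- and 'G' when held with the GRANT option.
-- GRANTEETYPE / GRANTORTYPE = 'L' means the ID is a role (trusted context).
SELECT GRANTOR, GRANTORTYPE, GRANTEE, GRANTEETYPE, SELECTAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE GRANTEE    = 'USER1'
   AND TCREATOR   = 'PAYROLL'
   AND TTNAME     = 'EMP'
   AND SELECTAUTH <> ' ';

-- Reading the result:
--   no rows                -> revoke-target does not possess the privilege
--   rows, GRANTOR = ADMF001 -> the grant exists; look at step 2
--   rows, GRANTOR <> ADMF001 -> revoker-id did not make the grant; the
--                              grantor must revoke it, or an ID with
--                              SECADM or ACCESSCTRL must name the grantor
--                              in the BY clause

-- Step 2: is revoke-target the owner of the object?
-- Privileges cannot be revoked from the object owner by any ID.
SELECT CREATOR, NAME, OWNER, OWNERTYPE
  FROM SYSIBM.SYSTABLES
 WHERE CREATOR = 'PAYROLL'
   AND NAME    = 'EMP';

-- Step 3: reissue the REVOKE once the cause is known.
-- Issued by the original grantor:
REVOKE SELECT ON TABLE PAYROLL.EMP FROM USER1;

-- Issued by an ID with SECADM or ACCESSCTRL authority, where GRANTOR1
-- is the GRANTOR value returned by step 1 (constructed name):
REVOKE SELECT ON TABLE PAYROLL.EMP FROM USER1 BY GRANTOR1;
```

For privileges on other object types, the same check applies against the authorization catalog table for that object type, using its own privilege columns.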

SQLSTATE

42504
