REVOKE DEP PRIV field (REVOKE_DEP_PRIVILEGES subsystem parameter)
The REVOKE_DEP_PRIVILEGES subsystem parameter controls whether revoking a privilege from a user also causes dependent privileges to be revoked. If dependent privileges are revoked, revoking a privilege from a user also revokes the privilege from anyone to whom that user has granted it.
| Acceptable values: | NO, YES, SQLSTMT |
|---|---|
| Default: | SQLSTMT |
| Update: | option 39 on panel DSNTIPB |
| DSNZPxxx: | DSN6SPRM REVOKE_DEP_PRIVILEGES |
| Security parameter: | Yes |
- NO
  - REVOKE statements do not include dependent privileges. An error occurs if a REVOKE statement contains the INCLUDING DEPENDENT PRIVILEGES clause.
- YES
  - REVOKE statements include dependent privileges, except when ACCESSCTRL, DATAACCESS, and system DBADM authorities are revoked. An error occurs if a REVOKE statement contains the NOT INCLUDING DEPENDENT PRIVILEGES clause, except when ACCESSCTRL, DATAACCESS, and system DBADM authorities are revoked.
- SQLSTMT
  - Allows revoking of dependent privileges to be controlled at the SQL level, as specified in REVOKE statements. Db2 recognizes the dependent privileges clause (INCLUDING DEPENDENT PRIVILEGES or NOT INCLUDING DEPENDENT PRIVILEGES) of the REVOKE statement.
Note: This is a security-related parameter. If it is set to
NO, privileges that were granted by a user are retained even if that
user loses the authority that allowed the user to perform the grant.
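
The following is an added example, not part of the original documentation. It shows how the two REVOKE clauses behave under each setting for a two-step grant chain. The table PAYROLL.EMP and the authorization IDs USRA and USRB are constructed names, the audit query uses the Db2 catalog table SYSIBM.SYSTABAUTH (which this page does not mention), and it assumes USRA holds SELECT only through the grant shown.

```sql
-- Constructed objects: table PAYROLL.EMP, authorization IDs USRA and USRB.

-- Step 1 (run by the table owner): USRA may pass the privilege on.
GRANT SELECT ON TABLE PAYROLL.EMP TO USRA WITH GRANT OPTION;

-- Step 2 (run by USRA): USRB's privilege now depends on USRA's.
GRANT SELECT ON TABLE PAYROLL.EMP TO USRB;

-- Audit the grant chain. SELECTAUTH is 'G' when held with the grant
-- option, 'Y' when held without it, and blank when not held.
SELECT GRANTOR, GRANTEE, SELECTAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE TCREATOR = 'PAYROLL'
   AND TTNAME   = 'EMP'
   AND SELECTAUTH <> ' '
 ORDER BY GRANTOR, GRANTEE;

-- Alternative A (run by the table owner): revoke with the cascade.
--   SQLSTMT : accepted; USRB's dependent privilege is revoked as well.
--   YES     : accepted; dependent privileges are included.
--   NO      : error, because the INCLUDING clause is not allowed.
REVOKE SELECT ON TABLE PAYROLL.EMP FROM USRA
  INCLUDING DEPENDENT PRIVILEGES;

-- Alternative B (run by the table owner): revoke without the cascade.
--   SQLSTMT : accepted; USRB keeps the privilege that USRA granted.
--   NO      : accepted; dependent privileges are never included.
--   YES     : error, because SELECT is not one of the excepted
--             authorities (ACCESSCTRL, DATAACCESS, system DBADM).
REVOKE SELECT ON TABLE PAYROLL.EMP FROM USRA
  NOT INCLUDING DEPENDENT PRIVILEGES;

-- After alternative B, find grants retained from a grantor that no
-- longer holds the privilege on the same table (the case the Note
-- describes). SYSADM-level grantors hold no SYSTABAUTH row of their
-- own, so review rows for such IDs manually.
SELECT D.GRANTOR, D.GRANTEE, D.TCREATOR, D.TTNAME
  FROM SYSIBM.SYSTABAUTH D
 WHERE D.SELECTAUTH <> ' '
   AND D.GRANTOR <> D.TCREATOR
   AND NOT EXISTS (SELECT 1
                     FROM SYSIBM.SYSTABAUTH G
                    WHERE G.GRANTEE  = D.GRANTOR
                      AND G.TCREATOR = D.TCREATOR
                      AND G.TTNAME   = D.TTNAME
                      AND G.SELECTAUTH = 'G');
```

Alternatives A and B are mutually exclusive for a given grant; run one of them, then rerun the audit query to confirm which rows remain.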