Authorization checks for caching of dynamic SQL statements

Dynamic statements can be cached after they pass the authorization checks, provided that dynamic statement caching is enabled on your system.

Begin program-specific programming interface information.

If authorization checks for dynamic statements are performed by the authorization access control exit routine, the role in effect or the primary authorization ID is cached. Db2 authorization can cache roles or primary authorization IDs for handling dynamic statements. Db2 checks and caches a role if it is in effect and authorized. If a role is not in effect or authorized, Db2 checks and caches the primary authorization ID.

If the privileges that a cached statement requires are revoked from the authorization ID that is cached with the statement, the cached statement must be invalidated. If the privilege is revoked in the exit routine, you must use the SQL GRANT and REVOKE statements to refresh the specific entry in the cache and invalidate any dependent package. If the privilege is revoked from a RACF® group, you must issue the GRANT and REVOKE statements to refresh the cache information for every user in the RACF group. If the privilege is revoked from a profile name that is specified with generic characters, you must issue the GRANT and REVOKE statements to refresh the cache information for every object in Db2 that matches the generic characters for that object type.

End program-specific programming interface information.
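The three refresh cases described above, written out as statement pairs. This is an added example, not part of the original documentation; the table names, authorization IDs and the SELECT privilege are hypothetical placeholders.

```sql
-- Added example. Hypothetical names:
--   PAYROLL.EMP, PAYROLL.DEPT   tables referenced by cached dynamic statements
--   USER1, USER2                authorization IDs cached with those statements
--   SELECT                      the privilege that was revoked outside Db2

-- Case 1: the privilege was revoked in the exit routine for one
-- authorization ID. Issue the pair for that ID and object so that the
-- specific cache entry is refreshed. Ending on REVOKE leaves the Db2
-- catalog without the privilege, matching the external decision.
GRANT  SELECT ON TABLE PAYROLL.EMP TO   USER1;
REVOKE SELECT ON TABLE PAYROLL.EMP FROM USER1;

-- Case 2: the privilege was revoked from a RACF group whose members are
-- USER1 and USER2. The pair must cover every user in the group; the
-- authorization-ID list form does that in one statement each.
GRANT  SELECT ON TABLE PAYROLL.EMP TO   USER1, USER2;
REVOKE SELECT ON TABLE PAYROLL.EMP FROM USER1, USER2;

-- Case 3: the privilege was revoked from a profile specified with
-- generic characters that matches both PAYROLL tables. The pair must be
-- issued for every matching object of that object type.
GRANT  SELECT ON TABLE PAYROLL.EMP  TO   USER1;
REVOKE SELECT ON TABLE PAYROLL.EMP  FROM USER1;
GRANT  SELECT ON TABLE PAYROLL.DEPT TO   USER1;
REVOKE SELECT ON TABLE PAYROLL.DEPT FROM USER1;
```

For cases 2 and 3, build the user list from current group membership and the object list from the objects that the generic profile actually matches, so that no cached entry is missed.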