Caching of EXECUTE on plans, packages, and routines
The results of authorization checks on the EXECUTE privilege for plans, packages, and routines are cached if plan, package, and routine authorization caching is enabled on your system.
Db2 authorization can cache roles or primary authorization IDs if authorization checks are performed by the access control authorization exit routine. Db2 checks and caches a role if it is in effect and authorized. If a role is not in effect or the role is not authorized, Db2 checks and caches the primary authorization ID.
If this privilege is revoked in the exit routine, the cached information is not updated to reflect the revoke. You must use the SQL GRANT statement and the REVOKE statements to refresh the specific entry in the cache and invalidate any dependent package. If the privilege is revoked from a RACF® group, you must issue the GRANT and REVOKE statements to refresh the cache information for every user in the RACF group. If the privilege is revoked from a profile name that is specified with generic characters, you must issue the GRANT and REVOKE statements to refresh the cache information for every object in Db2 that matches the generic characters for that object type.
If the AUTHEXIT_CACHEREFRESH subsystem parameter is set to ALL, Db2 refreshes the cache entries of the package authorization, the routine authorization, and the dynamic statement when a user profile or resource access is changed in RACF and the access control authorization exit is active. If the z/OS® release is 2.5 or later, Db2 refreshes the cache entries of the plan authorization when a resource access on the plan object profile is changed in RACF and the access control authorization exit is active. Db2 refreshes the cache entries for DDF user authentication when the user profile is changed in RACF. The DDF user authentication cache is refreshed regardless of whether security is managed with Db2 facilities or with the access control authorization exit.