REVOKE statement (plan privileges)

This form of the REVOKE statement revokes privileges on application plans.

Syntax for REVOKE (plan privileges)

Read syntax diagramSkip visual syntax diagram REVOKE ,BINDEXECUTE ON PLAN ,plan-name FROM ,authorization-nameROLErole-namePUBLICBY,authorization-nameROLErole-nameALLINCLUDING DEPENDENT PRIVILEGESNOT INCLUDING DEPENDENT PRIVILEGES

Description for REVOKE (plan privileges)

BIND
Revokes the privilege to use the BIND, REBIND, and FREE subcommands for the identified plans.
EXECUTE
Revokes the privilege to run application programs that use the identified plans.
ON PLAN plan-name,...
Identifies application plans for which you are revoking privileges. For each plan that you identify, you (or the indicated grantors) must have granted at least one of the specified privileges on that plan to all identified users (including PUBLIC, if specified). The same plan must not be specified more than once.
FROM
Refer to REVOKE statement for a description of the FROM clause.
BY
Refer to REVOKE statement for a description of the BY clause.
INCLUDING DEPENDENT PRIVILEGES or NOT INCLUDING DEPENDENT PRIVILEGES
Specifies whether revoking a privilege or an authority from an authorization ID or a role also results in revoking the grants that were made by that user. The default value is based on the authority that is being revoked and the REVOKE_DEP_PRIVILEGES system parameter:
  • When ACCESSCTRL, DATAACCESS, or system DBADM authority is revoked, NOT INCLUDING DEPENDENT PRIVILEGES is assumed and the clause must be specified on the REVOKE statement.
  • When the REVOKE_DEP_PRIVILEGES system parameter is set to NO, NOT INCLUDING DEPENDENT PRIVILEGES is assumed and an error is returned if the statement includes INCLUDING DEPENDENT PRIVILEGES.
  • Otherwise, INCLUDING DEPENDENT PRIVILEGES is assumed and the clause must be specified on the REVOKE statement.
INCLUDING DEPENDENT PRIVILEGES
Specifies that revoking a privilege or an authority from an authorization ID or a role also results in revoking dependent privileges. This means that any grants that were made by the user will continue to be revoked, until all grants in the chain have been revoked.

INCLUDING DEPENDENT PRIVILEGES cannot be specified if the system parameter REVOKE_DEP_PRIVILEGES is set to NO, which enforces the behavior to not include the dependent privileges.

NOT INCLUDING DEPENDENT PRIVILEGES
Specifies that revoking a privilege or an authority from an authorization ID or a role does not cause the grants that were made by the user to be revoked. However, for the revoked privileges, all implications of the privilege being revoked are applied. For example, if the revoked privileges were required to bind a package successfully, that package would continue to be invalidated as a result of the package owner losing these privileges. An object might be dropped if a privilege is revoked that was used to create the object.

NOT INCLUDING DEPENDENT PRIVILEGES must be specified when ACCESSCTRL, DATAACCESS, or system DBADM authority is revoked.

NOT INCLUDING DEPENDENT PRIVILEGES cannot be specified if the system parameter REVOKE_DEP_PRIVILEGES is set toYES, which enforces the behavior to include dependent privileges in the revoke.

Notes for REVOKE (plan privileges)

For considerations that apply to all REVOKE statement forms, see Notes for REVOKE.

Examples for REVOKE (plan privileges)

Example 1: Revoke authority to bind plan DSN8IP13 from user JONES. 
   REVOKE BIND ON PLAN DSN8IP13 FROM JONES;
Example 2: Revoke authority previously granted to all users at the current server to bind and execute plan DSN8CP13. (Grants to specific users will not be affected.) 
   REVOKE BIND,EXECUTE ON PLAN DSN8CP13 FROM PUBLIC;
Example 3: Revoke authority to execute plan DSN8CP13 from users ADAMSON and BROWN. 
   REVOKE EXECUTE ON PLAN DSN8CP13 FROM ADAMSON,BROWN;
Example 4: Revoke authority to bind plan DSN91PLN from role ROLE1: 
   REVOKE BIND ON PLAN DSN91PLN FROM ROLE ROLE1;