REVOKE (exemption) statement

This form of the REVOKE statement revokes an exemption to a label-based access control (LBAC) access rule.

Invocation

This statement can be embedded in an application program or issued through the use of dynamic SQL statements. It is an executable statement that can be dynamically prepared only if DYNAMICRULES run behavior is in effect for the package (SQLSTATE 42509).

Authorization

The privileges held by the authorization ID of the statement must include SECADM authority.

Syntax

REVOKE EXEMPTION ON RULE
    { DB2LBACREADARRAY
    | DB2LBACREADSET
    | DB2LBACREADTREE
    | DB2LBACWRITEARRAY { WRITEDOWN | WRITEUP }
    | DB2LBACWRITESET
    | DB2LBACWRITETREE
    | ALL }
    FOR policy-name
    FROM [USER | GROUP | ROLE] authorization-name [, [USER | GROUP | ROLE] authorization-name] ...

Description

EXEMPTION ON RULE
Revokes the exemption on an access rule.
DB2LBACREADARRAY
Revokes an exemption on the predefined DB2LBACREADARRAY rule.
DB2LBACREADSET
Revokes an exemption on the predefined DB2LBACREADSET rule.
DB2LBACREADTREE
Revokes an exemption on the predefined DB2LBACREADTREE rule.
DB2LBACWRITEARRAY
Revokes an exemption on the predefined DB2LBACWRITEARRAY rule.
WRITEDOWN
Specifies that the exemption only applies to write down.
WRITEUP
Specifies that the exemption only applies to write up.
DB2LBACWRITESET
Revokes an exemption on the predefined DB2LBACWRITESET rule.
DB2LBACWRITETREE
Revokes an exemption on the predefined DB2LBACWRITETREE rule.
ALL
Revokes the exemptions on all of the predefined rules.
FOR policy-name
Specifies the name of the security policy on which exemptions are to be revoked.
FROM
Specifies from whom the exemption is revoked.
USER
Specifies that the authorization-name identifies a user.
GROUP
Specifies that the authorization-name identifies a group name.
ROLE
Specifies that the authorization-name identifies a role name.
authorization-name
Lists the authorization IDs of one or more users, groups, or roles.

Rules

  • For each authorization-name specified, if neither USER, GROUP, nor ROLE is specified, then:
    • For all rows for the specified object in the SYSCAT.SECURITYPOLICYEXEMPTIONS catalog view where the grantee is authorization-name:
      • If all rows have a GRANTEETYPE of 'U', USER is assumed.
      • If all rows have a GRANTEETYPE of 'G', GROUP is assumed.
      • If all rows have a GRANTEETYPE of 'R', ROLE is assumed.
      • If all rows do not have the same value for GRANTEETYPE, an error is returned (SQLSTATE 56092).

Examples

  • Example 1: Revoke the exemption on access rule DB2LBACREADSET for security policy DATA_ACCESS from user WALID.
       REVOKE EXEMPTION ON RULE DB2LBACREADSET FOR DATA_ACCESS
         FROM USER WALID
  • Example 2: Revoke an exemption on access rule DB2LBACWRITEARRAY with the WRITEDOWN option for security policy DATA_ACCESS from user BOBBY.
       REVOKE EXEMPTION ON RULE DB2LBACWRITEARRAY WRITEDOWN
         FOR DATA_ACCESS FROM USER BOBBY
  • Example 3: Revoke an exemption on access rule DB2LBACWRITEARRAY with the WRITEUP option for security policy DATA_ACCESS from user BOBBY.
       REVOKE EXEMPTION ON RULE DB2LBACWRITEARRAY WRITEUP
         FOR DATA_ACCESS FROM USER BOBBY
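The following is an added example, not part of the IBM Db2 documentation, showing how a security administrator can audit the exemptions held under a policy before revoking them and detect in advance the mixed-GRANTEETYPE condition described under Rules (SQLSTATE 56092). Only the view name SYSCAT.SECURITYPOLICYEXEMPTIONS and its GRANTEETYPE column come from the page; the other column names used here (GRANTEE, ACCESSRULENAME, SECPOLICYID, and SECPOLICYNAME/SECPOLICYID in SYSCAT.SECURITYPOLICIES) are assumptions to confirm against the catalog on your release. The policy DATA_ACCESS and user WALID are the page's own sample names.

```sql
-- Added example (not from the IBM Db2 documentation). Requires SECADM
-- authority for the REVOKE; the SELECTs need only read access to SYSCAT.
-- Assumption: column names other than GRANTEETYPE (GRANTEE, ACCESSRULENAME,
-- SECPOLICYID, SECPOLICYNAME) are taken from memory of the catalog layout;
-- check them with DESCRIBE TABLE before relying on this script.

-- 1. Inventory: every exemption under policy DATA_ACCESS, who holds it,
--    and whether the holder is a user, group or role.
SELECT e.GRANTEE,
       e.GRANTEETYPE,          -- 'U' = user, 'G' = group, 'R' = role
       e.ACCESSRULENAME
  FROM SYSCAT.SECURITYPOLICYEXEMPTIONS e
  JOIN SYSCAT.SECURITYPOLICIES p
    ON p.SECPOLICYID = e.SECPOLICYID
 WHERE p.SECPOLICYNAME = 'DATA_ACCESS'
 ORDER BY e.GRANTEE, e.GRANTEETYPE, e.ACCESSRULENAME;

-- 2. Detect names that hold exemptions under more than one GRANTEETYPE.
--    For any name returned here, an unqualified REVOKE (no USER/GROUP/ROLE)
--    fails with SQLSTATE 56092, so the type must be stated explicitly.
SELECT e.GRANTEE,
       COUNT(DISTINCT e.GRANTEETYPE) AS TYPE_COUNT
  FROM SYSCAT.SECURITYPOLICYEXEMPTIONS e
  JOIN SYSCAT.SECURITYPOLICIES p
    ON p.SECPOLICYID = e.SECPOLICYID
 WHERE p.SECPOLICYNAME = 'DATA_ACCESS'
 GROUP BY e.GRANTEE
HAVING COUNT(DISTINCT e.GRANTEETYPE) > 1;

-- 3. Revoke with the grantee type stated, so the outcome never depends on
--    catalog inference (for example, when offboarding a user).
REVOKE EXEMPTION ON RULE ALL FOR DATA_ACCESS FROM USER WALID;

-- 4. Verify: expect REMAINING = 0 for WALID as a user under this policy.
SELECT COUNT(*) AS REMAINING
  FROM SYSCAT.SECURITYPOLICYEXEMPTIONS e
  JOIN SYSCAT.SECURITYPOLICIES p
    ON p.SECPOLICYID = e.SECPOLICYID
 WHERE p.SECPOLICYNAME = 'DATA_ACCESS'
   AND e.GRANTEE = 'WALID'
   AND e.GRANTEETYPE = 'U';
```

Stating USER, GROUP or ROLE in every REVOKE is the safer habit: it turns the catalog-inference rule above into a non-issue and makes the statement's effect unambiguous in the audit trail, which matters when the same name exists as both a user and a group.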