Revoking an authorization
You can revoke the authority that users have to grant privileges on Db2 objects. You can also revoke the privileges that users have to use those objects. Db2 Admin Tool guides you through the process without requiring you to know the syntax of the REVOKE SQL statements.
Procedure
To revoke authorizations:
- On the DB2 Administration Menu (ADB2) panel, specify option 1, and press Enter.
- On the System Catalog (ADB21) panel, specify the AO command, and press Enter.
- On the System Catalog (ADB21) panel - Authorization options, specify the option for the object type for which you want to revoke authorizations.
For example, specify option GVA for global variable authorizations, and press Enter.
- On the object authorizations panel, issue the R line command against the authorization that you want to revoke, and press Enter.
For example, the following figure shows the Global Variable Authorizations (ADBPAGV) panel:
Restriction: You cannot revoke a privilege from a global variable if any of the following conditions exist:
- A function that is owned by the revokee references (READ or WRITE privilege) the specified global variable.
- A view that is owned by the revokee references (READ or WRITE privilege) the specified global variable.
- A trigger that is owned by the revokee references (READ or WRITE privilege) the specified global variable.
- A procedure that is owned by the revokee references (READ or WRITE privilege) the specified global variable.
- On the revoke object privileges panel, specify the privilege that you want to revoke and any associated information.
For example, the following figure shows the Revoke Variable Privileges (ADBPRGV) panel:
On this panel, specify the privilege that you want to revoke and the FROM, BY, and RESTRICT clause information. For more information about these clauses, see REVOKE (variable privileges) (Db2 12 for z/OS).
- Optional: Review the revoke impact report:
This report helps you determine how the authorizations and database objects will be affected by revoking an authorization before you actually revoke it.
- In the Report Revoke Impacts field, specify Yes, and press Enter.
If the following message is displayed, your user ID does not have the authority to execute the REVOKE statement:
Revoker does not have SYSADM/SYSCTRL/SECADM/ACCESSCTRL
Otherwise, the Revoke Impact Report (ADB2RIP) panel is displayed, as shown in the following figure.
For information about any of these columns and their values, see the online help (PF1).
- Issue the I line command next to the object for which you want to display interpretation information, and press Enter.
The Interpretation of revoked privileges (ADB2RIPI) panel is displayed, as shown in the following figure.
- Exit back to the revoke object privileges panel.
- In the Report Revoke Impacts field, specify No, and press Enter.
- Specify your preferences on any subsequent confirmation panels to run the REVOKE statement.
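The procedure above, for the global variable case, written out as the SQL it results in, with a catalog check before and after. This is an added example, not output of Db2 Admin Tool or text from the product documentation. The schema, variable name and authorization IDs are constructed, and the use of SYSIBM.SYSVARIABLEAUTH with its READAUTH and WRITEAUTH columns is an assumption to verify against your subsystem's catalog.

```sql
-- Added example: names (PAYROLL.GV_RATE, APPUSR1, SECADM1) are constructed.
-- Catalog table and column names are assumed from the Db2 12 for z/OS
-- catalog; check them against your subsystem before relying on the query.

-- 1. Before revoking: list who holds READ or WRITE on the variable and
--    which grantor each privilege came from. The grantor is what the
--    BY clause has to name when you revoke a grant made by someone else.
SELECT GRANTOR, GRANTEE, READAUTH, WRITEAUTH
  FROM SYSIBM.SYSVARIABLEAUTH
 WHERE SCHEMA = 'PAYROLL'
   AND NAME   = 'GV_RATE'
 ORDER BY GRANTEE, GRANTOR;

-- 2. The revoke, using the three clauses the Revoke Variable Privileges
--    panel asks for:
--      FROM     the revokee
--      BY       the grantor whose grant is being removed
--      RESTRICT the clause the panel offers; the page's restriction lists
--               the cases (a function, view, trigger or procedure owned
--               by the revokee referencing the variable) in which the
--               privilege cannot be revoked
REVOKE WRITE
    ON VARIABLE PAYROLL.GV_RATE
  FROM APPUSR1
    BY SECADM1
  RESTRICT;

-- 3. After revoking: the row for this grantor/grantee pair should no
--    longer show WRITE. Any row still returned for APPUSR1 is a grant
--    from a different grantor and needs its own REVOKE.
SELECT GRANTOR, GRANTEE, READAUTH, WRITEAUTH
  FROM SYSIBM.SYSVARIABLEAUTH
 WHERE SCHEMA  = 'PAYROLL'
   AND NAME    = 'GV_RATE'
   AND GRANTEE = 'APPUSR1';
```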