The XDB Server syntactically supports the collection, package, and plan classes of GRANT/REVOKE privilege commands. Also syntactically supported are the use class of GRANT/REVOKE privileges, including the USE OF ALL BUFFERPOOLS clause. The XDB Server cannot functionally utilize these types of privileges, although future catalog support is planned. DB2 users should consult their DB2 documentation for information on these four classes of privilege commands.
REVOKE is an executable statement that can be issued interactively, embedded in a host language, or dynamically prepared.
In most instances, the authority needed to revoke a specific privilege must be identical to the authority that originally issued the privilege -- which means that privileges individually granted by a specific AuthID are generally revoked individually by the same AuthID.
This format is used to revoke privileges on specified databases. One or more of the privilege option keywords defined below (separated with commas) may be specified after REVOKE, allowing multiple privileges to be revoked in one statement. In every case, the privileges chosen are revoked only from the logical database(s) named in the REVOKE command.
REVOKE [DBADM[, ]] [DBCTRL[, ]] [DBMAINT[, ]] [CREATETAB[, ]] [CREATETS[, ]] [DROP[, ]] [STARTDB[, ]] [STATS[, ]] [STOPDB[, ]] ON DATABASE database-name[,...] FROM AuthID[,...][PUBLIC] [BY AuthID[,...][ALL]]
This format is used to revoke privileges on specified databases. One or more of the privilege option keywords defined below (separated with commas) may be specified after REVOKE, allowing multiple privileges to be revoked in one statement. In every case, the privileges chosen are revoked only from the logical database(s) named in the REVOKE command.
REVOKE [DBADM[, ]] [DBCTRL[, ]] [DBMAINT[, ]] [CREATETAB[, ]] [CREATETS[, ]] [DROP[, ]] [STARTDB[, ]] [STATS[, ]] [STOPDB[, ]] ON DATABASE database-name[,...] FROM AuthID[,...][PUBLIC] [BY AuthID[,...][ALL]]
DBADM | Database administrator authority. |
DBCTRL | Database control authority. |
DBMAINT | Database maintenance authority. |
CREATETAB | Privilege to create new tables. |
CREATETS | Privilege to create new table spaces. |
DROP | Privilege to issue the DROP or ALTER DATABASE statements for the designated databases. |
STARTDB | Privilege to issue the START DATABASE command. |
STOPDB | Privilege to issue the STOP DATABASE command. |
The DISPLAYDB, IMAGCOPY, LOAD, RECOVERDB, REORG, REPAIR, and STATS database grant/revoke privileges are specific to the DB2 mainframe environment, and control specific authorities for running mainframe utilities (for example, CHECK, RUNSTATS and QUIESCE). The XDB Server does not functionally support these privileges. However, to maintain maximum compatibility with mainframe DB2 operations, the XDB Server syntactically checks these privileges (if encountered) and updates the appropriate catalog tables.
database-name | Identifies a database on which privileges are to be revoked. Each database named must exist at the current location. The XDB Server does not support cascading revoke. |
AuthID | Identifies a user authorization ID from which the specified privilege(s) are being revoked. The PUBLIC keyword option can be specified along with (or in place of) an AuthID (or a list of AuthIDs), revoking the specified privileges from all valid AuthIDs at the current location. |
The following example revokes DBADM authority for a database named PICTURES from the individual(s) with AuthID usera.
REVOKE DBADM ON DATABASE pictures FROM usera
Description
The REVOKE command is used to remove system, database, table, and view privileges from designated AuthID(s). There are three formats for the REVOKE command, depending on the type of privilege being revoked. Database privileges include CREATETAB, DBADM and DROP privileges. Table privileges include ALTER, DELETE, INDEX, INSERT, SELECT, and UPDATE privileges. System privileges that imply other privileges are also characterized as authorities.
For a TEMP database, you cannot revoke the privilege from PUBLIC. When a TEMP database is created, PUBLIC implicitly receives the CREATETAB privilege (without GRANT authority); this privilege is not recorded in the DB2 catalog, and it cannot be revoked.
Individual grants (or groups of grants) are removed from the catalog tables by executing REVOKE command statements. Each individual revoke (as registered in the catalog tables) involves the removal of one privilege by one revoker from one revokee. The removal of privileges with the REVOKE statement is recorded in the system catalog for the current location. The status of each individual granted or revoked privilege (for each AuthID) is recorded in the catalog tables.
Since the same privilege can be granted to a single grantee AuthID by several different grantor AuthIDs, the grantee AuthID retains the privilege as long as one (or more) of these grants remains recorded in the system catalog.
Privileges may be revoked from a specific set of users by listing their AuthIDs in the FROM clause of the REVOKE statement. To revoke privileges from all AuthIDs in the current location, use the keyword PUBLIC in the FROM clause. When a privilege is revoked from PUBLIC, the system catalog continues to maintain the list of AuthIDs that were individually granted the privilege.