DB2 10.5 for Linux, UNIX, and Windows

REVOKE (exemption) statement

This form of the REVOKE statement revokes an exemption to a label-based access control (LBAC) access rule.

Invocation

This statement can be embedded in an application program or issued through the use of dynamic SQL statements. It is an executable statement that can be dynamically prepared only if DYNAMICRULES run behavior is in effect for the package (SQLSTATE 42509).

Authorization

The privileges held by the authorization ID of the statement must include SECADM authority.

Syntax


>>-REVOKE EXEMPTION ON RULE------------------------------------->

>--+-DB2LBACREADARRAY-----------------+--FOR--policy-name------->
   +-DB2LBACREADSET-------------------+                     
   +-DB2LBACREADTREE------------------+                     
   +-DB2LBACWRITEARRAY--+-WRITEDOWN-+-+                     
   |                    '-WRITEUP---' |                     
   +-DB2LBACWRITESET------------------+                     
   +-DB2LBACWRITETREE-----------------+                     
   '-ALL------------------------------'                     

         .-,-----------------------------.   
         V                               |   
>--FROM----+-------+--authorization-name-+---------------------><
           +-USER--+                         
           +-GROUP-+                         
           '-ROLE--'

Description

EXEMPTION ON RULE

Revokes the exemption on an access rule.

DB2LBACREADARRAY

Revokes an exemption on the predefined DB2LBACREADARRAY rule.

DB2LBACREADSET

Revokes an exemption on the predefined DB2LBACREADSET rule.

DB2LBACREADTREE

Revokes an exemption on the predefined DB2LBACREADTREE rule.

DB2LBACWRITEARRAY

Revokes an exemption on the predefined DB2LBACWRITEARRAY rule.

WRITEDOWN: Specifies that the exemption only applies to write down.
WRITEUP: Specifies that the exemption only applies to write up.

DB2LBACWRITESET

Revokes an exemption on the predefined DB2LBACWRITESET rule.

DB2LBACWRITETREE

Revokes an exemption on the predefined DB2LBACWRITETREE rule.

ALL

Revokes the exemptions on all of the predefined rules.

FOR policy-name

Specifies the name of the security policy on which exemptions are to be revoked.

FROM

Specifies from whom the exemption is revoked.

USER: Specifies that the authorization-name identifies a user.
GROUP: Specifies that the authorization-name identifies a group name.
ROLE: Specifies that the authorization-name identifies a role name.
authorization-name,...: Lists the authorization IDs of one or more users, groups, or roles.

Rules

For each authorization-name specified, if neither USER, GROUP, nor ROLE is specified, then:
- For all rows for the specified object in the SYSCAT.SECURITYPOLICYEXEMPTIONS catalog view where the grantee is authorization-name:
  - If all rows have a GRANTEETYPE of 'U', USER is assumed.
  - If all rows have a GRANTEETYPE of 'G', GROUP is assumed.
  - If all rows have a GRANTEETYPE of 'R', ROLE is assumed.
  - If all rows do not have the same value for GRANTEETYPE, an error is returned (SQLSTATE 56092).

Examples

Example 1: Revoke the exemption on access rule DB2LBACREADSET for security policy DATA_ACCESS from user WALID.
```
   REVOKE EXEMPTION ON RULE DB2LBACREADSET FOR DATA_ACCESS 
     FROM USER WALID
```
Example 2: Revoke an exemption on access rule DB2LBACWRITEARRAY with the WRITEDOWN option for security policy DATA_ACCESS from user BOBBY.
```
   REVOKE EXEMPTION ON RULE DB2LBACWRITEARRAY WRITEDOWN
     FOR DATA_ACCESS FROM USER BOBBY
```
Example 3: Revoke an exemption on access rule DB2LBACWRITEARRAY with the WRITEUP option for security policy DATA_ACCESS from user BOBBY.
```
   REVOKE EXEMPTION ON RULE DB2LBACWRITEARRAY WRITEUP
     FOR DATA_ACCESS FROM USER BOBBY
```