DB2 10.5 for Linux, UNIX, and Windows

REVOKE (security label) statement

This form of the REVOKE statement revokes a label-based access control (LBAC) security label.

Invocation

This statement can be embedded in an application program or issued through the use of dynamic SQL statements. It is an executable statement that can be dynamically prepared only if DYNAMICRULES run behavior is in effect for the package (SQLSTATE 42509).

Authorization

The privileges held by the authorization ID of the statement must include SECADM authority.

Syntax

Read syntax diagramSkip visual syntax diagram
>>-REVOKE SECURITY LABEL--security-label-name------------------->

         .-,-----------------------------.   
         V                               |   
>--FROM----+-------+--authorization-name-+---------------------><
           +-USER--+                         
           +-GROUP-+                         
           '-ROLE--'                         

Description

SECURITY LABEL security-label-name
Revokes the security label security-label-name. The name must be qualified with a security policy (SQLSTATE 42704) and must identify a security label that exists at the current server (SQLSTATE 42704), and that is held by authorization-name (SQLSTATE 42504).
FROM
Specifies from whom the specified security label is revoked.
USER
Specifies that the authorization-name identifies a user.
GROUP
Specifies that the authorization-name identifies a group name.
ROLE
Specifies that the authorization-name identifies a role name. The role name must exist at the current server (SQLSTATE 42704).
authorization-name,...
Lists the authorization IDs of one or more users, groups, or roles.

Rules

Example

Revoke the security label EMPLOYEESECLABEL, which is part of the security policy DATA_ACCESS, from user WALID. 
   REVOKE SECURITY LABEL DATA_ACCESS.EMPLOYEESECLABEL
     FROM USER WALID
Related concepts:
Database authorities
Related reference:
GRANT (security label) statement