Processing user revocation information
- revoke_date: The date from which the user is revoked
- resume_date: The date on which the user is no longer revoked
- revoked_flag: A flag indicating if the user has been revoked
At logon or job initiation, RACF compares the current date with the revoke_date and resume_date. If the current date falls between them, the logon or job initiation is not allowed or the connection with the group is not considered valid.
LISTUSER and LISTGRP perform similar checks. For example, if the date on which the LISTUSER command is issued falls between the revoke_date and the resume_date, LISTUSER reports that the user is revoked. If the date on which the LISTUSER command is issued does not fall between the revoke_date and the resume_date, LISTUSER indicates that the user is not revoked even if the revoke_date, resume_date, and revoked_flag are set in the RACF database.
Because IRRDBU00 does not have a reference date such as the current date, it cannot interpret the revoke_date, resume_date, and revoked_flag information. IRRDBU00 unloads the values as they are specified in the RACF database. This means that if you write a query that just checks the revoked_flag, the results differ from LISTUSER and LISTGRP.
You can incorporate a date check into your queries that performs the same checks as the LISTUSER and LISTGRP commands. Figure 1 shows sample structured query language (SQL) that performs this test for the user revoke status. Note that CURRENT_DATE can be replaced with any valid DB2® date value.
SELECT * FROM USER01.USER_BD
  WHERE
    (CURRENT_DATE >= USBD_REVOKE_DATE AND
      (USBD_RESUME_DATE IS NULL OR
       USBD_RESUME_DATE <= USBD_REVOKE_DATE OR
       USBD_RESUME_DATE > CURRENT_DATE))
    OR
    (USBD_REVOKE = 'Y' AND
      (USBD_RESUME_DATE IS NULL OR
       NOT (CURRENT_DATE >= USBD_RESUME_DATE AND
         (USBD_REVOKE_DATE IS NULL OR
          USBD_REVOKE_DATE < USBD_RESUME_DATE OR
          USBD_REVOKE_DATE > CURRENT_DATE))))
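The following added example (not part of the original documentation) runs the Figure 1 predicate next to a flag-only query to show where the two disagree. It assumes an in-memory SQLite table standing in for DB2, a bound parameter :d in place of CURRENT_DATE, a USER_BD table reduced to four columns, and constructed sample rows.

```python
import sqlite3

# Figure 1's predicate with CURRENT_DATE replaced by a bound reference date (:d).
# Assumption: dates are stored as ISO yyyy-mm-dd text, which SQLite orders correctly.
DATE_AWARE = """
SELECT USBD_NAME FROM USER_BD WHERE
  (:d >= USBD_REVOKE_DATE AND
    (USBD_RESUME_DATE IS NULL OR
     USBD_RESUME_DATE <= USBD_REVOKE_DATE OR
     USBD_RESUME_DATE > :d))
  OR
  (USBD_REVOKE = 'Y' AND
    (USBD_RESUME_DATE IS NULL OR
     NOT (:d >= USBD_RESUME_DATE AND
       (USBD_REVOKE_DATE IS NULL OR
        USBD_REVOKE_DATE < USBD_RESUME_DATE OR
        USBD_REVOKE_DATE > :d))))
ORDER BY USBD_NAME
"""
# The naive query the text warns about: it ignores both dates.
FLAG_ONLY = "SELECT USBD_NAME FROM USER_BD WHERE USBD_REVOKE = 'Y' ORDER BY USBD_NAME"

# Constructed sample rows (not real unload data): name, flag, revoke date, resume date.
ROWS = [
    ("ALICE", "N", None, None),                  # never revoked
    ("BOB",   "Y", None, None),                  # revoked by flag, no dates
    ("CAROL", "N", "2024-03-01", None),          # dated revoke, flag not set
    ("DAVE",  "Y", None, "2024-02-01"),          # flag set, resume date already passed
    ("ERIN",  "N", "2024-05-01", "2024-07-01"),  # revoke window starts later
    ("FRANK", "N", "2024-01-10", "2024-09-01"),  # revoke window open until September
]

def load(rows=ROWS):
    """Build the reduced USER_BD table in memory and fill it with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE USER_BD (USBD_NAME TEXT, USBD_REVOKE TEXT, "
               "USBD_REVOKE_DATE TEXT, USBD_RESUME_DATE TEXT)")
    db.executemany("INSERT INTO USER_BD VALUES (?, ?, ?, ?)", rows)
    return db

def revoked(db, sql, ref_date=None):
    """Return the user IDs a query reports as revoked on ref_date."""
    return [row[0] for row in db.execute(sql, {"d": ref_date})]

if __name__ == "__main__":
    db = load()
    print("flag only :", revoked(db, FLAG_ONLY))
    print("date aware:", revoked(db, DATE_AWARE, "2024-04-15"))
```

With 2024-04-15 as the reference date, the flag-only query reports DAVE, whose resume date has passed, and misses CAROL and FRANK, whose revoke dates are in effect without the flag being set.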