REVOKE Execution Privilege

The REVOKE Execution Privilege authorization statement removes from one or more users or groups the privilege of executing a specified access module. It is also a CA IDMS extension of the SQL standard.

Authorization

To revoke access module execution privilege, you must own the schema associated with the access module, hold grantable privilege on the access module, or hold DBADMIN privilege on the dictionary that contains the access module.

Syntax

►►─── REVOKE EXECUTE ─────────────────────────────────────────────────────────►

 ►─── ON ACCESS MODULE ─┬────────────────┬─ access-module-name ───────────────►
                        └─ schema-name. ─┘

            ┌─────────────── , ──────────────┐
 ►─── FROM ─▼─┬─ PUBLIC ───────────────────┬─┴────────────────────────────────►◄
              └─ authorization-identifier ─┘

Parameters

ON ACCESS MODULE access-module-name

Specifies the access module to which the EXECUTE privilege applies.

schema-name: Identifies the schema associated with access-module-name. If you do not specify schema-name, it defaults to the current schema in effect for your SQL session.

FROM

Identifies the users from whom you are removing the EXECUTE privilege.

PUBLIC

Specifies all users.

The privilege must previously have been granted to PUBLIC.

authorization-identifier

Identifies a user or group.

The privilege must previously have been granted to authorization-identifier. For expanded authorization-identifier syntax, see Expansion of Authorization-identifier.

Usage

Revoking Privileges

A user can hold a privilege on a resource through multiple resource names (for example, through the use of wildcards) or through multiple authorization identifiers (for example, through two different group identifiers). A REVOKE statement revokes the privileges specified in the statement only on the specified resource name and only from the specified authorization identifier.

For example, suppose:

User PKB is in the group SALES_ADMIN
PKB has been granted the EXECUTE privilege on the access module name SALES_SCH.SALESFCT
SALES_ADMIN has been granted the EXECUTE privilege on all access module named SALES_SCH.SALES* where * is a wildcard character

You can revoke the EXECUTE privilege on SALESFCT from the user identifier PKB. However, PKB can still execute an access module by that name in the SALES_SCH schema because PKB is a member of SALES_ADMIN.

Example

Revoking the EXECUTE Privilege

The following REVOKE EXECUTE statement removes the EXECUTE privilege on all access modules associated with schema HR that begin with 'EMP' from the users in group PER_GRP_2:

revoke execute
   on access module hr.emp*
   from per_grp_2;

More Information

For more information about granting the EXECUTE privilege, see GRANT Access Module Execution Privilege.
For more information about revoking privileges, see your security administrator.