Hi everyone,

A user was removed and now i need to revoke all privileges to that removed user. I executed REVOKE ALL ON DATABASE FROM <DB2user>. The sql completed successfully but when i run my scan report it's still reporting that the user needs to be revoked of all privileges. Is there something else i need to do? Any help would be greatly appreciated. Thanks

PS - I'm running DB2 V8 on Windows NT/2000. Thanks again

You need to revoke one by one DB privileges from that user.

Get the info from syscat.dbauth table.

USER GRANTOR CONNECT CREATETAB LOAD DBA IMPLSCHEMA BIND ROUTINE NOFENCE
---------- ---------- ------- --------- ---- --- ---------- ---- ------- -------
TESTER DBADM N Y Y Y Y Y N N


db2 "revoke createtab on database from tester"...... and SO on...


-Raj

Raj, that is not true.

What you have to do is list only those privileges in REVOKE command that the user actually has. be aware g and U in the TYPE column.

There are other privileges too, such as table, schema, package, etc. - not only database privileges. By revoking only the database privileges you do not affect any other privs, unless you explicitly revoke them too.

Correct, I guess if the original post specified what exactly needs to be revoked we would not discussing it now

All said and done as long as the user does not have connect on the db then the other stuff is more fo a clean up then anything else. Kind of like if I give you a code to a safe but not a key to the house that code has no value to you.

I just reread the original post and it sounds like the wholeproblem could have been deverted from the database to the unix admin or security in the first place.
By granting access to the GROUP vs. an individual user id you are avoid this problem all together. Let someone else worry about it. It should not be a dba problem when people come and go.