  1. #1
    Join Date
    Dec 2007
    Posts
    78

    Unanswered: Revoking privileges

    Hi everyone,

    A user was removed and now I need to revoke all privileges from that removed user. I executed REVOKE ALL ON DATABASE FROM <DB2user>. The SQL completed successfully, but when I run my scan report it's still reporting that the user needs to be revoked of all privileges. Is there something else I need to do? Any help would be greatly appreciated. Thanks

    PS - I'm running DB2 V8 on Windows NT/2000. Thanks again

  2. #2
    Join Date
    Sep 2004
    Posts
    111
    You need to revoke one by one DB privileges from that user.

    Get the info from syscat.dbauth table.

    USER       GRANTOR    CONNECT CREATETAB LOAD DBA IMPLSCHEMA BIND ROUTINE NOFENCE
    ---------- ---------- ------- --------- ---- --- ---------- ---- ------- -------
    TESTER     DBADM      N       Y         Y    Y   Y          Y    N       N


    db2 "revoke createtab on database from tester" ... and so on.


    -Raj

  3. #3
    Join Date
    Nov 2005
    Location
    IL
    Posts
    557
    Raj, that is not true.

    What you have to do is list only those privileges in the REVOKE command that the user actually has. Be aware of G and U in the TYPE column.
    --
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows

    DB2 v9.7.0.6 os 6.1.0.0

  4. #4
    Join Date
    Jun 2003
    Location
    Toronto, Canada
    Posts
    5,516
    Provided Answers: 1
    There are other privileges too, such as table, schema, package, etc. - not only database privileges. By revoking only the database privileges you do not affect any other privs, unless you explicitly revoke them too.
    ---
    "It does not work" is not a valid problem statement.
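
An added example, not posted by anyone in this thread: DB2 SQL that builds REVOKE statements naming only the privileges the grantee actually holds, for database authorities and for tables and views, then counts what remains in other catalog views. It assumes the grantee is the user TESTER from the sample output above and the standard SYSCAT authorization views.

```sql
-- Added example; 'TESTER' is the grantee from the sample output in this thread.
-- GRANTEETYPE = 'U' limits the result to grants made to the user, not a group.

-- 1. Database authorities: one REVOKE naming only the authorities actually held.
--    Extend the CASE list for any other *AUTH columns your SYSCAT.DBAUTH has.
SELECT 'REVOKE ' || SUBSTR(
         CASE WHEN connectauth    = 'Y' THEN ', CONNECT'         ELSE '' END ||
         CASE WHEN createtabauth  = 'Y' THEN ', CREATETAB'       ELSE '' END ||
         CASE WHEN bindaddauth    = 'Y' THEN ', BINDADD'         ELSE '' END ||
         CASE WHEN loadauth       = 'Y' THEN ', LOAD'            ELSE '' END ||
         CASE WHEN implschemaauth = 'Y' THEN ', IMPLICIT_SCHEMA' ELSE '' END ||
         CASE WHEN dbadmauth      = 'Y' THEN ', DBADM'           ELSE '' END, 3)
       || ' ON DATABASE FROM USER ' || RTRIM(grantee) AS stmt
FROM   syscat.dbauth
WHERE  grantee = 'TESTER' AND granteetype = 'U'
  AND  'Y' IN (connectauth, createtabauth, bindaddauth,
               loadauth, implschemaauth, dbadmauth);

-- 2. Table and view privileges ('Y' = held, 'G' = held with grant option).
SELECT 'REVOKE ' || SUBSTR(
         CASE WHEN controlauth <> 'N' THEN ', CONTROL'    ELSE '' END ||
         CASE WHEN selectauth  <> 'N' THEN ', SELECT'     ELSE '' END ||
         CASE WHEN insertauth  <> 'N' THEN ', INSERT'     ELSE '' END ||
         CASE WHEN updateauth  <> 'N' THEN ', UPDATE'     ELSE '' END ||
         CASE WHEN deleteauth  <> 'N' THEN ', DELETE'     ELSE '' END ||
         CASE WHEN alterauth   <> 'N' THEN ', ALTER'      ELSE '' END ||
         CASE WHEN indexauth   <> 'N' THEN ', INDEX'      ELSE '' END ||
         CASE WHEN refauth     <> 'N' THEN ', REFERENCES' ELSE '' END, 3)
       || ' ON TABLE "' || RTRIM(tabschema) || '"."' || RTRIM(tabname)
       || '" FROM USER ' || RTRIM(grantee) AS stmt
FROM   syscat.tabauth
WHERE  grantee = 'TESTER' AND granteetype = 'U'
  AND  controlauth || selectauth || insertauth || updateauth ||
       deleteauth || alterauth || indexauth || refauth <> 'NNNNNNNN';

-- 3. Other object types that still reference the grantee; each needs its own REVOKE.
SELECT 'SCHEMAAUTH' AS catalog_view, COUNT(*) AS grants FROM syscat.schemaauth
 WHERE grantee = 'TESTER' AND granteetype = 'U'
UNION ALL
SELECT 'PACKAGEAUTH', COUNT(*) FROM syscat.packageauth
 WHERE grantee = 'TESTER' AND granteetype = 'U'
UNION ALL
SELECT 'INDEXAUTH', COUNT(*) FROM syscat.indexauth
 WHERE grantee = 'TESTER' AND granteetype = 'U'
UNION ALL
SELECT 'ROUTINEAUTH', COUNT(*) FROM syscat.routineauth
 WHERE grantee = 'TESTER' AND granteetype = 'U';
```

Review the generated statements before running them; a non-zero count in the third query means the scan report will keep flagging the user until those grants are revoked as well.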

  5. #5
    Join Date
    Nov 2005
    Location
    IL
    Posts
    557
    Quote Originally Posted by n_i
    There are other privileges too, such as table, schema, package, etc. - not only database privileges. By revoking only the database privileges you do not affect any other privs, unless you explicitly revoke them too.
    Correct, I guess if the original post specified what exactly needs to be revoked we would not be discussing it now.

    All said and done, as long as the user does not have connect on the db then the other stuff is more of a cleanup than anything else. Kind of like if I give you a code to a safe but not a key to the house, that code has no value to you.
    --
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows

    DB2 v9.7.0.6 os 6.1.0.0

  6. #6
    Join Date
    Nov 2005
    Location
    IL
    Posts
    557
    I just reread the original post and it sounds like the whole problem could have been diverted from the database to the unix admin or security in the first place.
    By granting access to the GROUP vs. an individual user id you avoid this problem altogether. Let someone else worry about it. It should not be a dba problem when people come and go.
    --
    IBM Certified DBA on DB2 for Linux, UNIX, and Windows

    DB2 v9.7.0.6 os 6.1.0.0
