REVOKE Physical Database Definition Privileges

Revokes from one or more users or groups the privilege of executing the DMCL, DBTABLE, and SEGMENT physical DDL statements.
idms
Revokes from one or more users or groups the privilege of executing the DMCL, DBTABLE, and SEGMENT physical DDL statements.
Authorization
To revoke a definition privilege on a DMCL or DBTABLE, you must hold one of these privileges:
  • The corresponding grantable privilege
  • DBADMIN on DB SYSTEM
  • SYSADMIN
To revoke a physical definition privilege on a database, you must hold one of these privileges:
  • The corresponding grantable privilege
  • DBADMIN on the database
  • SYSADMIN
You must be connected to the system dictionary when you issue the statement.
Syntax
►►─── REVOKE ─┬─ DEFINE ───────────┬──────────────────────────────────────────►               │ ┌─────── , ──────┐ │               └─▼─┬─ ALTER ────┬─┴─┘                   ├─ CREATE ───┤                   ├─ DISPLAY ──┤                   ├─ DROP ─────┤                   └─ USE ──────┘    ►─── ON ─┬─ DMCL 
dmcl-name
 ───────┬──────────────────────────────────────────►           ├─ DBTABLE 
dbtable-name
 ─┤           └─ DB 
database-name
 ─────┘               ┌─────────────── , ──────────────┐  ►─── FROM ─▼─┬─ PUBLIC ───────────────────┬─┴────────────────────────────────►◄               └─ 
authorization-identifier
 ─┘
Parameters
 
  • DEFINE
    Revokes the ALTER, CREATE, DISPLAY, DROP, and USE privileges on the resource identified in the ON parameter from the users or groups identified in the FROM parameter.
  • ALTER
    Revokes the ALTER privilege on the resource identified in the ON parameter from the users or groups identified in the FROM parameter.
  • CREATE
    Revokes the CREATE privilege on the resource identified in the ON parameter from the users or groups identified in the FROM parameter.
  • DISPLAY
    Revokes the DISPLAY privilege on the resource identified in the ON parameter from the users or groups identified in the FROM parameter.
  • DROP
    Revokes the DROP privilege on the resource identified in the ON parameter from the users or groups identified in the FROM parameter.
  • USE
    Revokes the USE privilege on the resource identified in the ON parameter from the users or groups identified in the FROM parameter.
  • ON
    Specifies the resource to which the definition privileges apply.
  • DMCL
    dmcl-name
    Identifies a DMCL.
    You can wildcard
    dmcl-name
    .
    For more information on wildcarding, see Using a Wildcard.
  • DBTABLE
    dbtable-name
    Identifies a database name table.
    You can wildcard
    dbtable-name
    .
    For more information on wildcarding, see Using a Wildcard. .
  • DB
    database-name
    Identifies a segment or a name in the database name table.
    You can wildcard
    database-name
    .
    For more information on wildcarding, see Using a Wildcard.
  • FROM
    Specifies the users or groups from whom you are revoking definition privileges.
  • PUBLIC
    Specifies all users.
    The privileges must have been previously given to PUBLIC by means of the GRANT statement.
  • authorization-identifier
    Identifies a user or group.
    The privileges must have been previously given to
    authorization-identifier
    by means of the GRANT statement.
    Expanded syntax for
    authorization-identifier
    is presented in Notes on Security Statement Syntax.
Usage
The DEFINE Keyword
When you use the DEFINE keyword with a GRANT statement, you grant a set of definition privileges on a resource to one or more users or groups.
When you use the DEFINE keyword with a REVOKE statement, you revoke all definition privileges that have been previously granted on the resource from the specified users or groups.
This means that if you GRANT CREATE privilege on a resource, you can revoke the privilege with either a REVOKE CREATE statement or a REVOKE DEFINE statement. Using REVOKE DEFINE is an efficient technique when you intend to revoke all definition privileges on the resource from a user or group, whether the privileges were granted singly or as a set.
Similarly, you can GRANT DEFINE on a resource to a user and then REVOKE DROP on the resource from the same user as a way to grant all but one definition privilege.
Revoking Privilege to Issue DMCL Statements
The following statement revokes from the user the privilege to issue DMCL definition statements for DMCL99:
revoke define   on dmcl dmcl99   from ryan;
More Information
For more information
about granting privilege to define physical database resources
, see GRANT Physical Database Definition Privileges.