Generate Grant and Revoke Statements for Access Control Privileges
If access to an object is accidentally granted or revoked, use the DDL Activity Report to generate statements to restore the correct access control privileges.
GRANT and REVOKE statements provide access control to Db2 objects. These privileges and authorities can be granted or revoked for different combinations of authorization IDs and roles. Only an explicitly granted privilege can be revoked.
If you accidentally grant or revoke a privilege, you can use the DDL Activity Report to generate a corresponding GRANT or REVOKE statement to restore the access control privilege to the correct state.
When the REVOKE_DEP_PRIVILEGES system parameter is set to YES, REVOKE statements that are generated by the DDL Activity Report REDO/UNDO option do not include the keywords INCLUDING DEPENDENT PRIVILEGES and NOT INCLUDING DEPENDENT PRIVILEGES except for the following system privileges:
Follow these steps:
- Select Process Log from the CA Log Analyzer for DB2 for z/OS Main Menu. The Process Log - Report Specification panel (LAPRM) opens.
- Select DDL Activity and press Enter. The DDL Activity Report Options panel (LAPRDDL) opens.
- Complete the following fields:
  - Specify U (to create UNDO DDL) or R (to create REDO DDL) in the Output Format field.
  - Specify D (Detail) in the Level of Detail field.
  - (Optional) Specify I (Include) in the Primary Authids field under Log Data Filter Options and enter the authorization ID of the person that executed the grant or revoke.
  - Specify O (Only) in the Grant/Revoke field to include only Grant and Revoke records in the report.
  - Specify X (Exclude) in the Bind/Rebind field to exclude Bind and Rebind records.
  - (Optional) Use other Miscellaneous Options to include or exclude other types of data from the DDL report.
- Press PF3 until the Report Source Specification panel (LAPRLRNG) appears.
- Specify the approximate time range of when the privilege was modified in the Log Processing Range section.
- Press PF3 (End). The Output Specification panel (LAPOS14) appears.
- Specify a data set name for the GRANT/REVOKE statements in the Dataset Name
- Press PF3 until the Report Submission Screen panel (LAPREPEX) opens.
- Specify B or O in Execution Mode and press Enter. CA Log Analyzer for DB2 for z/OS generates the GRANT/REVOKE statements based on the specified execution mode and saves them to the specified destination.
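
The following is an added example, not output from CA Log Analyzer or part of the original documentation: a set of Db2 for z/OS catalog checks to run around a generated UNDO statement for a table privilege. The table PAYROLL.EMP, the authorization IDs USER01 and ADMIN01, and the timestamps are constructed placeholders, and the REVOKE shown is an illustration of the statement type, so the text the report writes to the data set may differ.

```sql
-- Constructed scenario: ADMIN01 accidentally ran
--   GRANT SELECT ON TABLE PAYROLL.EMP TO USER01 WITH GRANT OPTION;
-- and the DDL Activity Report was run with Output Format U (UNDO).

-- 1. Confirm the accidental grant is in the catalog and falls inside the
--    time range entered in the Log Processing Range section.
--    SELECTAUTH: 'Y' = held, 'G' = held WITH GRANT OPTION, blank = not held.
SELECT GRANTOR, GRANTEE, GRANTEETYPE, SELECTAUTH, GRANTEDTS
  FROM SYSIBM.SYSTABAUTH
 WHERE TCREATOR = 'PAYROLL'
   AND TTNAME   = 'EMP'
   AND GRANTEE  = 'USER01'
   AND GRANTEDTS BETWEEN '2024-01-15-09.00.00.000000'
                     AND '2024-01-15-10.00.00.000000';

-- 2. List privileges that USER01 has already passed on for the same table.
--    These rows depend on USER01's privilege, so review them before the
--    REVOKE runs and compare them against step 4 afterwards.
SELECT GRANTOR, GRANTEE, SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH,
       GRANTEDTS
  FROM SYSIBM.SYSTABAUTH
 WHERE TCREATOR = 'PAYROLL'
   AND TTNAME   = 'EMP'
   AND GRANTOR  = 'USER01';

-- 3. Illustrative UNDO statement for the accidental GRANT.
--    Run the statement from the generated data set, not this one.
REVOKE SELECT ON TABLE PAYROLL.EMP FROM USER01;

-- 4. Verify the end state: no row should remain that gives USER01 SELECT
--    on the table, and any rows found in step 2 should be accounted for.
SELECT GRANTOR, GRANTEE, SELECTAUTH, GRANTEDTS
  FROM SYSIBM.SYSTABAUTH
 WHERE TCREATOR = 'PAYROLL'
   AND TTNAME   = 'EMP'
   AND (GRANTEE = 'USER01' OR GRANTOR = 'USER01')
   AND SELECTAUTH <> ' ';
```

Because only an explicitly granted privilege can be revoked, a row returned in step 4 with a different GRANTOR means USER01 still holds SELECT through a separate grant that the UNDO statement does not cover.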