DBSECADM Clause
The REVOKE DBSECADM statement prevents the user to whom the DBSECADM role was granted from issuing DDL statements that can create, alter, rename, or drop security objects, including security policies, security labels, and security components.
Element | Description | Restrictions | Syntax |
---|---|---|---|
user | User from whom the role is to be revoked | Must be the authorization identifier of a user | Owner name |
The DBSECADM role is a built-in role that only the DBSA can revoke. Unlike user-defined roles, whose scope is the database in which the role is created, the scope of the DBSECADM role is all of the databases of the Informix® instance. It is not necessary for DBSA to reissue the REVOKE DBSECADM statement in other databases of the same server.
- ALTER SECURITY LABEL COMPONENT
- CREATE SECURITY LABEL
- CREATE SECURITY LABEL COMPONENT
- CREATE SECURITY POLICY
- DROP SECURITY LABEL
- DROP SECURITY LABEL COMPONENT
- DROP SECURITY POLICY
- RENAME SECURITY LABEL
- RENAME SECURITY LABEL COMPONENT
- RENAME SECURITY POLICY
- ALTER TABLE ... ADD SECURITY POLICY
- ALTER TABLE ... ADD ... IDSSECURITYLABEL [DEFAULT label]
- ALTER TABLE ... ADD ... [COLUMN] SECURED WITH
- ALTER TABLE ... DROP SECURITY POLICY
- ALTER TABLE ... MODIFY ... [COLUMN] SECURED WITH
- ALTER TABLE ... MODIFY ... DROP COLUMN SECURITY
- CREATE TABLE ... COLUMN SECURED WITH
- CREATE TABLE ... IDSSECURITYLABEL [DEFAULT label]
- CREATE TABLE ... SECURITY POLICY
- GRANT EXEMPTION
- GRANT SECURITY LABEL
- GRANT SETSESSIONAUTH
- REVOKE EXEMPTION
- REVOKE SECURITY LABEL
- REVOKE SETSESSIONAUTH
The USER keyword that can follow the FROM keyword is optional, and has no effect, but any authorization identifier that the DBSA specifies in the REVOKE DBSECADM statement must be the identifier of an individual user, rather than the identifier of a role. The user cannot be the DBSA who issues this REVOKE DBSECADM statement.
REVOKE DBSECADM FROM niccolo;
If
this statement executes successfully, user niccolo can no longer
perform the operations listed above.After the DBSECADM role is revoked, only the DBSA can grant it again to the user from whom it was revoked.