Security Policies and Grantees of Exemptions
An exemption applies only to the rules of a single security policy. whose name follows the FOR keyword. Because a protected table can have multiple security labels, but no more than one security policy, revocation of an exemption can prevent a user with insufficient security credentials from accessing data in tables that are protected by the specified security policy.
The REVOKE EXEMPTION statement fails with an error if the specified policy does not exist in the database.
The USER keyword that can follow the FROM keyword is optional, and has no effect, but any authorization identifier specified in the REVOKE EXEMPTION statement must be the identifier of an individual user, rather than the identifier of a role. This user cannot be the DBSECADM who issues the same REVOKE EXEMPTION statement.
REVOKE EXEMPTION ON RULE IDSLBACREADARRAY FOR MegaCorp FROM lynette;
This exemption restores the read access rules for all array components
for subsequent read operations that user lynette attempts
on tables protected by security labels of the specified policy.When the REVOKE EXEMPTION statement successfully cancels an exemption of a user, the database server updates the syssecpolicyexemptions table of the system catalog to unregister the revoked exemption (or multiple exemptions, if several users are listed after the FROM keyword).