Revoking the Execute privilege from PUBLIC

The REVOKE statement supports the following syntax for revoking access to the specified routine from the PUBLIC group, which includes all users who hold the Connect privilege on the database.

Figure 1: REVOKE EXECUTE TO PUBLIC

1  GRANT  Routine level privileges   FROM PUBLIC?  AS ' revoker '
Element Description Restrictions Syntax
revoker Owner of the UDR Cannot be a role Owner name

This statement prevents the PUBLIC group from receiving Execute privileges on the specified routine by default. (Individual users who hold the DBA privilege, however, or who own the routine, or who were granted Execute privilege on the routine individually or through a role, are not affected by this statement.

Only users who hold the DBA privilege can specify the AS revoker clause. The specified revoker must be the owner of the specified routine, as listed in the owner column of the sysprocedures system catalog table. The name cannot be the name of a role or the PUBLIC keyword.

In an ANSI-compliant database, the AS revoker clause is required, rather than optional, if the DBA who issues the REVOKE EXECUTE statement is not the owner of the specified routine.

In databases where the PUBLIC group holds Execute privilege on owner-privileged routines by default, the REVOKE EXECUTE ON PUBLIC statement must be successfully executed before the discretionary access privilege to execute the specified routine can be granted to a subset of users or to one or more roles. Otherwise, only users with the DBA privilege or the owner of the routine can start it.