DB2 revoke user privileges from a database from multiple users

Question

I want to revoke all privileges from all users but one from a database. DB2 10.5 LUW

I was thinking along the lines of:

 db2 "revoke all on database from user IN (select grantee from syscat.dbauth where grantee not IN 'SAFEUSER')"

but I can't get it to work.

Any ideas?

score 1 · Accepted Answer · answered Oct 28 '19 at 16:18

There is no ALL clause in the REVOKE (database authorities) statement.
You may generate the set of statements needed by the following select statement:

select 
  'REVOKE '
|| SUBSTR 
(
  CASE ACCESSCTRLAUTH WHEN 'N' THEN '' ELSE ', ACCESSCTRL' END 
||CASE BINDADDAUTH WHEN 'N' THEN '' ELSE ', BINDADD' END 
||CASE CONNECTAUTH WHEN 'N' THEN '' ELSE ', CONNECT' END 
--- add here expressions with all other *AUTH columns
, 2)
||' ON DATABASE FROM ' 
|| CASE 
     WHEN GRANTEE = 'PUBLIC' THEN ''
     WHEN GRANTEETYPE = 'U' THEN 'USER' 
     WHEN GRANTEETYPE = 'G' THEN 'GROUP' 
     WHEN GRANTEETYPE = 'R' THEN 'ROLE' 
   END
||' '||GRANTEE
from syscat.dbauth
WHERE 'Y' IN 
(
ACCESSCTRLAUTH, BINDADDAUTH, CONNECTAUTH
--- add here all other *AUTH columns separated by ','
)
AND  grantee <> 'SAFEUSER'
;

Does this remove the user entries or just set all privs to N? — arenginsm na, Oct 29 '19 at 09:41
Db2 will remove entries in `syscat.dbauth` is all the AUTH columns are set to `N`. Also for other privileges, you can generate similar statements from `sysibmadm.privileges` — Paul Vernon, Nov 05 '19 at 21:47

DB2 revoke user privileges from a database from multiple users

1 Answers1