RC/Secure revoke collapse does not remove old grants from SYSIBM.SYSUSERAUTH
search cancel

RC/Secure revoke collapse does not remove old grants from SYSIBM.SYSUSERAUTH

book

Article ID: 268580

calendar_today

Updated On:

Products

RC/Secure for DB2 for z/OS

Issue/Introduction

When using RCS revoke impact with the COLLAPSE option,  the revoke and regrants are executed, however, the old grants are still listed from SYSIBM.SYSUSERAUTH when executing RCQ User reports.

Why are the old grants not removed when the COLLAPSE is executed? 

Environment

Release : 20.0

Resolution

Revoke including dependent privileges is controlled via the DB2 subsystem parameter  "REVOKE_DEP_PRIVILEGES". 

If the SSID has REVOKE_DEP_PRIVILEGES = NO, this means REVOKE cannot have a cascade effect.  Hence the entries are still present. 

With REVOKE_DEP_PRIVILEGES = YES,  the entries are not seen after the  collapse command.  

IBM Documentation: