After doing a TSS REVOKE for a DB2PLAN, the user is still authorized to access the DB2PLAN. Neither the ACID signing off and back on, nor issuing a TSS REFRESH(acid) JOBNAME(*), picks up the REVOKE.

DB2 is caching its security calls, so it doesn't have to issue an external security call to security. This saves I/O and CPU when it doesn't have to make a call.

Since the DB2 cache is not a Top Secret cache, Top Secret is not be able to refresh it.

DB2 must provide the functionality to refresh the cache.