Detail View 2005

Date

02.09.2005


Keywords

Authority removed from external security definition (RACF)

Authority removed from external security definition (RACF); however, the user is still able to run the SQL statement. Dynamic statement caching is enabled.

Problem
The customer removed a user's authority to access a DB2 object in RACF and expects the user's next execution of the statement to fail with SQLCODE -551, but it does not.

Cause
Dynamic statement caching is enabled.

Solution
This behavior is documented in Appendix B of the DB2 Administration Guide in a section called "Other considerations for using the access control authorization exit". A bullet in this section talks about caching of dynamic SQL statements:

Dynamic statements can be cached when they have passed the authorization checks (assuming that dynamic statement caching is enabled on your system).
If the privileges that this statement requires are revoked from the authorization ID that is cached with the statement, then this cached statement must be invalidated. If the privilege is revoked in the exit routine, this does not happen, and you must use the SQL statements GRANT and REVOKE to refresh the cache.

When you remove the privilege in RACF, that action is not communicated to DB2® and the cached statement entry is not invalidated, so the user keeps running the already-authorized cached statement. One way to get this cache entry invalidated is to perform a "dummy" GRANT followed by a REVOKE of SELECT authority on the table involved, for the user who is no longer authorized to it. The REVOKE invalidates the cached entry; the next execution of the statement is prepared again, the authorization check goes through the exit, and the RACF denial takes effect.
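The dummy GRANT/REVOKE sequence described above, written out as an added example that is not part of the original hotline answer. The table PAYROLL.EMP and the user ID USER1 are placeholders; the catalog check at the end assumes a DB2 for z/OS catalog with SYSIBM.SYSTABAUTH.

```sql
-- Situation: USER1's READ access to PAYROLL.EMP was removed in RACF,
-- but the statement below is still served from the dynamic statement
-- cache with the authorization already checked, so it keeps succeeding.
SELECT EMPNO, LASTNAME FROM PAYROLL.EMP;          -- still returns rows for USER1

-- Step 1: dummy GRANT, issued by an ID allowed to grant on the table.
GRANT SELECT ON TABLE PAYROLL.EMP TO USER1;

-- Step 2: REVOKE the same privilege. This REVOKE is what invalidates the
-- cached statement(s) that were authorized for USER1 on PAYROLL.EMP.
REVOKE SELECT ON TABLE PAYROLL.EMP FROM USER1;

-- Step 3 (check): confirm the dummy grant left no residual SELECT
-- privilege for USER1 in the DB2 catalog. Expect no rows.
SELECT GRANTEE, TCREATOR, TTNAME, SELECTAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE GRANTEE  = 'USER1'
   AND TCREATOR = 'PAYROLL'
   AND TTNAME   = 'EMP'
   AND SELECTAUTH <> ' ';

-- Step 4: USER1 re-executes the statement. It is prepared again, the
-- authorization check goes through the exit, and RACF now denies it,
-- so the user receives SQLCODE -551 as expected.
SELECT EMPNO, LASTNAME FROM PAYROLL.EMP;          -- SQLCODE -551 for USER1
```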

P.S. Please pass my address to anyone interested in DB2 HOTLINE - thank you.

With kind regards
Michael Dewert, Software Group
DB2 Information Management Software

DB2 is a product of
IBM Corporation. Please
observe the copyright and trademark notices!

© Gernot Ruban