You cannot use host language variables in an embedded Revoke statement.
The revoke statement can be executed by a user who is either the owner of the target object or has been granted permission (using WITH GRANT Option) to use the statement on the specific target object by another user. To revoke database privileges, you must be working in a session that is connected to the iidbdb. If the indicated roles have security audit attributes, the session must also have maintain_audit privilege.
The Revoke statement locks pages in the iidbpriv catalog (if revoking database privileges) or iiprotect catalog, plus pages in the system catalogs that correspond to the object type (table, view, database event, or database procedure).
The following are Revoke statement examples:
revoke query_row_limit on database employee
from role review_emp;
revoke grant option for all on payroll
from public cascade;
revoke execute on procedure mgrbonus
from joeb restrict;
revoke select on employees
from harry cascade;
revoke manager from roger