The REVOKE command sets a flag in the user's profile, in principle it does not affect the user's current sessions. The flag (also called REVOKE) is tested whenever a new session is initiated, in other words, an ACEE is created through RACINIT or RACROUTE REQ=VERIFY.
Existing sessions may be hindered when they initiate work in another address space such as HSM recalls, OMVS work and batch job submission.
A REVOKE at the user (profile) level will prevent subsequent logons from the user ID, it will not stop current logons.
A REVOKE at the group level is effected with a CONNECT user GROUP(group) REVOKE command. It removes the user's authorities that were granted by means of this connect group. If the user has only one connect group, logon will be impossible.
Group connect information is loaded at the time of logon and stored in the user's private area, so changes in their connect group information will be ineffective until they logoff and logon again.
Similar changes to the permits that a user has through their user ID (and not by means of a change in connect groups) can be put into effect through a SETROPTS REFRESH GENERIC(class), but changes to the connect groups won't be effective until you logoff and logon.
------------------------------
Rob van Hoboken
------------------------------