SqlGrantOptionWarn

This check warns a user when SQL contains 'GRANT' statements that include the 'WITH GRANT OPTION' clause so that they can ensure that the privilege being granted won't lead to security issues or violate compliance regulations.

About SqlGrantOptionWarn
Liquibase version required 4.6.0+
Scope (--checks-scope) changelog
Default status enabled
Default severity (exit code) 0 ("INFO")
Customizable settings No (static)

Uses

Use the check to warn when changelogs contain WITH GRANT OPTION statements. Unintended or unauthorized GRANTS can lead to security and compliance issues, especially in regulated industries. This policy check alerts users so they can exercise more control over privileges and permission changes, which is especially important in automated data pipelines, before these changes are deployed to your policy checked environments.

Use SqlGrantOptionWarn

Note: SqlGrantOptionWarn only supports unmodeled changeset types. If you use this Policy Check with modeled changesets (XML, JSON, and YAML changelogs as well as all ChangeTypes except sql and sqlFile), a message will appear stating the changeset was skipped.

Prerequisites

  1. Ensure that you have correctly specified your Liquibase Pro license key.
  2. Ensure that the --checks-scope parameter includes the scope of this check.

For example:

--license-key=<string>
--checks-scope=<string>
globalArgs: { license-key: "<string>" }
cmdArgs: { checks-scope: "<string>" }
liquibase.licenseKey: <string>
liquibase.command.checksScope: <string>
liquibase.licenseKey: <string>
liquibase.command.checks.run.checksScope: <string>
JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checksScope=<string>
JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checks.run.checksScope=<string>
LIQUIBASE_LICENSE_KEY=<string>
LIQUIBASE_COMMAND_CHECKS_SCOPE=<string>
LIQUIBASE_LICENSE_KEY=<string>
LIQUIBASE_COMMAND_CHECKS_RUN_CHECKS_SCOPE=<string>

Enable

This check is enabled by default. To verify that it is currently enabled, run the show command:

liquibase checks show --check-name=<string>

Customize

This check is static, meaning it does not have any customization settings.

Run

To run the check, use the run command:

liquibase checks run --check-name=<string>
stages:
  Default:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs: {check-name: <string>}

And then run the flow command on your flow file:

liquibase flow