SqlGrantSpecificPrivsWarn

This check warns a user when SQL contains GRANT statements that grant specific privileges to a user or role, so that they can ensure that the specific privilege being granted won't lead to security issues or violate compliance regulations.

About SqlGrantSpecificPrivsWarn
Liquibase version required: 4.6.0+
Scope (--checks-scope): changelog
Default status: disabled
Default severity (exit code): 0 ("INFO")
Customizable settings: Yes (dynamic)

Uses

Use this check to warn when changelogs contain GRANT statements that grant specific privileges. Unintended or unauthorized grants of specific privileges can lead to security and compliance issues, especially in regulated industries. The check alerts users so they can exercise more control over privilege and permission changes before those changes are deployed to your policy-checked environments, which is especially important in automated data pipelines. Like other checks, this check can be configured with a severity level whose exit code is designed to stop automated jobs, giving your team time to inspect the changes.

Use SqlGrantSpecificPrivsWarn

Note: SqlGrantSpecificPrivsWarn only supports unmodeled changeset types. If you use this Policy Check with modeled changesets (XML, JSON, and YAML changelogs as well as all ChangeTypes except sql and sqlFile), a message will appear stating the changeset was skipped.
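To make concrete what this check inspects in an unmodeled changelog, the following is an added example and is not Liquibase's implementation of SqlGrantSpecificPrivsWarn (it approximates the check's intent and does not reproduce its exact matching rules). It walks a formatted SQL changelog, collects the SQL body of each `--changeset`, and reports every GRANT whose privilege list is something other than ALL or ALL PRIVILEGES, additionally flagging WITH GRANT OPTION because a grantee who can re-grant deserves a closer look. The sample changelog, the `dba` author, and the `orders`, `reporting_svc`, `etl_svc` and `app_owner` names are constructed for the example. Role grants without an ON clause and column-level privilege lists are deliberately out of scope.

```python
"""Report GRANT statements that confer specific privileges in a Liquibase
formatted SQL changelog.

Added example, not Liquibase's implementation of SqlGrantSpecificPrivsWarn:
it approximates the check's intent so the statements it targets can be
spotted in review or a pre-commit hook. Role grants without an ON clause and
column-level privilege lists (SELECT (col1, col2)) are out of scope here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "--changeset author:id" marks the start of an (unmodeled) SQL changeset.
CHANGESET_RE = re.compile(r"^--\s*changeset\s+(?P<author>[^:\s]+):(?P<id>\S+)", re.IGNORECASE)
# GRANT <privileges> ON <object> TO <grantee>; the grantee stops at whitespace
# so a trailing WITH GRANT OPTION is not swallowed into the name.
GRANT_RE = re.compile(
    r"\bGRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>.+?)\s+TO\s+(?P<grantee>[^;\s]+)",
    re.IGNORECASE | re.DOTALL,
)
GRANT_OPTION_RE = re.compile(r"\bWITH\s+GRANT\s+OPTION\b", re.IGNORECASE)
# Granting everything is not a *specific* privilege; these spellings are skipped.
ALL_PRIVS = {("ALL",), ("ALL PRIVILEGES",)}


@dataclass(frozen=True)
class GrantFinding:
    changeset: str               # "author:id" of the changeset containing the GRANT
    privileges: tuple[str, ...]  # whitespace-normalized, upper-cased privilege names
    obj: str
    grantee: str
    with_grant_option: bool      # grantee may pass the privilege on


def split_changesets(changelog: str) -> list[tuple[str, str]]:
    """Return (changeset name, SQL body) pairs; comment lines are dropped from bodies."""
    changesets: list[tuple[str, list[str]]] = []
    for line in changelog.splitlines():
        m = CHANGESET_RE.match(line.strip())
        if m:
            changesets.append((f"{m['author']}:{m['id']}", []))
        elif changesets and not line.strip().startswith("--"):
            changesets[-1][1].append(line)
    return [(name, "\n".join(body)) for name, body in changesets]


def find_specific_grants(changelog: str) -> list[GrantFinding]:
    """Find GRANTs of specific privileges, in changelog order."""
    findings: list[GrantFinding] = []
    for name, sql in split_changesets(changelog):
        for stmt in sql.split(";"):
            m = GRANT_RE.search(stmt)
            if not m:
                continue
            privs = tuple(" ".join(p.split()).upper() for p in m["privs"].split(","))
            if privs in ALL_PRIVS:
                continue
            findings.append(GrantFinding(
                changeset=name,
                privileges=privs,
                obj=" ".join(m["obj"].split()),
                grantee=m["grantee"],
                with_grant_option=bool(GRANT_OPTION_RE.search(stmt)),
            ))
    return findings


# Constructed sample changelog (not from the original page); the author, table
# and service-account names are invented.
SAMPLE_CHANGELOG = """\
--liquibase formatted sql

--changeset dba:001-create-orders
CREATE TABLE orders (id INT PRIMARY KEY, total DECIMAL(10,2));

--changeset dba:002-reporting-read
-- read-only access for the reporting service account
GRANT SELECT ON orders TO reporting_svc;

--changeset dba:003-etl-write
GRANT SELECT, INSERT, UPDATE ON orders TO etl_svc WITH GRANT OPTION;

--changeset dba:004-owner-all
GRANT ALL PRIVILEGES ON orders TO app_owner;
"""

if __name__ == "__main__":
    for f in find_specific_grants(SAMPLE_CHANGELOG):
        flag = " (WITH GRANT OPTION)" if f.with_grant_option else ""
        print(f"{f.changeset}: GRANT {', '.join(f.privileges)} ON {f.obj} TO {f.grantee}{flag}")
```

Run against the sample, changesets 002 and 003 are reported and 004 is not, which mirrors the distinction the check's name draws between specific privileges and a blanket grant; a real pipeline would still rely on the Liquibase check itself, with its severity set to a non-zero exit code, as the enforcement point.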

Prerequisites

  1. Ensure that you have correctly specified your Liquibase Pro license key.
  2. Ensure that the --checks-scope parameter includes the scope of this check (changelog).

For example:

CLI:

--license-key=<string>
--checks-scope=<string>

Flow file:

globalArgs: { license-key: "<string>" }
cmdArgs: { checks-scope: "<string>" }

Properties file (global argument):

liquibase.licenseKey: <string>
liquibase.command.checksScope: <string>

Properties file (command-specific argument):

liquibase.licenseKey: <string>
liquibase.command.checks.run.checksScope: <string>

JAVA_OPTS (global argument):

JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checksScope=<string>

JAVA_OPTS (command-specific argument):

JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checks.run.checksScope=<string>

Environment variables (global argument):

LIQUIBASE_LICENSE_KEY=<string>
LIQUIBASE_COMMAND_CHECKS_SCOPE=<string>

Environment variables (command-specific argument):

LIQUIBASE_LICENSE_KEY=<string>
LIQUIBASE_COMMAND_CHECKS_RUN_CHECKS_SCOPE=<string>

Enable

This check is disabled by default. To enable it, run the enable command with this check's name:

liquibase checks enable --check-name=SqlGrantSpecificPrivsWarn

When you try to enable the check, Liquibase displays the following message:

This check can not be enabled directly because one or more fields does not have a default value.  Create a copy of this check and initiate the customization workflow.

Liquibase then prompts you to specify a name for the new check. By default, the name of the copy is <CheckName>1. You can use the default value by pressing Enter or you can specify a custom name.

Customize

This check is dynamic, meaning you can customize its settings (see the About table above). The CLI prompts you for each customizable field when you enable or customize the check.

  1. Once you've enabled the check, follow the steps in the CLI to set new values:
    • Default values are shown in [brackets]. You can use these by pressing Enter. Alternatively, specify custom values.
    • If a customization setting does not have a default value, you must specify custom values.
  2. When finished, verify that your configuration is correct by running the show command:

     liquibase checks show --check-name=<string>

  3. If you need to make any other changes, run the customize command:

     liquibase checks customize --check-name=<string>

    Note: If you want to create another variant of this check with different settings, use the copy command to create a copy of the original check and then use the customize command to customize it.

Run

To run the check, use the run command. Because enabling this check creates a customized copy, pass the name of that copy (SqlGrantSpecificPrivsWarn1 by default) as the check name.

CLI:

liquibase checks run --check-name=<string>

Flow file:

stages:
  Default:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs: {check-name: <string>}

And then run the flow command on your flow file:

liquibase flow