MultipleGrantsNotAllowed

Last updated: January 30, 2026

MultipleGrantsNotAllowed is a custom policy check that does not allow Multiple GRANT statements in a Liquibase Pro changeset.

regex: (?is)[\t\r\n\s]*\bgrant\b[\t\r\n\s]+.*[\t\r\n\s]+\bgrant\b[\t\r\n\s]+

Before you begin

Scope

Database

changelog

Relational

  • Liquibase 4.29.0+

  • Python 3.10.14+

  • Configure a valid Liquibase Pro license key

  • Create a Check Settings file

  • Ensure the Liquibase Checks extension is installed. In Liquibase 4.31.0+, it is already installed in the /liquibase/internal/lib directory, so no action is needed.

  • If the checks JAR is not installed, download liquibase-checks-<version>.jar and put it in the liquibase/lib directory.

    • Maven users only:

      Add this dependency to your pom.xml

      file: <dependency> <groupId>org.liquibase.ext</groupId> <artifactId>liquibase-checks</artifactId> <version>2.0.0</version> </dependency>

  • Java Development Kit 17+ (available for Open JDK and Oracle JDK)

  • Linux, macOS, or Windows operating system

Procedure

These steps describe how to create the Custom Policy Check. It does not exist by default in Liquibase Pro.

1

Run this command in the CLI:

liquibase checks customize --check-name=SqlUserDefinedPatternCheck
2

Give your check a short name for easy identification

Use up to 64 alpha-numeric characters only.

In this example we will use:
MultipleGrantsNotAllowed
3

Set the Severity to return a code of 0-4 when triggered.

These severity codes allow you to determine if the job moves forward or stops when this check triggers. Learn more here: Use Policy Checks in Automation: Severity and Exit Code options: 'INFO'=0, 'MINOR'=1, 'MAJOR'=2, 'CRITICAL'=3, 'BLOCKER'=4

4

Set the SEARCH_STRING to this valid regular expression:

Regular expression search string:
(?is)[\t\r\n\s]*\bgrant\b[\t\r\n\s]+.*[\t\r\n\s]+\bgrant\b[\t\r\n\s]+
5

Set the MESSAGE to display when a match for the regular expression <SEARCH_STRING> is found in a Changeset.

In this example we will use:
Error! Multiple GRANT statements not allowed in a single changeset. Only a single GRANT statement is allowed.
6

Set STRIP_COMMENTS to true if you want to remove the comments from the output.

Results

The regex custom policy check is created successfully.

Sample passing script

--changeset amalik:ORACLE_grant GRANT SELECT ON TABLE sales TO appUser1; --changeset amalik:SQLSERVER_grants GRANT CONTROL ON dbo::CustOrderHist TO appUser;

Sample failing scripts

--changeset amalik:ORACLE_grant GRANT SELECT ON TABLE sales TO appUser1; GRANT EXECUTE TO appUser1; --changeset amalik:SQLSERVER_grants GRANT CONTROL ON dbo::CustOrderHist TO appUser; GRANT CONTROL ON dbo::CustOrderHist TO appUser; GRANT SHOWPLAN ON dbo::CustOrderHist TO appUser; GRANT CREATE VIEW ON dbo::CustOrderHist TO appUser;

Sample error message

CHANGELOG CHECKS ---------------- Checks completed validation of the changelog and found the following issues: Check Name:         Check for specific patterns in sql (MultipleGrantsNotAllowed) Changeset ID:       ORACLE_grant Changeset Filepath: changeLogs/1_tables/03_grants.sql Check Severity:     BLOCKER (Return code: 4) Message:            Error! Multiple GRANT statements not allowed in a single                     changeset. Only a single GRANT statement is allowed.