NoGrantAll
Last updated: January 30, 2026
NoGrantAll is a custom policy check that does not allow ALL or ALL PRIVILEGES grants.
Regex: PRIVILEGE_LIST: ALL,"ALL PRIVILEGES"
This example utilizes Oracle. You can use this check as it is or customize it further to fit your needs in your SQL database. All Regex Custom Policy Checks can only run against the changelog, not against the database.
Before you begin
Scope | Database |
changelog | Oracle |
Liquibase 4.29.0+
Configure a valid Liquibase Pro license key
Ensure the Liquibase Checks extension is installed. In Liquibase 4.31.0+, it is already installed in the
/liquibase/internal/libdirectory, so no action is needed.If the checks JAR is not installed, download
liquibase-checks-<version>.jarand put it in theliquibase/libdirectory.Maven users only:
Add this dependency to your pom.xml file:
<dependency>
<groupId>org.liquibase.ext</groupId>
<artifactId>liquibase-checks</artifactId>
<version>2.0.0</version>
</dependency>
Java Development Kit 17+ (available for Open JDK and Oracle JDK)
Linux, macOS, or Windows operating system
Procedure
These steps describe how to create the Custom Policy Check. It does not exist by default in Liquibase Pro.
Run this command in the CLI:
liquibase checks customize --check-name=SqlUserDefinedPatternCheckGive your check a short name for easy identification
Use up to 64 alpha-numeric characters only.
In this example we will use:
NoGrantAllSet the Severity to return a code of 0-4 when triggered.
These severity codes allow you to determine if the job moves forward or stops when this check triggers.
Learn more here: Use Policy Checks in Automation: Severity and Exit Code
options: 'INFO'=0, 'MINOR'=1, 'MAJOR'=2, 'CRITICAL'=3, 'BLOCKER'=4
Set the PRIVILEGE_LIST of database privileges for users and roles, separated by commas.
ALL,"ALL PRIVILEGES"Set the MESSAGE to display when a match for the regular expression <SEARCH_STRING> is found in a Changeset.
In this example we will use:
All DELETE statements must have a WHERE clause.Set STRIP_COMMENTS to true if you want to remove the comments from the output.
Results
The regex custom policy check is created successfully.
Sample Failing Scripts
GRANT ALL PRIVILEGES TO user1;
Sample Error Message
CHANGELOG CHECKS
----------------
Checks completed validation of the changelog and found the following issues:
Check Name: Warn on Grant of Specific Privileges (NoGrantAll)
Changeset ID: grant_all_to_user1
Changeset Filepath: changeLogs/1_tables/03_grants.sql
Check Severity: BLOCKER (Return code: 4)
Message: Change set grant_all_to_user1 contains '"ALL PRIVILEGES"'