Secure 5.0: SQLGrantAdminWarn

SQLGrantAdminWarn

Last updated: January 22, 2026

Identifies highly sensitive GRANT statements that include WITH ADMIN OPTION, which allows recipients to grant and revoke the same administrative privileges to others, helping prevent security risks from uncontrolled admin role distribution.

Uses

Property	Value
Liquibase version required	4.6.0+
Scope (--checks-scope)	changelog
Default status	enabled
Default severity (exit code)	0 ("INFO")
Customizable settings	No (static)

Note: SQLGrantAdminWarn only supports unmodeled changeset types. If you use this Policy Check with modeled changesets (XML, JSON, and YAML changelogs as well as all ChangeTypes except sql and sqlFile), a message will appear stating the changeset was skipped.

Before you begin

Ensure that you have correctly specified your Liquibase Secure license key.
Ensure that the --checks-scope parameter includes the scope of this check.

Changelog checks prerequisites

--license-key=<string>
--checks-scope=<string>

globalArgs: { license-key: "<string>" }
cmdArgs: { checks-scope: "<string>" }

liquibase.licenseKey: <string>
liquibase.command.checksScope: <string>
liquibase.command.checks.run.checksScope: <string>

JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checksScope=<string>
JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checks.run.checksScope=<string>

LIQUIBASE_LICENSE_KEY=<string>
LIQUIBASE_COMMAND_CHECKS_SCOPE=<string>
LIQUIBASE_COMMAND_CHECKS_RUN_CHECKS_SCOPE=<string>

--license-key=<string>
--checks-scope=<string>

globalArgs: { license-key: "<string>" }
cmdArgs: { checks-scope: "<string>" }

liquibase.licenseKey: <string>
liquibase.command.checksScope: <string>
liquibase.command.checks.run.checksScope: <string>

JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checksScope=<string>
JAVA_OPTS=-Dliquibase.licenseKey=<string> -Dliquibase.command.checks.run.checksScope=<string>

LIQUIBASE_LICENSE_KEY=<string>
LIQUIBASE_COMMAND_CHECKS_SCOPE=<string>
LIQUIBASE_COMMAND_CHECKS_RUN_CHECKS_SCOPE=<string>

Procedure

Enable

This check is enabled by default. To verify that it is currently enabled, run the checks show command:

liquibase checks show --check-name=<string>

To run the check, use the checks run command.

liquibase checks run --check-name=<string>

stages:
  Default:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs: {check-name: <string>}

liquibase checks run --check-name=<string>

stages:
  Default:
    actions:
      - type: liquibase
        command: checks run
        cmdArgs: {check-name: <string>}

Note: For flow files you'll need to run liquibase flow to apply your changes.

SQLGrantAdminWarn

Uses

Before you begin

Changelog checks prerequisites

CLI

Flow

liquibase.properties

JAVA_OPTS

Environment variable

Procedure

Enable

To run the check, use the checks run command.

CLI example

Flow example