SqlRevokeWarn
Last updated: January 22, 2026
Flags REVOKE statements in SQL that remove database privileges from users or roles, allowing you to verify that removing these permissions will not accidentally break application functionality or prevent legitimate access to critical data.
Uses
Property | Value |
Liquibase version required | 4.5.0+ |
Scope (--checks-scope) | changelog |
Default status | enabled |
Default severity (exit code) | 0 ("INFO") |
Customizable settings | No (static) |
Note: A REVOKE statement might be used in a lower environment (such as Test or Staging), but should only be used with extreme care in higher environments, such as Production. This check can even be configured to stop automated jobs which contain REVOKE.
Note: SqlRevokeWarn only supports unmodeled changeset types. If you use this Policy Check with modeled changesets (XML, JSON, and YAML changelogs as well as all ChangeTypes except sql and sqlFile), a message will appear stating the changeset was skipped.
Before you begin
Ensure that you have correctly specified your Liquibase Secure license key.
Ensure that the
--checks-scopeparameter includes the scope of this check.
Changelog checks prerequisites
Procedure
Enable
This check is enabled by default. To verify that it is currently enabled, run the checks show command:
liquibase checks show --check-name=<string>
To run the check, use the checks run command.
Note: For flow files you'll need to run liquibase flow to apply your changes.