SQL GRANT / REVOKE β Secure Your Database with Permission Control
Introduction β Why GRANT and REVOKE Matter
In multi-user database environments, not everyone should have unrestricted access. The GRANT and REVOKE statements in SQL are used to assign or revoke privileges to users or roles. This provides precise control over who can read, modify, or administer database objects like tables, views, or stored procedures.
Without proper permission management, your system is vulnerable to accidental data corruption, unauthorized access, and compliance violations.
In this guide, youβll learn:
- What GRANT and REVOKE do
- Syntax and examples for common permissions
- How to manage user roles and access
- Platform-specific differences (MySQL, PostgreSQL, SQL Server)
- Best practices and common pitfalls
1. What Are SQL GRANT and REVOKE?
GRANT
Gives specific users or roles permission to access or modify database objects.
REVOKE
Removes previously granted privileges, effectively restricting access.
2. Common Privileges in SQL
| Privilege | Description |
|---|---|
SELECT | Read data from a table or view |
INSERT | Add new rows |
UPDATE | Modify existing rows |
DELETE | Remove rows |
EXECUTE | Run stored procedures or functions |
ALL PRIVILEGES | Grant everything on the object |
3. GRANT Syntax & Examples
GRANT on Table (MySQL / PostgreSQL)
GRANT SELECT, INSERT ON employees TO 'jane'@'localhost';
Jane can now view and add rows to the employees table.
GRANT in SQL Server
GRANT SELECT, UPDATE ON dbo.employees TO Jane;
Use GO or run as a batch if combining multiple grants.
GRANT EXECUTE on Stored Procedure
GRANT EXECUTE ON get_salary TO 'jane'@'localhost';
4. REVOKE Syntax & Examples
REVOKE in MySQL / PostgreSQL
REVOKE SELECT ON employees FROM 'jane'@'localhost';
Jane can no longer view data from employees.
REVOKE in SQL Server
REVOKE SELECT ON dbo.employees FROM Jane;
Use DENY instead of REVOKE to explicitly forbid access, even if granted by a role.
5. Using Roles for Scalable Access Control
Rather than assigning permissions to individual users, itβs better to group privileges into roles.
PostgreSQL
CREATE ROLE readonly;
GRANT CONNECT ON DATABASE hrdb TO readonly;
GRANT USAGE, SELECT ON ALL TABLES IN SCHEMA public TO readonly;
GRANT readonly TO alice;
SQL Server
CREATE ROLE ReadOnlyRole;
GRANT SELECT ON dbo.employees TO ReadOnlyRole;
EXEC sp_addrolemember 'ReadOnlyRole', 'Alice';
6. Best Practices & Pitfalls
| Best Practices | Avoid This |
|---|---|
| Use roles instead of user-level grants | Granting permissions individually to each user |
| Regularly audit user privileges | Leaving old or unused accounts active |
| Apply least-privilege access principle | Using GRANT ALL by default |
| Document all permission changes | Making changes without change tracking |
Summary β Recap & Real-World Impact
SQL GRANT and REVOKE are essential for securing your database system, enforcing access control, and meeting regulatory compliance requirements.
Key Takeaways:
- Use
GRANTto allow andREVOKEto restrict user actions - Prefer role-based access management
- Be specific with privileges, avoid
ALLunless necessary
Real-World Relevance:
From financial systems to healthcare databases, permission control is vital to ensure data safety and accountability.
FAQ β SQL GRANT / REVOKE
Whatβs the difference between REVOKE and DENY in SQL Server?
REVOKE removes permission, DENY explicitly blocks itβeven if granted elsewhere.
How can I view current permissions?
- PostgreSQL: Use
\zinpsql - MySQL: Run
SHOW GRANTS FOR 'user'@'host'; - SQL Server: Use
fn_my_permissions()or SSMS
Can I revoke a GRANT given by another user?
Only if you have admin option or are a superuser/DBA.
Is it safe to use GRANT ALL?
Avoid it unless absolutely necessaryβviolates the principle of least privilege.
Share Now :
