v.21.4 New Features

Add Optional GRANTEES Clause to CREATE/ALTER USER Commands

Add a new optional clause GRANTEES for CREATE/ALTER USER commands. It specifies users or roles which are allowed to receive grants from this user, on condition that this user also has all the required access granted with grant option. By default, GRANTEES ANY is used, which means a user with grant option can grant to anyone. Syntax: CREATE USER ... GRANTEES {user | role | ANY | NONE} [,...] [EXCEPT {user | role} [,...]]. #21641 (Vitaly Baranov).
Introduces a new optional GRANTEES clause for CREATE USER and ALTER USER commands to control which users or roles can receive grants from the specified user.

Why it matters

This feature gives tighter control over privilege delegation: it specifies exactly which users or roles are authorized to receive grants from a user who holds privileges with grant option, which prevents unauthorized privilege delegation.

How to use it

Use the GRANTEES clause within the CREATE USER or ALTER USER statements as follows:

CREATE USER ... GRANTEES {user | role | ANY | NONE} [,...] [EXCEPT {user | role} [,...]]


By default, GRANTEES ANY is assumed, allowing the user to grant privileges to anyone. To restrict grantees, specify users or roles explicitly along with optional EXCEPT exclusions.
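
The following walk-through is an added example, not taken from the ClickHouse changelog or documentation. It shows a delegated account whose grants are limited to a listed role and user, then narrowed further with ALTER USER. All user, role and database names (team_lead, analysts, alice, bob, reports) are hypothetical.

```sql
-- Constructed scenario; every name below is hypothetical.
-- Authentication clauses (IDENTIFIED ...) are omitted to keep the focus on GRANTEES;
-- add them in real use.

CREATE ROLE analysts;
CREATE USER alice;
CREATE USER bob;

-- team_lead may pass privileges on only to the analysts role and to alice.
CREATE USER team_lead GRANTEES analysts, alice;

-- GRANTEES only limits the recipients. team_lead still needs the privilege
-- itself, granted WITH GRANT OPTION, before it can delegate anything.
GRANT SELECT ON reports.* TO team_lead WITH GRANT OPTION;

-- Run as team_lead:
GRANT SELECT ON reports.* TO analysts;  -- allowed: analysts is listed in GRANTEES
GRANT SELECT ON reports.* TO alice;     -- allowed: alice is listed in GRANTEES
GRANT SELECT ON reports.* TO bob;       -- rejected: bob is not listed in GRANTEES

-- Run as an administrator: allow any recipient except bob.
ALTER USER team_lead GRANTEES ANY EXCEPT bob;

-- Run as an administrator: stop delegation by team_lead entirely.
ALTER USER team_lead GRANTEES NONE;

-- Review the resulting definition, including its GRANTEES clause.
SHOW CREATE USER team_lead;
```

Accounts that hold privileges WITH GRANT OPTION but were created without a GRANTEES clause fall under the default GRANTEES ANY, so they are the ones to review first when tightening delegation.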