v.24.3 Improvement

Improvements to Access Checks for Revoking Unpossessed Rights

Improvements to the access checks, allowing unpossessed rights to be revoked in case the target user doesn't have the revoking grants either. Example: GRANT SELECT ON *.* TO user1; REVOKE SELECT ON system.* FROM user1; #61115 (pufit).
Enhanced access checks to allow revoking privileges even when the revoking user does not possess the same grants.

Why it matters

This feature addresses the issue where users were unable to revoke privileges they did not themselves have. It enables more flexible and precise privilege management, allowing administrators to revoke permissions from users regardless of their own grant scope. This improves security and access control management in ClickHouse.

How to use it

Users can revoke privileges as usual with the REVOKE statement, regardless of whether they possess the revoked privileges. For example:

GRANT SELECT ON *.* TO user1;
REVOKE SELECT ON system.* FROM user1;


This behavior is now supported by the improved access checks. No additional configuration is required.