Bug #16692 Allow deny in privileges
Submitted: 21 Jan 2006 1:12 Modified: 9 May 2018 10:12
Reporter: Michael Caldwell Email Updates:
Status: Verified Impact on me:
Category:MySQL Server: Security: Privileges Severity:S4 (Feature request)
Version:5.0.16 OS:Windows (Windows)
Assigned to: CPU Architecture:Any

[21 Jan 2006 1:12] Michael Caldwell
I believe the request verification should go through the entire ACL. I have a system where i need an app_admin to create a separate database for each user that is accessed by app_user. app_user needs to have access to all the new databases, but I do not want app_admin to have grant privileges and i don't want either of them to have access to the mysql database.

How to repeat:
I would like to be able to do the following grant create, drop on *.* to app_admin, revoke all on mysql.* from app_admin, grant select, insert, update, delete on *.* to app_user, revoke all on mysql.* from app_user.

Suggested fix:
If the verification system went through user, db, table, and column privileges all the time I could grant at the user level and revoke at the db level.
[21 Mar 2008 20:21] William Finn
I would like to second this request.

I am right now trying to write a script to publish an application.  The old database needs to become read-only.

I would love to be able to do this by just running something similar to

Instead of having to hunt through each grant table to ensure nobody but root has those privs.

Could have a runtime option to swap the allow,deny order similar to Apache.
Have additional 'revoke' tables that limit access instead of granting.
[31 Jan 2023 6:32] MySQL Verification Team
William,  Try --partial-revokes=ON  option.


I'd like it to work for individual tables/columns but it doesn't.