How to fix PostgreSQL 2B000 dependent privilege descriptors still exist?

Use CASCADE to revoke the grant option and all dependent grants: CASCADE causes Postgres to recursively revoke all grants that depended on the grant option being removed.

2B000

PostgreSQLERRORNotableDependent Privilege Descriptors Still ExistHIGH confidence

dependent privilege descriptors still exist

What this means

SQLSTATE 2B000 is raised when a REVOKE GRANT OPTION statement cannot complete because there are dependent grant options — other roles received the privilege through the grant option that is being revoked. Use REVOKE ... CASCADE to propagate the revocation.

Why it happens

1REVOKE GRANT OPTION FOR on a privilege that was further granted by the grantee to other roles

How to reproduce

Revoking grant option where sub-grants exist.

trigger — this will error

-- manager was granted SELECT WITH GRANT OPTION
-- manager then granted SELECT to analyst
REVOKE GRANT OPTION FOR SELECT ON employees FROM manager; -- 2B000: analyst still has it

expected output

ERROR:  dependent privileges exist

Fix

Use CASCADE to revoke the grant option and all dependent grants

WHEN When the full privilege chain should be removed.

Use CASCADE to revoke the grant option and all dependent grants

REVOKE GRANT OPTION FOR SELECT ON employees FROM manager CASCADE;

Why this works

CASCADE causes Postgres to recursively revoke all grants that depended on the grant option being removed.

What not to do

✕ Leave dependent privileges in place and ignore 2B000

Roles downstream in the grant chain will retain access that was intended to be removed.

Sources

Official documentation ↗

Class 2B — Dependent Privilege Descriptors Still Exist

Content generated with AI assistance and reviewed for accuracy. Found an error? hello@errcodes.dev

At a glance

PlatformPostgreSQL SQLSTATE Errors

Code2B000

ClassDependent Privilege Descriptors Still Exist

SeverityERROR

TierNotable

ConfidenceHIGH