Before revoking a grantee's permission, you must identify grantees directly or indirectly granted the permission from the original grantee.
The grant chain traces how a grantee has in turn granted a permission to other grantees.
When you view the object permissions granted to a specific user, user-extended role, or standalone role, you see only the permissions granted. You do not see who the user or role has in turn granted the permissions to.
To determine who the selected user or role has in turn granted an object permission to, note the table, column name (if applicable), and the permission to be traced, then display the permissions list for the table object being traced. See Following the Table Permissions Grant Trail.