Granular permissions are used to grant system privileges, allowing you to construct site-specific roles with privileges to match your requirements, and restrict system administrators and database owners from accessing user data.

Grantable system privileges allow you to enforce “separation of duties,” which requires that, for particular sets of operations no single individual is allowed to execute all operations within the set and “least privilege,” which requires that all users in an information system should be granted as few privileges as are required to do the job.

You cannot revoke or grant one privilege from—or to—another privilege. However, privileges may overlap what the grantee can do. Possessing one privilege may imply possessing another, more granular, privilege.

Enabling granular permissions reconstructs system-defined roles (sa_role, sso_role, oper_role, and replication_role) as privilege containers consisting of a set of explicitly granted privileges. You can revoke explicitly granted system privileges from system-defined roles and regranted them to the roles.