The service account was granted privileges at database level but a new table was created after the GRANT statement — new tables inherit no explicit table-level grants if the original GRANT used a table list rather than db.*. A schema migration (Flyway, Liquibase, dbt) created or renamed a table and the CI/CD pipeline does not include a post-migration GRANT step. The MySQL user connects from a different host than the GRANT specifies — e.g. granted to 'user'@'10.0.0.%' but the ADF integration runtime connects from a public IP outside that range, causing MySQL to fall back to the anonymous user with no privileges. GRANT was issued with a typo in the database or table name (case-sensitive on Linux filesystems) so the privilege exists but does not match the actual object. A partial revoke (MySQL 8.0+) or explicit REVOKE on a specific table overrides a broader database-level grant. The user was created with REQUIRE SSL but the pipeline connector does not negotiate TLS, causing MySQL to reject all statements with a generic permission error

Step 1: Identify the exact user and host MySQL matched — connect as root and run: `SELECT user, host FROM mysql.user WHERE user = 'your_service_account';` then compare with the host shown in the error message.. Step 2: Check current grants for that user+host combination: `SHOW GRANTS FOR 'your_user'@'matched_host';` — look for the missing privilege on the specific table.. Step 3: Grant the missing privilege at the appropriate scope. For a single table: `GRANT SELECT, INSERT, UPDATE ON your_db.your_table TO 'your_user'@'%'; FLUSH PRIVILEGES;` For all tables in the database: `GRANT SELECT, INSERT, UPDATE, DELETE ON your_db.* TO 'your_user'@'%'; FLUSH PRIVILEGES;`. Step 4: If using MySQL 8.0+ with partial revokes enabled, check for explicit revokes: `SELECT * FROM mysql.global_grants WHERE USER = 'your_user'; SELECT * FROM information_schema.table_privileges WHERE GRANTEE LIKE '%your_user%';`. Step 5: Verify the fix by running the exact failing statement as the service account: `mysql -u your_user -p -h host -e "SELECT 1 FROM your_db.your_table LIMIT 1;"`. Step 6: If the error occurs after schema migrations, add a post-migration GRANT step to your CI/CD pipeline. Example for dbt: add a run-operation hook that calls a macro executing `GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER ON {{ target.schema }}.* TO 'dbt_user'@'%';`. Step 7: Re-trigger the failed pipeline run (ADF re-run, dbt retry, Power BI dataset refresh) and confirm the error no longer appears in the activity output.

High severitypermission

MySQL Error:
1142

What does this error mean?

MySQL returns error 1142 when a connected user attempts a SQL statement (SELECT, INSERT, UPDATE, DELETE, DROP, ALTER) on a table where that specific privilege has not been granted. In data-pipeline contexts this typically surfaces when an ADF copy activity, dbt run, or Power BI DirectQuery refresh executes against a table the service account cannot access. The engineer sees the pipeline fail with 'command denied to user 'x'@'host' for table 'y'' — often minutes after a schema migration added new tables or a DBA rotated credentials without replicating grants. The error is deterministic: retries will never succeed until the privilege is explicitly granted.

Common causes

1The service account was granted privileges at database level but a new table was created after the GRANT statement — new tables inherit no explicit table-level grants if the original GRANT used a table list rather than db.*
2A schema migration (Flyway, Liquibase, dbt) created or renamed a table and the CI/CD pipeline does not include a post-migration GRANT step
3The MySQL user connects from a different host than the GRANT specifies — e.g. granted to 'user'@'10.0.0.%' but the ADF integration runtime connects from a public IP outside that range, causing MySQL to fall back to the anonymous user with no privileges
4GRANT was issued with a typo in the database or table name (case-sensitive on Linux filesystems) so the privilege exists but does not match the actual object
5A partial revoke (MySQL 8.0+) or explicit REVOKE on a specific table overrides a broader database-level grant
6The user was created with REQUIRE SSL but the pipeline connector does not negotiate TLS, causing MySQL to reject all statements with a generic permission error

How to fix it

1Step 1: Identify the exact user and host MySQL matched — connect as root and run: `SELECT user, host FROM mysql.user WHERE user = 'your_service_account';` then compare with the host shown in the error message.
2Step 2: Check current grants for that user+host combination: `SHOW GRANTS FOR 'your_user'@'matched_host';` — look for the missing privilege on the specific table.
3Step 3: Grant the missing privilege at the appropriate scope. For a single table: `GRANT SELECT, INSERT, UPDATE ON your_db.your_table TO 'your_user'@'%'; FLUSH PRIVILEGES;` For all tables in the database: `GRANT SELECT, INSERT, UPDATE, DELETE ON your_db.* TO 'your_user'@'%'; FLUSH PRIVILEGES;`
4Step 4: If using MySQL 8.0+ with partial revokes enabled, check for explicit revokes: `SELECT * FROM mysql.global_grants WHERE USER = 'your_user'; SELECT * FROM information_schema.table_privileges WHERE GRANTEE LIKE '%your_user%';`
5Step 5: Verify the fix by running the exact failing statement as the service account: `mysql -u your_user -p -h host -e "SELECT 1 FROM your_db.your_table LIMIT 1;"`
6Step 6: If the error occurs after schema migrations, add a post-migration GRANT step to your CI/CD pipeline. Example for dbt: add a run-operation hook that calls a macro executing `GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER ON {{ target.schema }}.* TO 'dbt_user'@'%';`
7Step 7: Re-trigger the failed pipeline run (ADF re-run, dbt retry, Power BI dataset refresh) and confirm the error no longer appears in the activity output.

Example log output

2026-05-11 08:15:03 [ERROR] mysqld: Access denied for user 'adf_service'@'10.0.1.42' (using password: YES)
ERROR 1142 (42000): SELECT command denied to user 'adf_service'@'10.0.1.42' for table 'dim_customers'
Copy activity 'Copy_MySQL_DimCustomers' failed: ErrorCode=UserErrorDatabaseAccessDenied, Message='command denied to user'

Frequently asked questions

What MySQL privileges does an ADF service account need for a copy activity?

For source (read): SELECT. For sink (write): INSERT, UPDATE, DELETE, and CREATE if ADF manages table creation. Grant these at the database level: `GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON db.* TO 'adf_user'@'%'; FLUSH PRIVILEGES;`

What MySQL privileges does a dbt service account need?

dbt needs SELECT, CREATE, DROP, INSERT, UPDATE, DELETE, ALTER, and REFERENCES on the target schema. Grant: `GRANT SELECT, CREATE, DROP, INSERT, UPDATE, DELETE, ALTER, REFERENCES ON db.* TO 'dbt_user'@'%'; FLUSH PRIVILEGES;`

Does error 1142 auto-resolve on retry or do I need to fix the grant first?

It never auto-resolves. Error 1142 is deterministic — the privilege check fails every time until you issue an explicit GRANT. Configuring retries in ADF or dbt only delays your alert; the pipeline will fail on every attempt.

Can MetricSign detect when privilege changes break a pipeline?

Yes — MetricSign captures the ADF or dbt failure event, extracts the MySQL error code, and classifies it as a permission incident. You get an alert within minutes specifying which table and privilege triggered 1142, so you can fix it before downstream consumers notice stale data.

Source · dev.mysql.com/doc/mysql-errors/8.0/en/server-error-reference.html