diff --git a/docs/generated/settings/settings-for-tenants.txt b/docs/generated/settings/settings-for-tenants.txt
index 2e534d59dee7..d26e72bb2eac 100644
--- a/docs/generated/settings/settings-for-tenants.txt
+++ b/docs/generated/settings/settings-for-tenants.txt
@@ -167,4 +167,4 @@ trace.debug.enable	boolean	false	if set, traces for recent requests can be seen
 trace.jaeger.agent	string		the address of a Jaeger agent to receive traces using the Jaeger UDP Thrift protocol, as <host>:<port>. If no port is specified, 6381 will be used.
 trace.opentelemetry.collector	string		address of an OpenTelemetry trace collector to receive traces using the otel gRPC protocol, as <host>:<port>. If no port is specified, 4317 will be used.
 trace.zipkin.collector	string		the address of a Zipkin instance to receive traces, as <host>:<port>. If no port is specified, 9411 will be used.
-version	version	21.2-12	set the active cluster version in the format '<major>.<minor>'
+version	version	21.2-14	set the active cluster version in the format '<major>.<minor>'
diff --git a/docs/generated/settings/settings.html b/docs/generated/settings/settings.html
index b58e9981d400..ffa56d38fee7 100644
--- a/docs/generated/settings/settings.html
+++ b/docs/generated/settings/settings.html
@@ -172,6 +172,6 @@
 <tr><td><code>trace.jaeger.agent</code></td><td>string</td><td><code></code></td><td>the address of a Jaeger agent to receive traces using the Jaeger UDP Thrift protocol, as <host>:<port>. If no port is specified, 6381 will be used.</td></tr>
 <tr><td><code>trace.opentelemetry.collector</code></td><td>string</td><td><code></code></td><td>address of an OpenTelemetry trace collector to receive traces using the otel gRPC protocol, as <host>:<port>. If no port is specified, 4317 will be used.</td></tr>
 <tr><td><code>trace.zipkin.collector</code></td><td>string</td><td><code></code></td><td>the address of a Zipkin instance to receive traces, as <host>:<port>. If no port is specified, 9411 will be used.</td></tr>
-<tr><td><code>version</code></td><td>version</td><td><code>21.2-12</code></td><td>set the active cluster version in the format '<major>.<minor>'</td></tr>
+<tr><td><code>version</code></td><td>version</td><td><code>21.2-14</code></td><td>set the active cluster version in the format '<major>.<minor>'</td></tr>
 </tbody>
 </table>
diff --git a/docs/generated/sql/bnf/grant_stmt.bnf b/docs/generated/sql/bnf/grant_stmt.bnf
index c532da5452f9..dc69eb2944ec 100644
--- a/docs/generated/sql/bnf/grant_stmt.bnf
+++ b/docs/generated/sql/bnf/grant_stmt.bnf
@@ -1,6 +1,6 @@
 grant_stmt ::=
-	'GRANT' 'ALL' 'PRIVILEGES' 'ON' targets 'TO' role_spec_list
-	| 'GRANT' 'ALL'  'ON' targets 'TO' role_spec_list
-	| 'GRANT' privilege_list 'ON' targets 'TO' role_spec_list
+	'GRANT' 'ALL' 'PRIVILEGES' 'ON' targets 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' 'ALL'  'ON' targets 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privilege_list 'ON' targets 'TO' role_spec_list opt_with_grant_option
 	| 'GRANT' privilege_list 'TO' role_spec_list
 	| 'GRANT' privilege_list 'TO' role_spec_list 'WITH' 'ADMIN' 'OPTION'
diff --git a/docs/generated/sql/bnf/revoke_stmt.bnf b/docs/generated/sql/bnf/revoke_stmt.bnf
index 4f23347ed806..a24e96e31624 100644
--- a/docs/generated/sql/bnf/revoke_stmt.bnf
+++ b/docs/generated/sql/bnf/revoke_stmt.bnf
@@ -2,5 +2,8 @@ revoke_stmt ::=
 	'REVOKE' 'ALL' 'PRIVILEGES' 'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' 'ALL'  'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' 'ALL' 'PRIVILEGES' 'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' 'ALL'  'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privilege_list 'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'FROM' role_spec_list
 	| 'REVOKE' 'ADMIN' 'OPTION' 'FOR' privilege_list 'FROM' role_spec_list
diff --git a/docs/generated/sql/bnf/stmt_block.bnf b/docs/generated/sql/bnf/stmt_block.bnf
index f95a931f3590..e6d71bb4d667 100644
--- a/docs/generated/sql/bnf/stmt_block.bnf
+++ b/docs/generated/sql/bnf/stmt_block.bnf
@@ -74,23 +74,27 @@ discard_stmt ::=
 	'DISCARD' 'ALL'
 
 grant_stmt ::=
-	'GRANT' privileges 'ON' targets 'TO' role_spec_list
+	'GRANT' privileges 'ON' targets 'TO' role_spec_list opt_with_grant_option
 	| 'GRANT' privilege_list 'TO' role_spec_list
 	| 'GRANT' privilege_list 'TO' role_spec_list 'WITH' 'ADMIN' 'OPTION'
-	| 'GRANT' privileges 'ON' 'TYPE' target_types 'TO' role_spec_list
-	| 'GRANT' privileges 'ON' 'SCHEMA' schema_name_list 'TO' role_spec_list
-	| 'GRANT' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'TO' role_spec_list
+	| 'GRANT' privileges 'ON' 'TYPE' target_types 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privileges 'ON' 'SCHEMA' schema_name_list 'TO' role_spec_list opt_with_grant_option
+	| 'GRANT' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'TO' role_spec_list opt_with_grant_option
 
 prepare_stmt ::=
 	'PREPARE' table_alias_name prep_type_clause 'AS' preparable_stmt
 
 revoke_stmt ::=
 	'REVOKE' privileges 'ON' targets 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' targets 'FROM' role_spec_list
 	| 'REVOKE' privilege_list 'FROM' role_spec_list
 	| 'REVOKE' 'ADMIN' 'OPTION' 'FOR' privilege_list 'FROM' role_spec_list
 	| 'REVOKE' privileges 'ON' 'TYPE' target_types 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' 'TYPE' target_types 'FROM' role_spec_list
 	| 'REVOKE' privileges 'ON' 'SCHEMA' schema_name_list 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' 'SCHEMA' schema_name_list 'FROM' role_spec_list
 	| 'REVOKE' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'FROM' role_spec_list
+	| 'REVOKE' 'GRANT' 'OPTION' 'FOR' privileges 'ON' 'ALL' 'TABLES' 'IN' 'SCHEMA' schema_name_list 'FROM' role_spec_list
 
 savepoint_stmt ::=
 	'SAVEPOINT' name
@@ -321,6 +325,10 @@ targets ::=
 role_spec_list ::=
 	( role_spec ) ( ( ',' role_spec ) )*
 
+opt_with_grant_option ::=
+	'WITH' 'GRANT' 'OPTION'
+	| 
+
 privilege_list ::=
 	( privilege ) ( ( ',' privilege ) )*
 
@@ -2313,10 +2321,6 @@ alter_default_privileges_target_object ::=
 	| 'TYPES'
 	| 'SCHEMAS'
 
-opt_with_grant_option ::=
-	'WITH' 'GRANT' 'OPTION'
-	| 
-
 role_option ::=
 	'CREATEROLE'
 	| 'NOCREATEROLE'
diff --git a/pkg/ccl/importccl/import_table_creation.go b/pkg/ccl/importccl/import_table_creation.go
index 5bcebfeb1825..5cad5966f397 100644
--- a/pkg/ccl/importccl/import_table_creation.go
+++ b/pkg/ccl/importccl/import_table_creation.go
@@ -79,6 +79,7 @@ func MakeTestingSimpleTableDescriptor(
 			Privileges: descpb.NewPrivilegeDescriptor(
 				security.PublicRoleName(),
 				privilege.SchemaPrivileges,
+				privilege.List{},
 				security.RootUserName(),
 			),
 		}).BuildCreatedMutableSchema()
diff --git a/pkg/cli/testdata/doctor/test_recreate_zipdir b/pkg/cli/testdata/doctor/test_recreate_zipdir
index 4ee812f633e6..105cddc706ec 100644
--- a/pkg/cli/testdata/doctor/test_recreate_zipdir
+++ b/pkg/cli/testdata/doctor/test_recreate_zipdir
@@ -8,20 +8,20 @@ SELECT crdb_internal.unsafe_delete_descriptor(id, true) FROM system.descriptor W
 SELECT crdb_internal.unsafe_delete_namespace_entry("parentID", "parentSchemaID", name, id) FROM system.namespace WHERE id >= 50;
 COMMIT;
 BEGIN;
-SELECT crdb_internal.unsafe_upsert_descriptor(50, decode('12340a0964656661756c74646210321a1d0a090a0561646d696e10020a080a04726f6f7410021204726f6f7418012200280140004a00', 'hex'), true);
+SELECT crdb_internal.unsafe_upsert_descriptor(50, decode('12380a0964656661756c74646210321a210a0b0a0561646d696e100218000a0a0a04726f6f74100218001204726f6f7418012200280140004a00', 'hex'), true);
 SELECT crdb_internal.unsafe_upsert_namespace_entry(0, 0, 'defaultdb', 50, true);
-SELECT crdb_internal.unsafe_upsert_descriptor(51, decode('12330a08706f73746772657310331a1d0a090a0561646d696e10020a080a04726f6f7410021204726f6f7418012200280140004a00', 'hex'), true);
+SELECT crdb_internal.unsafe_upsert_descriptor(51, decode('12370a08706f73746772657310331a210a0b0a0561646d696e100218000a0a0a04726f6f74100218001204726f6f7418012200280140004a00', 'hex'), true);
 SELECT crdb_internal.unsafe_upsert_namespace_entry(0, 0, 'postgres', 51, true);
-SELECT crdb_internal.unsafe_upsert_descriptor(53, decode('0ae7040a0575736572731835203428013a0042280a02696410011a0d080e100018003000508617600020003000680070007800800100880100980100422a0a046369747910021a0d0807100018003007509308600020003000680070007800800100880100980100422a0a046e616d6510031a0d0807100018003007509308600020013000680070007800800100880100980100422d0a076164647265737310041a0d080710001800300750930860002001300068007000780080010088010098010042310a0b6372656469745f6361726410051a0d08071000180030075093086000200130006800700078008001008801009801004806525a0a077072696d617279100118012204636974792202696430023001400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c0010060026a1d0a090a0561646d696e10020a080a04726f6f7410021204726f6f741801800101880103980100b2013d0a077072696d61727910001a0269641a04636974791a046e616d651a07616464726573731a0b6372656469745f63617264200120022003200420052800b80101c20100e80100f2010408001200f801008002009202009a0200aa02270836100210041802180120352a11666b5f636974795f7265665f75736572733002380040004800aa02270837100210041802180120352a11666b5f636974795f7265665f75736572733002380040004800aa0227083a100110021802180120352a11666b5f636974795f7265665f75736572733002380040004800b20200b80200c0021dc80200e00200f00200', 'hex'), true);
+SELECT crdb_internal.unsafe_upsert_descriptor(53, decode('0aeb040a0575736572731835203428013a0042280a02696410011a0d080e100018003000508617600020003000680070007800800100880100980100422a0a046369747910021a0d0807100018003007509308600020003000680070007800800100880100980100422a0a046e616d6510031a0d0807100018003007509308600020013000680070007800800100880100980100422d0a076164647265737310041a0d080710001800300750930860002001300068007000780080010088010098010042310a0b6372656469745f6361726410051a0d08071000180030075093086000200130006800700078008001008801009801004806525a0a077072696d617279100118012204636974792202696430023001400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c0010060026a210a0b0a0561646d696e100218000a0a0a04726f6f74100218001204726f6f741801800101880103980100b2013d0a077072696d61727910001a0269641a04636974791a046e616d651a07616464726573731a0b6372656469745f63617264200120022003200420052800b80101c20100e80100f2010408001200f801008002009202009a0200aa02270836100210041802180120352a11666b5f636974795f7265665f75736572733002380040004800aa02270837100210041802180120352a11666b5f636974795f7265665f75736572733002380040004800aa0227083a100110021802180120352a11666b5f636974795f7265665f75736572733002380040004800b20200b80200c0021dc80200e00200f00200', 'hex'), true);
 SELECT crdb_internal.unsafe_upsert_namespace_entry(52, 29, 'users', 53, true);
-SELECT crdb_internal.unsafe_upsert_descriptor(54, decode('0a8a070a0876656869636c65731836203428013a0042280a02696410011a0d080e100018003000508617600020003000680070007800800100880100980100422a0a046369747910021a0d0807100018003007509308600020003000680070007800800100880100980100422a0a047479706510031a0d0807100018003007509308600020013000680070007800800100880100980100422e0a086f776e65725f696410041a0d080e10001800300050861760002001300068007000780080010088010098010042330a0d6372656174696f6e5f74696d6510051a0d080510001800300050da08600020013000680070007800800100880100980100422c0a0673746174757310061a0d080710001800300750930860002001300068007000780080010088010098010042360a1063757272656e745f6c6f636174696f6e10071a0d080710001800300750930860002001300068007000780080010088010098010042290a0365787410081a0d081210001800300050da1d6000200130006800700078008001008801009801004809525a0a077072696d617279100118012204636974792202696430023001400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c001005a80010a2576656869636c65735f6175746f5f696e6465785f666b5f636974795f7265665f75736572731002180022046369747922086f776e65725f6964300230043801400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c0010060036a1d0a090a0561646d696e10020a080a04726f6f7410021204726f6f741801800102880103980100b201650a077072696d61727910001a0269641a04636974791a04747970651a086f776e65725f69641a0d6372656174696f6e5f74696d651a067374617475731a1063757272656e745f6c6f636174696f6e1a03657874200120022003200420052006200720082800b80101c20100e80100f2010408001200f801008002009202009a0200a202270836100210041802180120352a11666b5f636974795f7265665f75736572733000380040004800aa02320837100310051802180120362a1c666b5f76656869636c655f636974795f7265665f76656869636c65733002380040004800b20200b80200c0021dc80200e00200f00200', 'hex'), true);
+SELECT crdb_internal.unsafe_upsert_descriptor(54, decode('0a8e070a0876656869636c65731836203428013a0042280a02696410011a0d080e100018003000508617600020003000680070007800800100880100980100422a0a046369747910021a0d0807100018003007509308600020003000680070007800800100880100980100422a0a047479706510031a0d0807100018003007509308600020013000680070007800800100880100980100422e0a086f776e65725f696410041a0d080e10001800300050861760002001300068007000780080010088010098010042330a0d6372656174696f6e5f74696d6510051a0d080510001800300050da08600020013000680070007800800100880100980100422c0a0673746174757310061a0d080710001800300750930860002001300068007000780080010088010098010042360a1063757272656e745f6c6f636174696f6e10071a0d080710001800300750930860002001300068007000780080010088010098010042290a0365787410081a0d081210001800300050da1d6000200130006800700078008001008801009801004809525a0a077072696d617279100118012204636974792202696430023001400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c001005a80010a2576656869636c65735f6175746f5f696e6465785f666b5f636974795f7265665f75736572731002180022046369747922086f776e65725f6964300230043801400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c0010060036a210a0b0a0561646d696e100218000a0a0a04726f6f74100218001204726f6f741801800102880103980100b201650a077072696d61727910001a0269641a04636974791a04747970651a086f776e65725f69641a0d6372656174696f6e5f74696d651a067374617475731a1063757272656e745f6c6f636174696f6e1a03657874200120022003200420052006200720082800b80101c20100e80100f2010408001200f801008002009202009a0200a202270836100210041802180120352a11666b5f636974795f7265665f75736572733000380040004800aa02320837100310051802180120362a1c666b5f76656869636c655f636974795f7265665f76656869636c65733002380040004800b20200b80200c0021dc80200e00200f00200', 'hex'), true);
 SELECT crdb_internal.unsafe_upsert_namespace_entry(52, 29, 'vehicles', 54, true);
-SELECT crdb_internal.unsafe_upsert_descriptor(55, decode('0a920a0a0572696465731837203428013a0042280a02696410011a0d080e100018003000508617600020003000680070007800800100880100980100422a0a046369747910021a0d080710001800300750930860002000300068007000780080010088010098010042320a0c76656869636c655f6369747910031a0d0807100018003007509308600020013000680070007800800100880100980100422e0a0872696465725f696410041a0d080e10001800300050861760002001300068007000780080010088010098010042300a0a76656869636c655f696410051a0d080e10001800300050861760002001300068007000780080010088010098010042330a0d73746172745f6164647265737310061a0d080710001800300750930860002001300068007000780080010088010098010042310a0b656e645f6164647265737310071a0d080710001800300750930860002001300068007000780080010088010098010042300a0a73746172745f74696d6510081a0d080510001800300050da08600020013000680070007800800100880100980100422e0a08656e645f74696d6510091a0d080510001800300050da08600020013000680070007800800100880100980100422d0a07726576656e7565100a1a0d08031002180a300050a40d600020013000680070007800800100880100980100480b525a0a077072696d617279100118012204636974792202696430023001400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c001005a7d0a2272696465735f6175746f5f696e6465785f666b5f636974795f7265665f757365727310021800220463697479220872696465725f6964300230043801400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c001005a94010a2d72696465735f6175746f5f696e6465785f666b5f76656869636c655f636974795f7265665f76656869636c657310031800220c76656869636c655f63697479220a76656869636c655f69643003300538023801400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c0010060046a1d0a090a0561646d696e10020a080a04726f6f7410021204726f6f741801800103880103980100a201380a1376656869636c655f63697479203d20636974791217636865636b5f76656869636c655f636974795f6369747918002802280330003800b2018a010a077072696d61727910001a0269641a04636974791a0c76656869636c655f636974791a0872696465725f69641a0a76656869636c655f69641a0d73746172745f616464726573731a0b656e645f616464726573731a0a73746172745f74696d651a08656e645f74696d651a07726576656e7565200120022003200420052006200720082009200a2800b80101c20100e80100f2010408001200f801008002009202009a0200a202270837100210041802180120352a11666b5f636974795f7265665f75736572733000380040004800a202320837100310051802180120362a1c666b5f76656869636c655f636974795f7265665f76656869636c65733000380040004800aa02270838100110021802180120372a11666b5f636974795f7265665f72696465733002380040004800b20200b80200c0021dc80200e00200f00200', 'hex'), true);
+SELECT crdb_internal.unsafe_upsert_descriptor(55, decode('0a960a0a0572696465731837203428013a0042280a02696410011a0d080e100018003000508617600020003000680070007800800100880100980100422a0a046369747910021a0d080710001800300750930860002000300068007000780080010088010098010042320a0c76656869636c655f6369747910031a0d0807100018003007509308600020013000680070007800800100880100980100422e0a0872696465725f696410041a0d080e10001800300050861760002001300068007000780080010088010098010042300a0a76656869636c655f696410051a0d080e10001800300050861760002001300068007000780080010088010098010042330a0d73746172745f6164647265737310061a0d080710001800300750930860002001300068007000780080010088010098010042310a0b656e645f6164647265737310071a0d080710001800300750930860002001300068007000780080010088010098010042300a0a73746172745f74696d6510081a0d080510001800300050da08600020013000680070007800800100880100980100422e0a08656e645f74696d6510091a0d080510001800300050da08600020013000680070007800800100880100980100422d0a07726576656e7565100a1a0d08031002180a300050a40d600020013000680070007800800100880100980100480b525a0a077072696d617279100118012204636974792202696430023001400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c001005a7d0a2272696465735f6175746f5f696e6465785f666b5f636974795f7265665f757365727310021800220463697479220872696465725f6964300230043801400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c001005a94010a2d72696465735f6175746f5f696e6465785f666b5f76656869636c655f636974795f7265665f76656869636c657310031800220c76656869636c655f63697479220a76656869636c655f69643003300538023801400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c0010060046a210a0b0a0561646d696e100218000a0a0a04726f6f74100218001204726f6f741801800103880103980100a201380a1376656869636c655f63697479203d20636974791217636865636b5f76656869636c655f636974795f6369747918002802280330003800b2018a010a077072696d61727910001a0269641a04636974791a0c76656869636c655f636974791a0872696465725f69641a0a76656869636c655f69641a0d73746172745f616464726573731a0b656e645f616464726573731a0a73746172745f74696d651a08656e645f74696d651a07726576656e7565200120022003200420052006200720082009200a2800b80101c20100e80100f2010408001200f801008002009202009a0200a202270837100210041802180120352a11666b5f636974795f7265665f75736572733000380040004800a202320837100310051802180120362a1c666b5f76656869636c655f636974795f7265665f76656869636c65733000380040004800aa02270838100110021802180120372a11666b5f636974795f7265665f72696465733002380040004800b20200b80200c0021dc80200e00200f00200', 'hex'), true);
 SELECT crdb_internal.unsafe_upsert_namespace_entry(52, 29, 'rides', 55, true);
-SELECT crdb_internal.unsafe_upsert_descriptor(56, decode('0aba040a1a76656869636c655f6c6f636174696f6e5f686973746f726965731838203428013a00422a0a046369747910011a0d0807100018003007509308600020003000680070007800800100880100980100422d0a07726964655f696410021a0d080e100018003000508617600020003000680070007800800100880100980100422f0a0974696d657374616d7010031a0d080510001800300050da0860002000300068007000780080010088010098010042290a036c617410041a0d080210401800300050bd05600020013000680070007800800100880100980100422a0a046c6f6e6710051a0d080210401800300050bd056000200130006800700078008001008801009801004806526e0a077072696d617279100118012204636974792207726964655f6964220974696d657374616d703001300230034000400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c0010060026a1d0a090a0561646d696e10020a080a04726f6f7410021204726f6f741801800102880103980100b2013c0a077072696d61727910001a04636974791a07726964655f69641a0974696d657374616d701a036c61741a046c6f6e67200120022003200420052800b80101c20100e80100f2010408001200f801008002009202009a0200a202270838100110021802180120372a11666b5f636974795f7265665f72696465733000380040004800b20200b80200c0021dc80200e00200f00200', 'hex'), true);
+SELECT crdb_internal.unsafe_upsert_descriptor(56, decode('0abe040a1a76656869636c655f6c6f636174696f6e5f686973746f726965731838203428013a00422a0a046369747910011a0d0807100018003007509308600020003000680070007800800100880100980100422d0a07726964655f696410021a0d080e100018003000508617600020003000680070007800800100880100980100422f0a0974696d657374616d7010031a0d080510001800300050da0860002000300068007000780080010088010098010042290a036c617410041a0d080210401800300050bd05600020013000680070007800800100880100980100422a0a046c6f6e6710051a0d080210401800300050bd056000200130006800700078008001008801009801004806526e0a077072696d617279100118012204636974792207726964655f6964220974696d657374616d703001300230034000400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c0010060026a210a0b0a0561646d696e100218000a0a0a04726f6f74100218001204726f6f741801800102880103980100b2013c0a077072696d61727910001a04636974791a07726964655f69641a0974696d657374616d701a036c61741a046c6f6e67200120022003200420052800b80101c20100e80100f2010408001200f801008002009202009a0200a202270838100110021802180120372a11666b5f636974795f7265665f72696465733000380040004800b20200b80200c0021dc80200e00200f00200', 'hex'), true);
 SELECT crdb_internal.unsafe_upsert_namespace_entry(52, 29, 'vehicle_location_histories', 56, true);
-SELECT crdb_internal.unsafe_upsert_descriptor(57, decode('0a8f040a0b70726f6d6f5f636f6465731839203428013a00422a0a04636f646510011a0d080710001800300750930860002000300068007000780080010088010098010042310a0b6465736372697074696f6e10021a0d080710001800300750930860002001300068007000780080010088010098010042330a0d6372656174696f6e5f74696d6510031a0d080510001800300050da0860002001300068007000780080010088010098010042350a0f65787069726174696f6e5f74696d6510041a0d080510001800300050da08600020013000680070007800800100880100980100422b0a0572756c657310051a0d081210001800300050da1d600020013000680070007800800100880100980100480652520a077072696d617279100118012204636f6465300140004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c0010060026a1d0a090a0561646d696e10020a080a04726f6f7410021204726f6f741801800101880103980100b201510a077072696d61727910001a04636f64651a0b6465736372697074696f6e1a0d6372656174696f6e5f74696d651a0f65787069726174696f6e5f74696d651a0572756c6573200120022003200420052800b80101c20100e80100f2010408001200f801008002009202009a0200b20200b80200c0021dc80200e00200f00200', 'hex'), true);
+SELECT crdb_internal.unsafe_upsert_descriptor(57, decode('0a93040a0b70726f6d6f5f636f6465731839203428013a00422a0a04636f646510011a0d080710001800300750930860002000300068007000780080010088010098010042310a0b6465736372697074696f6e10021a0d080710001800300750930860002001300068007000780080010088010098010042330a0d6372656174696f6e5f74696d6510031a0d080510001800300050da0860002001300068007000780080010088010098010042350a0f65787069726174696f6e5f74696d6510041a0d080510001800300050da08600020013000680070007800800100880100980100422b0a0572756c657310051a0d081210001800300050da1d600020013000680070007800800100880100980100480652520a077072696d617279100118012204636f6465300140004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c0010060026a210a0b0a0561646d696e100218000a0a0a04726f6f74100218001204726f6f741801800101880103980100b201510a077072696d61727910001a04636f64651a0b6465736372697074696f6e1a0d6372656174696f6e5f74696d651a0f65787069726174696f6e5f74696d651a0572756c6573200120022003200420052800b80101c20100e80100f2010408001200f801008002009202009a0200b20200b80200c0021dc80200e00200f00200', 'hex'), true);
 SELECT crdb_internal.unsafe_upsert_namespace_entry(52, 29, 'promo_codes', 57, true);
-SELECT crdb_internal.unsafe_upsert_descriptor(58, decode('0aba040a10757365725f70726f6d6f5f636f646573183a203428013a00422a0a046369747910011a0d0807100018003007509308600020003000680070007800800100880100980100422d0a07757365725f696410021a0d080e100018003000508617600020003000680070007800800100880100980100422a0a04636f646510031a0d0807100018003007509308600020003000680070007800800100880100980100422f0a0974696d657374616d7010041a0d080510001800300050da0860002001300068007000780080010088010098010042300a0b75736167655f636f756e7410051a0c08011040180030005014600020013000680070007800800100880100980100480652690a077072696d617279100118012204636974792207757365725f69642204636f64653001300230034000400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c0010060026a1d0a090a0561646d696e10020a080a04726f6f7410021204726f6f741801800102880103980100b201440a077072696d61727910001a04636974791a07757365725f69641a04636f64651a0974696d657374616d701a0b75736167655f636f756e74200120022003200420052800b80101c20100e80100f2010408001200f801008002009202009a0200a20227083a100110021802180120352a11666b5f636974795f7265665f75736572733000380040004800b20200b80200c0021dc80200e00200f00200', 'hex'), true);
+SELECT crdb_internal.unsafe_upsert_descriptor(58, decode('0abe040a10757365725f70726f6d6f5f636f646573183a203428013a00422a0a046369747910011a0d0807100018003007509308600020003000680070007800800100880100980100422d0a07757365725f696410021a0d080e100018003000508617600020003000680070007800800100880100980100422a0a04636f646510031a0d0807100018003007509308600020003000680070007800800100880100980100422f0a0974696d657374616d7010041a0d080510001800300050da0860002001300068007000780080010088010098010042300a0b75736167655f636f756e7410051a0c08011040180030005014600020013000680070007800800100880100980100480652690a077072696d617279100118012204636974792207757365725f69642204636f64653001300230034000400040004a10080010001a00200028003000380040005a007a0408002000800100880100900101980100a20106080012001800a80100b20100ba0100c0010060026a210a0b0a0561646d696e100218000a0a0a04726f6f74100218001204726f6f741801800102880103980100b201440a077072696d61727910001a04636974791a07757365725f69641a04636f64651a0974696d657374616d701a0b75736167655f636f756e74200120022003200420052800b80101c20100e80100f2010408001200f801008002009202009a0200a20227083a100110021802180120352a11666b5f636974795f7265665f75736572733000380040004800b20200b80200c0021dc80200e00200f00200', 'hex'), true);
 SELECT crdb_internal.unsafe_upsert_namespace_entry(52, 29, 'user_promo_codes', 58, true);
 COMMIT;
diff --git a/pkg/clusterversion/cockroach_versions.go b/pkg/clusterversion/cockroach_versions.go
index e3eedde9ae03..fc84ca0d45fa 100644
--- a/pkg/clusterversion/cockroach_versions.go
+++ b/pkg/clusterversion/cockroach_versions.go
@@ -286,6 +286,10 @@ const (
 	// table system.table_statistics that contains a new statistic.
 	AlterSystemTableStatisticsAddAvgSizeCol
 
+	// ValidateGrantOption checks whether the current user granting privileges to
+	// another user holds the grant option for those privileges
+	ValidateGrantOption
+
 	// *************************************************
 	// Step (1): Add new versions here.
 	// Do not add new versions to a patch release.
@@ -490,6 +494,10 @@ var versionsSingleton = keyedVersions{
 		Key:     AlterSystemTableStatisticsAddAvgSizeCol,
 		Version: roachpb.Version{Major: 21, Minor: 2, Internal: 12},
 	},
+	{
+		Key:     ValidateGrantOption,
+		Version: roachpb.Version{Major: 21, Minor: 2, Internal: 14},
+	},
 
 	// *************************************************
 	// Step (2): Add new versions here.
diff --git a/pkg/clusterversion/key_string.go b/pkg/clusterversion/key_string.go
index 9714b56f136d..ab083d3b3b0b 100644
--- a/pkg/clusterversion/key_string.go
+++ b/pkg/clusterversion/key_string.go
@@ -49,11 +49,12 @@ func _() {
 	_ = x[DrainingNamesMigration-38]
 	_ = x[TraceIDDoesntImplyStructuredRecording-39]
 	_ = x[AlterSystemTableStatisticsAddAvgSizeCol-40]
+	_ = x[ValidateGrantOption-41]
 }
 
-const _Key_name = "V21_1Start21_1PLUSStart21_2JoinTokensTableAcquisitionTypeInLeaseHistorySerializeViewUDTsExpressionIndexesDeleteDeprecatedNamespaceTableDescriptorMigrationFixDescriptorsDatabaseRoleSettingsTenantUsageTableSQLInstancesTableNewRetryableRangefeedErrorsAlterSystemWebSessionsCreateIndexesSeparatedIntentsMigrationPostSeparatedIntentsMigrationRetryJobsWithExponentialBackoffRecordsBasedRegistryAutoSpanConfigReconciliationJobDefaultPrivilegesZonesTableForSecondaryTenantsUseKeyEncodeForHashShardedIndexesDatabasePlacementPolicyGeneratedAsIdentityOnUpdateExpressionsSpanConfigurationsTableBoundedStalenessDateAndIntervalStylePebbleFormatVersionedMarkerDataKeysRegistryPebbleSetWithDeleteTenantUsageSingleConsumptionColumnSQLStatsTablesSQLStatsCompactionScheduledJobV21_2Start22_1TargetBytesAvoidExcessAvoidDrainingNamesDrainingNamesMigrationTraceIDDoesntImplyStructuredRecordingAlterSystemTableStatisticsAddAvgSizeCol"
+const _Key_name = "V21_1Start21_1PLUSStart21_2JoinTokensTableAcquisitionTypeInLeaseHistorySerializeViewUDTsExpressionIndexesDeleteDeprecatedNamespaceTableDescriptorMigrationFixDescriptorsDatabaseRoleSettingsTenantUsageTableSQLInstancesTableNewRetryableRangefeedErrorsAlterSystemWebSessionsCreateIndexesSeparatedIntentsMigrationPostSeparatedIntentsMigrationRetryJobsWithExponentialBackoffRecordsBasedRegistryAutoSpanConfigReconciliationJobDefaultPrivilegesZonesTableForSecondaryTenantsUseKeyEncodeForHashShardedIndexesDatabasePlacementPolicyGeneratedAsIdentityOnUpdateExpressionsSpanConfigurationsTableBoundedStalenessDateAndIntervalStylePebbleFormatVersionedMarkerDataKeysRegistryPebbleSetWithDeleteTenantUsageSingleConsumptionColumnSQLStatsTablesSQLStatsCompactionScheduledJobV21_2Start22_1TargetBytesAvoidExcessAvoidDrainingNamesDrainingNamesMigrationTraceIDDoesntImplyStructuredRecordingAlterSystemTableStatisticsAddAvgSizeColValidateGrantOption"
 
-var _Key_index = [...]uint16{0, 5, 18, 27, 42, 71, 88, 105, 154, 168, 188, 204, 221, 248, 283, 308, 337, 368, 388, 419, 436, 465, 498, 521, 540, 559, 582, 598, 618, 639, 661, 680, 714, 728, 758, 763, 772, 794, 812, 834, 871, 910}
+var _Key_index = [...]uint16{0, 5, 18, 27, 42, 71, 88, 105, 154, 168, 188, 204, 221, 248, 283, 308, 337, 368, 388, 419, 436, 465, 498, 521, 540, 559, 582, 598, 618, 639, 661, 680, 714, 728, 758, 763, 772, 794, 812, 834, 871, 910, 929}
 
 func (i Key) String() string {
 	if i < 0 || i >= Key(len(_Key_index)-1) {
diff --git a/pkg/sql/alter_default_privileges.go b/pkg/sql/alter_default_privileges.go
index b6b739855cce..875534dc3f6c 100644
--- a/pkg/sql/alter_default_privileges.go
+++ b/pkg/sql/alter_default_privileges.go
@@ -93,10 +93,12 @@ func (n *alterDefaultPrivilegesNode) startExec(params runParams) error {
 	privileges := n.n.Grant.Privileges
 	grantees := n.n.Grant.Grantees
 	objectType := n.n.Grant.Target
+	grantOption := n.n.Grant.WithGrantOption
 	if !n.n.IsGrant {
 		privileges = n.n.Revoke.Privileges
 		grantees = n.n.Revoke.Grantees
 		objectType = n.n.Revoke.Target
+		grantOption = n.n.Revoke.GrantOptionFor
 	}
 
 	granteeSQLUsernames, err := grantees.ToSQLUsernames(params.p.SessionData(), security.UsernameValidation)
@@ -165,11 +167,11 @@ func (n *alterDefaultPrivilegesNode) startExec(params runParams) error {
 	for _, role := range roles {
 		if n.n.IsGrant {
 			defaultPrivs.GrantDefaultPrivileges(
-				role, privileges, granteeSQLUsernames, objectType,
+				role, privileges, granteeSQLUsernames, objectType, grantOption,
 			)
 		} else {
 			defaultPrivs.RevokeDefaultPrivileges(
-				role, privileges, granteeSQLUsernames, objectType,
+				role, privileges, granteeSQLUsernames, objectType, grantOption,
 			)
 		}
 
diff --git a/pkg/sql/catalog/catprivilege/default_privilege.go b/pkg/sql/catalog/catprivilege/default_privilege.go
index a52c022764ed..0fd823592674 100644
--- a/pkg/sql/catalog/catprivilege/default_privilege.go
+++ b/pkg/sql/catalog/catprivilege/default_privilege.go
@@ -71,6 +71,7 @@ func (d *Mutable) GrantDefaultPrivileges(
 	privileges privilege.List,
 	grantees []security.SQLUsername,
 	targetObject tree.AlterDefaultPrivilegesTargetObject,
+	withGrantOption bool,
 ) {
 	defaultPrivilegesForRole := d.defaultPrivilegeDescriptor.FindOrCreateUser(role)
 	for _, grantee := range grantees {
@@ -79,7 +80,7 @@ func (d *Mutable) GrantDefaultPrivileges(
 		// special privilege cases into real privileges on the PrivilegeDescriptor.
 		// foldPrivileges converts the real privileges back into flags.
 		expandPrivileges(defaultPrivilegesForRole, role, &defaultPrivileges, targetObject)
-		defaultPrivileges.Grant(grantee, privileges)
+		defaultPrivileges.Grant(grantee, privileges, withGrantOption)
 		foldPrivileges(defaultPrivilegesForRole, role, &defaultPrivileges, targetObject)
 		defaultPrivilegesForRole.DefaultPrivilegesPerObject[targetObject] = defaultPrivileges
 	}
@@ -91,6 +92,7 @@ func (d *Mutable) RevokeDefaultPrivileges(
 	privileges privilege.List,
 	grantees []security.SQLUsername,
 	targetObject tree.AlterDefaultPrivilegesTargetObject,
+	grantOptionFor bool,
 ) {
 	defaultPrivilegesForRole := d.defaultPrivilegeDescriptor.FindOrCreateUser(role)
 	for _, grantee := range grantees {
@@ -99,7 +101,7 @@ func (d *Mutable) RevokeDefaultPrivileges(
 		// special privilege cases into real privileges on the PrivilegeDescriptor.
 		// foldPrivileges converts the real privileges back into flags.
 		expandPrivileges(defaultPrivilegesForRole, role, &defaultPrivileges, targetObject)
-		defaultPrivileges.Revoke(grantee, privileges, targetObject.ToPrivilegeObjectType())
+		defaultPrivileges.Revoke(grantee, privileges, targetObject.ToPrivilegeObjectType(), grantOptionFor)
 		foldPrivileges(defaultPrivilegesForRole, role, &defaultPrivileges, targetObject)
 
 		defaultPrivilegesForRole.DefaultPrivilegesPerObject[targetObject] = defaultPrivileges
@@ -151,18 +153,22 @@ func (d *immutable) CreatePrivilegesFromDefaultPrivileges(
 		// it as the case where the user has all privileges.
 		defaultPrivilegesForCreatorRole := descpb.InitDefaultPrivilegesForRole(role)
 		for _, user := range GetUserPrivilegesForObject(defaultPrivilegesForCreatorRole, targetObject) {
-			newPrivs.Grant(
+			granularGrant(
+				newPrivs,
 				user.UserProto.Decode(),
 				privilege.ListFromBitField(user.Privileges, targetObject.ToPrivilegeObjectType()),
+				privilege.ListFromBitField(user.WithGrantOption, targetObject.ToPrivilegeObjectType()),
 			)
 		}
 	} else {
 		// If default privileges were defined for the role, we create privileges
 		// using the default privileges.
 		for _, user := range GetUserPrivilegesForObject(*defaultPrivilegesForRole, targetObject) {
-			newPrivs.Grant(
+			granularGrant(
+				newPrivs,
 				user.UserProto.Decode(),
 				privilege.ListFromBitField(user.Privileges, targetObject.ToPrivilegeObjectType()),
+				privilege.ListFromBitField(user.WithGrantOption, targetObject.ToPrivilegeObjectType()),
 			)
 		}
 	}
@@ -173,9 +179,11 @@ func (d *immutable) CreatePrivilegesFromDefaultPrivileges(
 	defaultPrivilegesForAllRoles, found := d.GetDefaultPrivilegesForRole(descpb.DefaultPrivilegesRole{ForAllRoles: true})
 	if found {
 		for _, user := range GetUserPrivilegesForObject(*defaultPrivilegesForAllRoles, targetObject) {
-			newPrivs.Grant(
+			granularGrant(
+				newPrivs,
 				user.UserProto.Decode(),
 				privilege.ListFromBitField(user.Privileges, targetObject.ToPrivilegeObjectType()),
+				privilege.ListFromBitField(user.WithGrantOption, targetObject.ToPrivilegeObjectType()),
 			)
 		}
 	}
@@ -187,11 +195,21 @@ func (d *immutable) CreatePrivilegesFromDefaultPrivileges(
 	//   Issue #67378.
 	if targetObject == tree.Tables || targetObject == tree.Sequences {
 		for _, u := range databasePrivileges.Users {
-			newPrivs.Grant(u.UserProto.Decode(), privilege.ListFromBitField(u.Privileges, privilege.Table))
+			granularGrant(
+				newPrivs,
+				u.UserProto.Decode(),
+				privilege.ListFromBitField(u.Privileges, privilege.Table),
+				privilege.ListFromBitField(u.WithGrantOption, privilege.Table),
+			)
 		}
 	} else if targetObject == tree.Schemas {
 		for _, u := range databasePrivileges.Users {
-			newPrivs.Grant(u.UserProto.Decode(), privilege.ListFromBitField(u.Privileges, privilege.Schema))
+			granularGrant(
+				newPrivs,
+				u.UserProto.Decode(),
+				privilege.ListFromBitField(u.Privileges, privilege.Schema),
+				privilege.ListFromBitField(u.WithGrantOption, privilege.Schema),
+			)
 		}
 	}
 	return newPrivs
@@ -249,6 +267,7 @@ func foldPrivileges(
 			security.PublicRoleName(),
 			privilege.List{privilege.USAGE},
 			privilege.Type,
+			false,
 		)
 	}
 	// ForAllRoles cannot be a grantee, nothing left to do.
@@ -256,8 +275,11 @@ func foldPrivileges(
 		return
 	}
 	if privileges.HasAllPrivileges(role.Role, targetObject.ToPrivilegeObjectType()) {
-		setRoleHasAllOnTargetObject(defaultPrivilegesForRole, true, targetObject)
-		privileges.RemoveUser(role.Role)
+		user := privileges.FindOrCreateUser(role.Role)
+		if user.WithGrantOption == 0 {
+			setRoleHasAllOnTargetObject(defaultPrivilegesForRole, true, targetObject)
+			privileges.RemoveUser(role.Role)
+		}
 	}
 }
 
@@ -273,7 +295,7 @@ func expandPrivileges(
 	targetObject tree.AlterDefaultPrivilegesTargetObject,
 ) {
 	if targetObject == tree.Types && GetPublicHasUsageOnTypes(defaultPrivilegesForRole) {
-		privileges.Grant(security.PublicRoleName(), privilege.List{privilege.USAGE})
+		privileges.Grant(security.PublicRoleName(), privilege.List{privilege.USAGE}, false)
 		setPublicHasUsageOnTypes(defaultPrivilegesForRole, false)
 	}
 	// ForAllRoles cannot be a grantee, nothing left to do.
@@ -281,7 +303,7 @@ func expandPrivileges(
 		return
 	}
 	if GetRoleHasAllPrivilegesOnTargetObject(defaultPrivilegesForRole, targetObject) {
-		privileges.Grant(defaultPrivilegesForRole.GetExplicitRole().UserProto.Decode(), privilege.List{privilege.ALL})
+		privileges.Grant(defaultPrivilegesForRole.GetExplicitRole().UserProto.Decode(), privilege.List{privilege.ALL}, false)
 		setRoleHasAllOnTargetObject(defaultPrivilegesForRole, false, targetObject)
 	}
 }
@@ -297,8 +319,9 @@ func GetUserPrivilegesForObject(
 	}
 	if GetPublicHasUsageOnTypes(&p) && targetObject == tree.Types {
 		userPrivileges = append(userPrivileges, descpb.UserPrivileges{
-			UserProto:  security.PublicRoleName().EncodeProto(),
-			Privileges: privilege.USAGE.Mask(),
+			UserProto:       security.PublicRoleName().EncodeProto(),
+			Privileges:      privilege.USAGE.Mask(),
+			WithGrantOption: privilege.USAGE.Mask(),
 		})
 	}
 	// If ForAllRoles is specified, we can return early.
@@ -310,8 +333,9 @@ func GetUserPrivilegesForObject(
 	userProto := p.GetExplicitRole().UserProto
 	if GetRoleHasAllPrivilegesOnTargetObject(&p, targetObject) {
 		return append(userPrivileges, descpb.UserPrivileges{
-			UserProto:  userProto,
-			Privileges: privilege.ALL.Mask(),
+			UserProto:       userProto,
+			Privileges:      privilege.ALL.Mask(),
+			WithGrantOption: privilege.ALL.Mask(),
 		})
 	}
 	return userPrivileges
@@ -360,6 +384,42 @@ func setPublicHasUsageOnTypes(
 	}
 }
 
+// granularGrant adds new privileges to this descriptor and new grant options which
+// could be different from the privileges. Unlike the normal grant, the privileges
+// and the grant options being granted could be different
+func granularGrant(
+	p *descpb.PrivilegeDescriptor,
+	user security.SQLUsername,
+	privList privilege.List,
+	grantOptionList privilege.List,
+) {
+	userPriv := p.FindOrCreateUser(user)
+	if privilege.ALL.IsSetIn(userPriv.WithGrantOption) {
+		// User already has 'ALL' privilege: no-op.
+		// If userPriv.WithGrantOption has ALL, then userPriv.Privileges must also have ALL.
+		// It is possible however for userPriv.Privileges to have ALL but userPriv.WithGrantOption to not have ALL
+		return
+	}
+
+	privBits := privList.ToBitField()
+	grantBits := grantOptionList.ToBitField()
+	if privilege.ALL.IsSetIn(privBits) {
+		userPriv.Privileges = privilege.ALL.Mask()
+	} else {
+		if !privilege.ALL.IsSetIn(userPriv.Privileges) {
+			userPriv.Privileges |= privBits
+		}
+	}
+
+	if privilege.ALL.IsSetIn(grantBits) {
+		userPriv.WithGrantOption = privilege.ALL.Mask()
+	} else {
+		if !privilege.ALL.IsSetIn(userPriv.WithGrantOption) {
+			userPriv.WithGrantOption |= grantBits
+		}
+	}
+}
+
 func setRoleHasAllOnTargetObject(
 	defaultPrivilegesForRole *descpb.DefaultPrivilegesForRole,
 	roleHasAll bool,
diff --git a/pkg/sql/catalog/catprivilege/default_privilege_test.go b/pkg/sql/catalog/catprivilege/default_privilege_test.go
index 9a98ba7dcd25..d810b3726e6f 100644
--- a/pkg/sql/catalog/catprivilege/default_privilege_test.go
+++ b/pkg/sql/catalog/catprivilege/default_privilege_test.go
@@ -164,7 +164,7 @@ func TestGrantDefaultPrivileges(t *testing.T) {
 		defaultPrivilegeDescriptor := MakeNewDefaultPrivilegeDescriptor()
 		defaultPrivileges := NewMutableDefaultPrivileges(defaultPrivilegeDescriptor)
 
-		defaultPrivileges.GrantDefaultPrivileges(tc.defaultPrivilegesRole, tc.privileges, tc.grantees, tc.targetObject)
+		defaultPrivileges.GrantDefaultPrivileges(tc.defaultPrivilegesRole, tc.privileges, tc.grantees, tc.targetObject, false)
 
 		newPrivileges := defaultPrivileges.CreatePrivilegesFromDefaultPrivileges(
 			nonSystemDatabaseID, tc.objectCreator, tc.targetObject, &descpb.PrivilegeDescriptor{},
@@ -282,8 +282,8 @@ func TestRevokeDefaultPrivileges(t *testing.T) {
 		defaultPrivilegeDescriptor := MakeNewDefaultPrivilegeDescriptor()
 		defaultPrivileges := NewMutableDefaultPrivileges(defaultPrivilegeDescriptor)
 
-		defaultPrivileges.GrantDefaultPrivileges(tc.defaultPrivilegesRole, tc.grantPrivileges, tc.grantees, tc.targetObject)
-		defaultPrivileges.RevokeDefaultPrivileges(tc.defaultPrivilegesRole, tc.revokePrivileges, tc.grantees, tc.targetObject)
+		defaultPrivileges.GrantDefaultPrivileges(tc.defaultPrivilegesRole, tc.grantPrivileges, tc.grantees, tc.targetObject, false)
+		defaultPrivileges.RevokeDefaultPrivileges(tc.defaultPrivilegesRole, tc.revokePrivileges, tc.grantees, tc.targetObject, false)
 
 		newPrivileges := defaultPrivileges.CreatePrivilegesFromDefaultPrivileges(
 			nonSystemDatabaseID, tc.objectCreator, tc.targetObject, &descpb.PrivilegeDescriptor{},
@@ -308,7 +308,7 @@ func TestRevokeDefaultPrivilegesFromEmptyList(t *testing.T) {
 	fooUser := security.MakeSQLUsernameFromPreNormalizedString("foo")
 	defaultPrivileges.RevokeDefaultPrivileges(descpb.DefaultPrivilegesRole{
 		Role: creatorUser,
-	}, privilege.List{privilege.ALL}, []security.SQLUsername{fooUser}, tree.Tables)
+	}, privilege.List{privilege.ALL}, []security.SQLUsername{fooUser}, tree.Tables, false)
 
 	newPrivileges := defaultPrivileges.CreatePrivilegesFromDefaultPrivileges(
 		nonSystemDatabaseID, creatorUser, tree.Tables, &descpb.PrivilegeDescriptor{},
@@ -534,7 +534,7 @@ func TestDefaultPrivileges(t *testing.T) {
 				descpb.DefaultPrivilegesRole{Role: tc.defaultPrivilegesRole},
 				userAndGrant.grants,
 				[]security.SQLUsername{userAndGrant.user},
-				tc.targetObject,
+				tc.targetObject, false,
 			)
 		}
 
@@ -595,7 +595,7 @@ func TestModifyDefaultDefaultPrivileges(t *testing.T) {
 			descpb.DefaultPrivilegesRole{Role: creatorUser},
 			tc.revokeAndGrantPrivileges,
 			[]security.SQLUsername{creatorUser},
-			tc.targetObject,
+			tc.targetObject, false,
 		)
 		if GetRoleHasAllPrivilegesOnTargetObject(defaultPrivilegesForCreator, tc.targetObject) {
 			t.Errorf("expected role to not have ALL privileges on %s", tc.targetObject)
@@ -604,7 +604,7 @@ func TestModifyDefaultDefaultPrivileges(t *testing.T) {
 			descpb.DefaultPrivilegesRole{Role: creatorUser},
 			tc.revokeAndGrantPrivileges,
 			[]security.SQLUsername{creatorUser},
-			tc.targetObject,
+			tc.targetObject, false,
 		)
 		if !GetRoleHasAllPrivilegesOnTargetObject(defaultPrivilegesForCreator, tc.targetObject) {
 			t.Errorf("expected role to have ALL privileges on %s", tc.targetObject)
@@ -628,7 +628,7 @@ func TestModifyDefaultDefaultPrivilegesForPublic(t *testing.T) {
 		descpb.DefaultPrivilegesRole{Role: creatorUser},
 		privilege.List{privilege.USAGE},
 		[]security.SQLUsername{security.PublicRoleName()},
-		tree.Types,
+		tree.Types, false,
 	)
 	if GetPublicHasUsageOnTypes(defaultPrivilegesForCreator) {
 		t.Errorf("expected public to not have USAGE privilege on types")
@@ -637,9 +637,70 @@ func TestModifyDefaultDefaultPrivilegesForPublic(t *testing.T) {
 		descpb.DefaultPrivilegesRole{Role: creatorUser},
 		privilege.List{privilege.USAGE},
 		[]security.SQLUsername{security.PublicRoleName()},
-		tree.Types,
+		tree.Types, false,
 	)
 	if !GetPublicHasUsageOnTypes(defaultPrivilegesForCreator) {
 		t.Errorf("expected public to have USAGE privilege on types")
 	}
 }
+
+// TestGranularGrant tests whether granting potentially different privileges and grant options
+// changes the privilege bits and grant option bits as expected.
+func TestGranularGrant(t *testing.T) {
+	defer leaktest.AfterTest(t)()
+
+	testUser := security.TestUserName()
+
+	testCases := []struct {
+		pd                  *descpb.PrivilegeDescriptor
+		user                security.SQLUsername
+		objectType          privilege.ObjectType
+		grantPrivileges     privilege.List
+		grantGrantOptions   privilege.List
+		expectedPrivileges  privilege.List
+		expectedGrantOption privilege.List
+	}{
+		{descpb.NewPrivilegeDescriptor(testUser, privilege.List{}, privilege.List{}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.SELECT, privilege.INSERT}},
+		{descpb.NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.INSERT}, privilege.List{privilege.INSERT}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.CREATE, privilege.SELECT},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.CREATE, privilege.SELECT, privilege.INSERT}},
+		{descpb.NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.INSERT}, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL}},
+		{descpb.NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.CREATE, privilege.SELECT, privilege.INSERT, privilege.UPDATE},
+			privilege.List{privilege.SELECT},
+			privilege.List{privilege.CREATE, privilege.SELECT, privilege.INSERT, privilege.UPDATE},
+			privilege.List{privilege.CREATE, privilege.SELECT}},
+		{descpb.NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.ALL, privilege.CREATE, privilege.SELECT, privilege.INSERT, privilege.UPDATE},
+			privilege.List{privilege.ALL, privilege.SELECT},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL}},
+	}
+
+	for tcNum, tc := range testCases {
+		granularGrant(tc.pd, tc.user, tc.grantPrivileges, tc.grantGrantOptions)
+		if tc.pd.Users[0].Privileges != tc.expectedPrivileges.ToBitField() {
+			t.Errorf("#%d: Incorrect privileges, returned %v, expected %v",
+				tcNum, privilege.ListFromBitField(tc.pd.Users[0].Privileges, tc.objectType), tc.expectedPrivileges)
+		}
+		if tc.pd.Users[0].WithGrantOption != tc.expectedGrantOption.ToBitField() {
+			t.Errorf("#%d: Incorrect grant option, returned %v, expected %v",
+				tcNum, privilege.ListFromBitField(tc.pd.Users[0].WithGrantOption, tc.objectType), tc.expectedGrantOption)
+		}
+	}
+}
diff --git a/pkg/sql/catalog/catprivilege/fix_test.go b/pkg/sql/catalog/catprivilege/fix_test.go
index f55d7f3e993a..81fc56fc4402 100644
--- a/pkg/sql/catalog/catprivilege/fix_test.go
+++ b/pkg/sql/catalog/catprivilege/fix_test.go
@@ -141,7 +141,7 @@ func TestFixPrivileges(t *testing.T) {
 	for num, testCase := range testCases {
 		desc := &descpb.PrivilegeDescriptor{}
 		for u, p := range testCase.input {
-			desc.Grant(u, p)
+			desc.Grant(u, p, false)
 		}
 
 		MaybeFixPrivileges(
@@ -375,7 +375,7 @@ func TestMaybeFixUsageAndZoneConfigPrivilege(t *testing.T) {
 	for num, tc := range testCases {
 		desc := &descpb.PrivilegeDescriptor{Version: tc.privDescVersion}
 		for u, p := range tc.input {
-			desc.Grant(u, p)
+			desc.Grant(u, p, false)
 		}
 		modified := MaybeFixUsagePrivForTablesAndDBs(&desc)
 
@@ -482,7 +482,7 @@ func TestMaybeFixSchemaPrivileges(t *testing.T) {
 	for num, tc := range testCases {
 		desc := &descpb.PrivilegeDescriptor{}
 		for u, p := range tc.input {
-			desc.Grant(u, p)
+			desc.Grant(u, p, false)
 		}
 		testParentID := descpb.ID(keys.MaxReservedDescID + 1)
 		MaybeFixPrivileges(&desc,
diff --git a/pkg/sql/catalog/descpb/privilege.go b/pkg/sql/catalog/descpb/privilege.go
index 7fff2690bce9..b9937a72f0e3 100644
--- a/pkg/sql/catalog/descpb/privilege.go
+++ b/pkg/sql/catalog/descpb/privilege.go
@@ -18,6 +18,8 @@ import (
 	"github.com/cockroachdb/cockroach/pkg/keys"
 	"github.com/cockroachdb/cockroach/pkg/security"
 	"github.com/cockroachdb/cockroach/pkg/sql/catalog/catconstants"
+	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgcode"
+	"github.com/cockroachdb/cockroach/pkg/sql/pgwire/pgerror"
 	"github.com/cockroachdb/cockroach/pkg/sql/privilege"
 	"github.com/cockroachdb/errors"
 )
@@ -113,10 +115,12 @@ func NewCustomSuperuserPrivilegeDescriptor(
 			{
 				UserProto:  security.AdminRoleName().EncodeProto(),
 				Privileges: priv.ToBitField(),
+				//WithGrantOption: priv.ToBitField(),
 			},
 			{
 				UserProto:  security.RootUserName().EncodeProto(),
 				Privileges: priv.ToBitField(),
+				//WithGrantOption: priv.ToBitField(),
 			},
 		},
 		Version: Version21_2,
@@ -128,21 +132,25 @@ func NewCustomSuperuserPrivilegeDescriptor(
 // used for virtual tables.
 func NewPublicSelectPrivilegeDescriptor() *PrivilegeDescriptor {
 	return NewPrivilegeDescriptor(
-		security.PublicRoleName(), privilege.List{privilege.SELECT}, security.NodeUserName(),
+		security.PublicRoleName(), privilege.List{privilege.SELECT}, privilege.List{}, security.NodeUserName(),
 	)
 }
 
 // NewPrivilegeDescriptor returns a privilege descriptor for the given
 // user with the specified list of privileges.
 func NewPrivilegeDescriptor(
-	user security.SQLUsername, priv privilege.List, owner security.SQLUsername,
+	user security.SQLUsername,
+	priv privilege.List,
+	grantOption privilege.List,
+	owner security.SQLUsername,
 ) *PrivilegeDescriptor {
 	return &PrivilegeDescriptor{
 		OwnerProto: owner.EncodeProto(),
 		Users: []UserPrivileges{
 			{
-				UserProto:  user.EncodeProto(),
-				Privileges: priv.ToBitField(),
+				UserProto:       user.EncodeProto(),
+				Privileges:      priv.ToBitField(),
+				WithGrantOption: grantOption.ToBitField(),
 			},
 		},
 		Version: Version21_2,
@@ -164,32 +172,85 @@ func NewBasePrivilegeDescriptor(owner security.SQLUsername) *PrivilegeDescriptor
 // Here we also add the CONNECT privilege for the database.
 func NewBaseDatabasePrivilegeDescriptor(owner security.SQLUsername) *PrivilegeDescriptor {
 	p := NewBasePrivilegeDescriptor(owner)
-	p.Grant(security.PublicRoleName(), privilege.List{privilege.CONNECT})
+	p.Grant(security.PublicRoleName(), privilege.List{privilege.CONNECT}, true)
 	return p
 }
 
+// ValidateGrantPrivileges returns an error if the current user tries to grant a privilege that
+// it does not possess grant options for
+func (p *PrivilegeDescriptor) ValidateGrantPrivileges(
+	user security.SQLUsername, privList privilege.List,
+) error {
+	// Always allow the command to go through if performed by a superuser.
+	if user == security.RootUserName() || user == security.AdminRoleName() {
+		return nil
+	}
+	userPriv, exists := p.FindUser(user)
+	if !exists {
+		return nil
+	}
+
+	// User has ALL WITH GRANT OPTION so they can grant anything.
+	if privilege.ALL.IsSetIn(userPriv.WithGrantOption) {
+		return nil
+	}
+
+	for _, priv := range privList {
+		if userPriv.WithGrantOption&priv.Mask() == 0 {
+			return pgerror.Newf(pgcode.InvalidGrantOperation,
+				"missing WITH GRANT OPTION privilege type %s", priv.String())
+		}
+	}
+
+	return nil
+}
+
 // Grant adds new privileges to this descriptor for a given list of users.
-func (p *PrivilegeDescriptor) Grant(user security.SQLUsername, privList privilege.List) {
+func (p *PrivilegeDescriptor) Grant(
+	user security.SQLUsername, privList privilege.List, withGrantOption bool,
+) {
 	userPriv := p.FindOrCreateUser(user)
-	if privilege.ALL.IsSetIn(userPriv.Privileges) {
+	if privilege.ALL.IsSetIn(userPriv.WithGrantOption) {
 		// User already has 'ALL' privilege: no-op.
+		// If userPriv.WithGrantOption has ALL, then userPriv.Privileges must also have ALL.
+		// It is possible however for userPriv.Privileges to have ALL but userPriv.WithGrantOption to not have ALL
+		return
+	}
+
+	if privilege.ALL.IsSetIn(userPriv.Privileges) && !withGrantOption {
+		// A user can hold all privileges but not all grant options.
+		// If a user holds all privileges but withGrantOption is False,
+		// there is nothing left to be done
 		return
 	}
 
+	// We only have to modify grant option.
 	bits := privList.ToBitField()
 	if privilege.ALL.IsSetIn(bits) {
 		// Granting 'ALL' privilege: overwrite.
 		// TODO(marc): the grammar does not allow it, but we should
 		// check if other privileges are being specified and error out.
 		userPriv.Privileges = privilege.ALL.Mask()
+		if withGrantOption {
+			userPriv.WithGrantOption = privilege.ALL.Mask()
+		}
 		return
 	}
-	userPriv.Privileges |= bits
+
+	if withGrantOption {
+		userPriv.WithGrantOption |= bits
+	}
+	if !privilege.ALL.IsSetIn(userPriv.Privileges) {
+		userPriv.Privileges |= bits
+	}
 }
 
 // Revoke removes privileges from this descriptor for a given list of users.
 func (p *PrivilegeDescriptor) Revoke(
-	user security.SQLUsername, privList privilege.List, objectType privilege.ObjectType,
+	user security.SQLUsername,
+	privList privilege.List,
+	objectType privilege.ObjectType,
+	grantOptionFor bool,
 ) {
 	userPriv, ok := p.FindUser(user)
 	if !ok || userPriv.Privileges == 0 {
@@ -199,14 +260,17 @@ func (p *PrivilegeDescriptor) Revoke(
 
 	bits := privList.ToBitField()
 	if privilege.ALL.IsSetIn(bits) {
-		// Revoking 'ALL' privilege: remove user.
-		// TODO(marc): the grammar does not allow it, but we should
-		// check if other privileges are being specified and error out.
-		p.RemoveUser(user)
+		userPriv.WithGrantOption = 0
+		if !grantOptionFor {
+			// Revoking 'ALL' privilege: remove user.
+			// TODO(marc): the grammar does not allow it, but we should
+			// check if other privileges are being specified and error out.
+			p.RemoveUser(user)
+		}
 		return
 	}
 
-	if privilege.ALL.IsSetIn(userPriv.Privileges) {
+	if privilege.ALL.IsSetIn(userPriv.Privileges) && !grantOptionFor {
 		// User has 'ALL' privilege. Remove it and set
 		// all other privileges one.
 		validPrivs := privilege.GetValidPrivilegesForObject(objectType)
@@ -218,12 +282,28 @@ func (p *PrivilegeDescriptor) Revoke(
 		}
 	}
 
+	if privilege.ALL.IsSetIn(userPriv.WithGrantOption) {
+		// User has 'ALL' grant option. Remove it and set
+		// all other grant options to one.
+		validPrivs := privilege.GetValidPrivilegesForObject(objectType)
+		userPriv.WithGrantOption = 0
+		for _, v := range validPrivs {
+			if v != privilege.ALL {
+				userPriv.WithGrantOption |= v.Mask()
+			}
+		}
+	}
+
 	// One doesn't see "AND NOT" very often.
-	userPriv.Privileges &^= bits
+	userPriv.WithGrantOption &^= bits
+	if !grantOptionFor {
+		userPriv.Privileges &^= bits
 
-	if userPriv.Privileges == 0 {
-		p.RemoveUser(user)
+		if userPriv.Privileges == 0 {
+			p.RemoveUser(user)
+		}
 	}
+
 }
 
 // ValidateSuperuserPrivileges ensures that superusers have exactly the maximum
diff --git a/pkg/sql/catalog/descpb/privilege.pb.go b/pkg/sql/catalog/descpb/privilege.pb.go
index 819e558c5975..8faa36db5050 100644
--- a/pkg/sql/catalog/descpb/privilege.pb.go
+++ b/pkg/sql/catalog/descpb/privilege.pb.go
@@ -30,7 +30,8 @@ const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
 type UserPrivileges struct {
 	UserProto github_com_cockroachdb_cockroach_pkg_security.SQLUsernameProto `protobuf:"bytes,1,opt,name=user_proto,json=userProto,casttype=github.com/cockroachdb/cockroach/pkg/security.SQLUsernameProto" json:"user_proto"`
 	// privileges is a bitfield of 1<<Privilege values.
-	Privileges uint32 `protobuf:"varint,2,opt,name=privileges" json:"privileges"`
+	Privileges      uint32 `protobuf:"varint,2,opt,name=privileges" json:"privileges"`
+	WithGrantOption uint32 `protobuf:"varint,3,opt,name=with_grant_option,json=withGrantOption" json:"with_grant_option"`
 }
 
 func (m *UserPrivileges) Reset()         { *m = UserPrivileges{} }
@@ -334,55 +335,57 @@ func init() {
 }
 
 var fileDescriptor_9343d951995d5a76 = []byte{
-	// 759 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x55, 0xcf, 0x6b, 0xdb, 0x48,
-	0x18, 0xf5, 0xc4, 0xce, 0xaf, 0x71, 0x1c, 0x16, 0x6d, 0x02, 0x5a, 0x27, 0x91, 0xbd, 0x26, 0x0b,
-	0x66, 0x0f, 0x12, 0xe4, 0xb0, 0x2c, 0x61, 0x09, 0x6b, 0x93, 0x84, 0xc0, 0x6e, 0xb1, 0xab, 0x38,
-	0x3d, 0x94, 0x16, 0x21, 0xcb, 0x5f, 0x64, 0xd5, 0x63, 0x8d, 0x3c, 0x23, 0xa5, 0xf5, 0xb5, 0x7f,
-	0x41, 0x8f, 0x3d, 0x16, 0xfa, 0xc7, 0x34, 0xc7, 0x1c, 0x73, 0x4a, 0x5b, 0xe7, 0xd2, 0x63, 0xcf,
-	0x85, 0xd2, 0x32, 0x92, 0x62, 0x2b, 0x8d, 0xed, 0x34, 0x50, 0x7a, 0x08, 0x8c, 0x32, 0x6f, 0xde,
-	0xfb, 0xde, 0xf7, 0xcb, 0xb8, 0xc4, 0x7b, 0x44, 0xb3, 0x4c, 0xdf, 0x24, 0xd4, 0xd6, 0x5a, 0xc0,
-	0x2d, 0xaf, 0xa9, 0x79, 0xcc, 0x39, 0x71, 0x08, 0xd8, 0xa0, 0x7a, 0x8c, 0xfa, 0x54, 0x5a, 0xb5,
-	0xa8, 0xd5, 0x61, 0xd4, 0xb4, 0xda, 0x2a, 0xef, 0x11, 0xf1, 0xd7, 0x34, 0x39, 0xe4, 0x57, 0x6c,
-	0x6a, 0xd3, 0x10, 0xa1, 0x89, 0x53, 0x04, 0x2e, 0xbd, 0x46, 0x78, 0xf9, 0x88, 0x03, 0xab, 0x5f,
-	0x91, 0x70, 0x09, 0x30, 0x0e, 0x38, 0x30, 0x23, 0x04, 0xc8, 0xa8, 0x88, 0xca, 0x8b, 0xd5, 0xfd,
-	0xd3, 0x8b, 0x42, 0xea, 0xd3, 0x45, 0x61, 0xc7, 0x76, 0xfc, 0x76, 0xd0, 0x54, 0x2d, 0xda, 0xd5,
-	0x86, 0x32, 0xad, 0xe6, 0xe8, 0xac, 0x79, 0x1d, 0x5b, 0xe3, 0x60, 0x05, 0xcc, 0xf1, 0xfb, 0xea,
-	0xe1, 0xfd, 0xff, 0x05, 0xb9, 0x6b, 0x76, 0xa1, 0x2e, 0xd8, 0xf4, 0xc5, 0x20, 0xd4, 0x12, 0x61,
-	0x6e, 0x62, 0x3c, 0x8c, 0x9c, 0xcb, 0x33, 0x45, 0x54, 0xce, 0x55, 0x33, 0x42, 0x46, 0x4f, 0xfc,
-	0x7f, 0x3b, 0xf3, 0xe1, 0x55, 0x01, 0x95, 0xbe, 0x20, 0xfc, 0xeb, 0x30, 0xc2, 0x5d, 0xe0, 0x16,
-	0x73, 0x3c, 0x9f, 0x32, 0xa9, 0x82, 0x67, 0x05, 0x21, 0x97, 0x51, 0x31, 0x5d, 0xce, 0x6e, 0xfd,
-	0xa1, 0x8e, 0xb5, 0xae, 0x5e, 0x37, 0x18, 0xab, 0x44, 0x2f, 0x25, 0x1b, 0x67, 0xe9, 0x53, 0x77,
-	0x68, 0x77, 0xe6, 0x87, 0xda, 0xc5, 0x21, 0x75, 0xe4, 0xf7, 0x2f, 0x3c, 0x7f, 0x02, 0x8c, 0x3b,
-	0xd4, 0x95, 0xd3, 0xa1, 0xd9, 0xf5, 0x58, 0x64, 0xe5, 0x9a, 0xb3, 0x07, 0x11, 0x46, 0xbf, 0x02,
-	0xc7, 0x19, 0x78, 0xb3, 0x88, 0xe5, 0x5d, 0x38, 0x36, 0x03, 0xe2, 0x8f, 0x9c, 0xec, 0x53, 0xa6,
-	0x53, 0x02, 0x92, 0x85, 0x73, 0xf0, 0xcc, 0x23, 0x8e, 0xe5, 0xf8, 0x06, 0xa3, 0x04, 0xe4, 0xa5,
-	0x22, 0x2a, 0x67, 0xb7, 0xfe, 0x99, 0x90, 0x8e, 0x49, 0x3c, 0xea, 0x5e, 0x4c, 0x22, 0x3e, 0x0e,
-	0x52, 0xfa, 0x12, 0x24, 0xbe, 0xa5, 0x0e, 0xce, 0x1d, 0x53, 0x66, 0x98, 0x84, 0x84, 0x1a, 0x5c,
-	0xce, 0x85, 0x22, 0x7b, 0x77, 0x15, 0xd9, 0xa7, 0xac, 0x42, 0x88, 0x38, 0xf2, 0x3a, 0x87, 0xa0,
-	0x45, 0x63, 0xb5, 0xec, 0xf1, 0xe8, 0x42, 0xfa, 0x88, 0xf0, 0x46, 0x2b, 0x62, 0x30, 0x46, 0xdd,
-	0x60, 0x78, 0xc0, 0x0c, 0xda, 0x7c, 0x02, 0x96, 0x2f, 0x2f, 0x87, 0x15, 0xaf, 0xdd, 0x55, 0xfd,
-	0xc6, 0x45, 0x1d, 0x58, 0x2d, 0x64, 0xdc, 0x73, 0x7d, 0xd6, 0xaf, 0x3e, 0x12, 0x45, 0x79, 0xfe,
-	0xb6, 0xd0, 0xf8, 0xbe, 0xca, 0xf7, 0x88, 0xc6, 0xa1, 0xab, 0xf9, 0x0c, 0x40, 0xad, 0x10, 0x1f,
-	0xd8, 0x0d, 0xfe, 0x86, 0xc9, 0x6c, 0xf0, 0x23, 0x09, 0x3d, 0xdf, 0x9a, 0x28, 0x9f, 0xff, 0x9c,
-	0xc6, 0x4b, 0xc9, 0x02, 0xfc, 0xac, 0x39, 0xdc, 0xc1, 0xbf, 0x79, 0x41, 0x93, 0x38, 0x96, 0xd1,
-	0x36, 0xb9, 0x11, 0x70, 0xd3, 0x06, 0x83, 0xba, 0x86, 0xdf, 0xf7, 0x80, 0xcb, 0x99, 0x22, 0x2a,
-	0x2f, 0xc4, 0x03, 0xb3, 0x1a, 0xc1, 0x0e, 0x4c, 0x7e, 0x24, 0x40, 0x35, 0xb7, 0x21, 0x20, 0xd2,
-	0x3d, 0xfc, 0xbb, 0xe8, 0x87, 0xf0, 0xb5, 0x68, 0x8e, 0x44, 0xb9, 0x04, 0x8d, 0xd9, 0x14, 0xbd,
-	0x32, 0x9b, 0xe0, 0x59, 0x17, 0xf0, 0x03, 0x93, 0x57, 0x08, 0x19, 0xe5, 0xa1, 0xe6, 0x36, 0x42,
-	0xa4, 0x74, 0x88, 0x37, 0xa7, 0xd0, 0x71, 0xe8, 0x05, 0xe0, 0x5a, 0xc0, 0xe5, 0xb9, 0x04, 0x63,
-	0x61, 0x3c, 0xe3, 0xe1, 0x15, 0x58, 0xaa, 0xe1, 0xd2, 0x34, 0x52, 0xab, 0x0d, 0x5d, 0x93, 0xcb,
-	0xf3, 0x09, 0xca, 0x8d, 0x09, 0x94, 0x11, 0x54, 0xfa, 0x0f, 0x17, 0xa7, 0x99, 0x0e, 0x73, 0xb7,
-	0x90, 0xa0, 0x5b, 0x9b, 0xe0, 0x59, 0x00, 0xa3, 0x09, 0xcf, 0x3f, 0xc6, 0xab, 0x63, 0x47, 0x63,
-	0x7a, 0x81, 0xb2, 0xb7, 0x16, 0x28, 0xa6, 0xef, 0xe3, 0xc2, 0x2d, 0xbd, 0x2f, 0xfd, 0x82, 0xd3,
-	0x1d, 0xe8, 0x87, 0x9d, 0x96, 0xd3, 0xc5, 0x51, 0xfa, 0x17, 0xcf, 0x9e, 0x98, 0x24, 0x80, 0x70,
-	0x2d, 0x66, 0xb7, 0xfe, 0x9c, 0x30, 0x6d, 0x63, 0x56, 0xb3, 0x1e, 0x3d, 0xdc, 0x9e, 0xf9, 0x1b,
-	0x45, 0x01, 0x54, 0xe7, 0x70, 0x46, 0x24, 0xa1, 0xf4, 0x12, 0xe1, 0xfc, 0xb7, 0x91, 0x24, 0x56,
-	0xba, 0x8f, 0xd7, 0x26, 0x0c, 0x7e, 0xb8, 0xd9, 0xa2, 0x45, 0xaf, 0xdd, 0x71, 0xec, 0xe3, 0x04,
-	0xc9, 0xe3, 0xc6, 0x4f, 0xdc, 0xc7, 0x21, 0x96, 0x4f, 0xdf, 0x2b, 0xa9, 0xd3, 0x81, 0x82, 0xce,
-	0x06, 0x0a, 0x3a, 0x1f, 0x28, 0xe8, 0xdd, 0x40, 0x41, 0x2f, 0x2e, 0x95, 0xd4, 0xd9, 0xa5, 0x92,
-	0x3a, 0xbf, 0x54, 0x52, 0x0f, 0xe7, 0xa2, 0xdf, 0xdc, 0xaf, 0x01, 0x00, 0x00, 0xff, 0xff, 0xd9,
-	0xfb, 0x41, 0x97, 0x88, 0x07, 0x00, 0x00,
+	// 785 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x55, 0x41, 0x6f, 0xe3, 0x44,
+	0x14, 0xce, 0x34, 0x69, 0x77, 0x3b, 0x69, 0x16, 0x30, 0x5b, 0xc9, 0x64, 0xb7, 0x4e, 0x88, 0x8a,
+	0x14, 0x71, 0xb0, 0x51, 0x0f, 0x08, 0x55, 0xa8, 0x22, 0x51, 0x5b, 0x2a, 0x01, 0x4a, 0x70, 0x53,
+	0x0e, 0x08, 0x64, 0x4d, 0x9c, 0x57, 0xc7, 0x64, 0xe2, 0x71, 0x66, 0xc6, 0x2d, 0xb9, 0xf2, 0x0b,
+	0x38, 0x72, 0xe4, 0xdf, 0xd0, 0x63, 0x2f, 0x48, 0x3d, 0x15, 0x48, 0x2f, 0x1c, 0x39, 0x23, 0x21,
+	0xd0, 0xd8, 0x6e, 0xe2, 0xd2, 0x24, 0xa5, 0x12, 0xda, 0x43, 0xa5, 0x71, 0xdf, 0x37, 0xdf, 0xf7,
+	0xde, 0xf7, 0xde, 0x9b, 0xe0, 0x9a, 0x18, 0x51, 0xcb, 0x25, 0x92, 0x50, 0xe6, 0x59, 0x3d, 0x10,
+	0x6e, 0xd8, 0xb5, 0x42, 0xee, 0x9f, 0xf9, 0x14, 0x3c, 0x30, 0x43, 0xce, 0x24, 0xd3, 0x36, 0x5d,
+	0xe6, 0x0e, 0x38, 0x23, 0x6e, 0xdf, 0x14, 0x23, 0xaa, 0xfe, 0xba, 0x44, 0x40, 0xf9, 0xb9, 0xc7,
+	0x3c, 0x16, 0x23, 0x2c, 0x75, 0x4a, 0xc0, 0xb5, 0x9f, 0x11, 0x7e, 0x76, 0x22, 0x80, 0xb7, 0x6f,
+	0x49, 0x84, 0x06, 0x18, 0x47, 0x02, 0xb8, 0x13, 0x03, 0x74, 0x54, 0x45, 0xf5, 0xf5, 0xe6, 0xe1,
+	0xc5, 0x75, 0x25, 0xf7, 0xe7, 0x75, 0x65, 0xcf, 0xf3, 0x65, 0x3f, 0xea, 0x9a, 0x2e, 0x1b, 0x5a,
+	0x53, 0x99, 0x5e, 0x77, 0x76, 0xb6, 0xc2, 0x81, 0x67, 0x09, 0x70, 0x23, 0xee, 0xcb, 0xb1, 0x79,
+	0xfc, 0xf9, 0xa7, 0x8a, 0x3c, 0x20, 0x43, 0x68, 0x2b, 0x36, 0x7b, 0x3d, 0x8a, 0xb5, 0x54, 0x9a,
+	0xdb, 0x18, 0x4f, 0x33, 0x17, 0xfa, 0x4a, 0x15, 0xd5, 0x4b, 0xcd, 0x82, 0x92, 0xb1, 0x33, 0xff,
+	0xd7, 0xde, 0xc3, 0x6f, 0x9c, 0xfb, 0xb2, 0xef, 0x78, 0x9c, 0x04, 0xd2, 0x61, 0xa1, 0xf4, 0x59,
+	0xa0, 0xe7, 0x33, 0xe0, 0xd7, 0x54, 0xf8, 0x63, 0x15, 0x6d, 0xc5, 0xc1, 0xdd, 0xc2, 0xef, 0x3f,
+	0x56, 0x50, 0xed, 0x6f, 0x84, 0xdf, 0x9c, 0xd6, 0xb4, 0x0f, 0xc2, 0xe5, 0x7e, 0x28, 0x19, 0xd7,
+	0x1a, 0x78, 0x55, 0xa5, 0x20, 0x74, 0x54, 0xcd, 0xd7, 0x8b, 0x3b, 0xef, 0x98, 0x73, 0xcd, 0x32,
+	0xef, 0x5a, 0x92, 0x4a, 0x25, 0x37, 0x35, 0x0f, 0x17, 0xd9, 0x79, 0x30, 0x35, 0x68, 0xe5, 0x7f,
+	0x35, 0x08, 0xc7, 0xd4, 0x89, 0x43, 0xef, 0xe3, 0x27, 0x67, 0xc0, 0xc5, 0xac, 0xe2, 0x97, 0xa9,
+	0xc8, 0xf3, 0x3b, 0x95, 0x7d, 0x91, 0x60, 0xec, 0x5b, 0x70, 0xea, 0xc0, 0x4f, 0xeb, 0x58, 0xdf,
+	0x87, 0x53, 0x12, 0x51, 0x39, 0xab, 0xe4, 0x90, 0x71, 0x9b, 0x51, 0xd0, 0x5c, 0x5c, 0x82, 0x6f,
+	0x43, 0xea, 0xbb, 0xbe, 0x74, 0x38, 0xa3, 0xa0, 0x6f, 0x54, 0x51, 0xbd, 0xb8, 0xf3, 0xe1, 0x02,
+	0x3b, 0x16, 0xf1, 0x98, 0x07, 0x29, 0x89, 0xfa, 0x38, 0xca, 0xd9, 0x1b, 0x90, 0xf9, 0xd6, 0x06,
+	0xb8, 0x74, 0xca, 0xb8, 0x43, 0x28, 0x8d, 0x35, 0x84, 0x5e, 0x8a, 0x45, 0x0e, 0x1e, 0x2b, 0x72,
+	0xc8, 0x78, 0x83, 0x52, 0x75, 0x14, 0x6d, 0x01, 0x51, 0x8f, 0xa5, 0x6a, 0xc5, 0xd3, 0x59, 0x40,
+	0xfb, 0x03, 0xe1, 0xad, 0x5e, 0xc2, 0xe0, 0xcc, 0xe6, 0xc7, 0x09, 0x81, 0x3b, 0xac, 0xfb, 0x0d,
+	0xb8, 0x52, 0x7f, 0x16, 0x77, 0xbc, 0xf5, 0x58, 0xf5, 0x7b, 0x81, 0x36, 0xf0, 0x56, 0xcc, 0x78,
+	0x10, 0x48, 0x3e, 0x6e, 0x7e, 0xa5, 0x9a, 0xf2, 0xdd, 0x2f, 0x95, 0xce, 0x7f, 0xeb, 0xfc, 0x88,
+	0x5a, 0x02, 0x86, 0x96, 0xe4, 0x00, 0x66, 0x83, 0x4a, 0xe0, 0xf7, 0xf8, 0x3b, 0x84, 0x7b, 0x20,
+	0x13, 0x09, 0xbb, 0xdc, 0x5b, 0x28, 0x5f, 0xfe, 0x2b, 0x8f, 0x37, 0xb2, 0x0d, 0x78, 0x55, 0x9b,
+	0xbb, 0x87, 0xdf, 0x0a, 0xa3, 0x2e, 0xf5, 0x5d, 0xa7, 0x4f, 0x84, 0x13, 0x09, 0xe2, 0x81, 0xc3,
+	0x02, 0x47, 0x8e, 0x43, 0x10, 0x7a, 0xa1, 0x8a, 0xea, 0x4f, 0xd3, 0x85, 0xd9, 0x4c, 0x60, 0x47,
+	0x44, 0x9c, 0x28, 0x50, 0x2b, 0xe8, 0x28, 0x88, 0xf6, 0x19, 0x7e, 0x5b, 0xcd, 0x43, 0x7c, 0x5b,
+	0x0d, 0x47, 0xa6, 0x5d, 0x8a, 0x86, 0x74, 0xd5, 0xac, 0xac, 0x66, 0x78, 0x5e, 0x2a, 0xf8, 0x11,
+	0x11, 0x0d, 0x4a, 0x67, 0x3e, 0xb4, 0x82, 0x4e, 0x8c, 0xd4, 0x8e, 0xf1, 0xf6, 0x12, 0x3a, 0x01,
+	0xa3, 0x08, 0x02, 0x17, 0x84, 0xbe, 0x96, 0x61, 0xac, 0xcc, 0x67, 0x3c, 0xbe, 0x05, 0x6b, 0x2d,
+	0x5c, 0x5b, 0x46, 0xea, 0xf6, 0x61, 0x48, 0x84, 0xfe, 0x24, 0x43, 0xb9, 0xb5, 0x80, 0x32, 0x81,
+	0x6a, 0x9f, 0xe0, 0xea, 0xb2, 0xa2, 0x63, 0xef, 0x9e, 0x66, 0xe8, 0x5e, 0x2c, 0xa8, 0x59, 0x01,
+	0x93, 0x0d, 0x2f, 0x7f, 0x8d, 0x37, 0xe7, 0xae, 0xc6, 0xf2, 0x06, 0x15, 0x1f, 0x6c, 0x50, 0x4a,
+	0x3f, 0xc6, 0x95, 0x07, 0x66, 0x5f, 0x7b, 0x1d, 0xe7, 0x07, 0x30, 0x8e, 0x27, 0xad, 0x64, 0xab,
+	0xa3, 0xf6, 0x11, 0x5e, 0x3d, 0x23, 0x34, 0x82, 0xf8, 0x59, 0x2c, 0xee, 0xbc, 0xbb, 0x60, 0xdb,
+	0xe6, 0x3c, 0xcd, 0x76, 0x72, 0x71, 0x77, 0xe5, 0x03, 0x94, 0x24, 0xd0, 0x5c, 0xc3, 0x05, 0x65,
+	0x42, 0xed, 0x07, 0x84, 0xcb, 0xff, 0xce, 0x24, 0xf3, 0xa4, 0x4b, 0xfc, 0x62, 0xc1, 0xe2, 0xc7,
+	0x2f, 0x5b, 0xf2, 0xd0, 0x5b, 0x8f, 0x5c, 0xfb, 0xd4, 0x20, 0x7d, 0xde, 0xfa, 0xa9, 0x78, 0x9a,
+	0x62, 0xfd, 0xe2, 0x37, 0x23, 0x77, 0x31, 0x31, 0xd0, 0xe5, 0xc4, 0x40, 0x57, 0x13, 0x03, 0xfd,
+	0x3a, 0x31, 0xd0, 0xf7, 0x37, 0x46, 0xee, 0xf2, 0xc6, 0xc8, 0x5d, 0xdd, 0x18, 0xb9, 0x2f, 0xd7,
+	0x92, 0x5f, 0xe9, 0x7f, 0x02, 0x00, 0x00, 0xff, 0xff, 0x67, 0xe1, 0x73, 0xa0, 0xba, 0x07, 0x00,
+	0x00,
 }
 
 func (this *UserPrivileges) Equal(that interface{}) bool {
@@ -410,6 +413,9 @@ func (this *UserPrivileges) Equal(that interface{}) bool {
 	if this.Privileges != that1.Privileges {
 		return false
 	}
+	if this.WithGrantOption != that1.WithGrantOption {
+		return false
+	}
 	return true
 }
 func (this *PrivilegeDescriptor) Equal(that interface{}) bool {
@@ -647,6 +653,9 @@ func (m *UserPrivileges) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	i = encodeVarintPrivilege(dAtA, i, uint64(m.WithGrantOption))
+	i--
+	dAtA[i] = 0x18
 	i = encodeVarintPrivilege(dAtA, i, uint64(m.Privileges))
 	i--
 	dAtA[i] = 0x10
@@ -960,6 +969,7 @@ func (m *UserPrivileges) Size() (n int) {
 	l = len(m.UserProto)
 	n += 1 + l + sovPrivilege(uint64(l))
 	n += 1 + sovPrivilege(uint64(m.Privileges))
+	n += 1 + sovPrivilege(uint64(m.WithGrantOption))
 	return n
 }
 
@@ -1153,6 +1163,25 @@ func (m *UserPrivileges) Unmarshal(dAtA []byte) error {
 					break
 				}
 			}
+		case 3:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field WithGrantOption", wireType)
+			}
+			m.WithGrantOption = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowPrivilege
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.WithGrantOption |= uint32(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
 		default:
 			iNdEx = preIndex
 			skippy, err := skipPrivilege(dAtA[iNdEx:])
diff --git a/pkg/sql/catalog/descpb/privilege.proto b/pkg/sql/catalog/descpb/privilege.proto
index a5ac53137f29..538b88dc1686 100644
--- a/pkg/sql/catalog/descpb/privilege.proto
+++ b/pkg/sql/catalog/descpb/privilege.proto
@@ -21,6 +21,7 @@ message UserPrivileges {
                                   (gogoproto.casttype) = "github.com/cockroachdb/cockroach/pkg/security.SQLUsernameProto"];
   // privileges is a bitfield of 1<<Privilege values.
   optional uint32 privileges = 2 [(gogoproto.nullable) = false];
+  optional uint32 with_grant_option = 3 [(gogoproto.nullable) = false];
 }
 
 // PrivilegeDescriptor describes a list of users and attached
diff --git a/pkg/sql/catalog/descpb/privilege_test.go b/pkg/sql/catalog/descpb/privilege_test.go
index 8cab8880a486..f680ad95299e 100644
--- a/pkg/sql/catalog/descpb/privilege_test.go
+++ b/pkg/sql/catalog/descpb/privilege_test.go
@@ -145,10 +145,10 @@ func TestPrivilege(t *testing.T) {
 	for tcNum, tc := range testCases {
 		if !tc.grantee.Undefined() {
 			if tc.grant != nil {
-				descriptor.Grant(tc.grantee, tc.grant)
+				descriptor.Grant(tc.grantee, tc.grant, false)
 			}
 			if tc.revoke != nil {
-				descriptor.Revoke(tc.grantee, tc.revoke, tc.objectType)
+				descriptor.Revoke(tc.grantee, tc.revoke, tc.objectType, false)
 			}
 		}
 		show := descriptor.Show(tc.objectType)
@@ -177,31 +177,31 @@ func TestCheckPrivilege(t *testing.T) {
 		priv privilege.Kind
 		exp  bool
 	}{
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
 			testUser, privilege.CREATE, true},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
 			barUser, privilege.CREATE, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
 			barUser, privilege.DROP, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
 			testUser, privilege.DROP, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{}, security.AdminRoleName()),
 			testUser, privilege.CREATE, true},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
 			testUser, privilege.ALL, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{}, security.AdminRoleName()),
 			testUser, privilege.ALL, true},
-		{NewPrivilegeDescriptor(testUser, privilege.List{}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{}, privilege.List{}, security.AdminRoleName()),
 			testUser, privilege.ALL, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{}, privilege.List{}, security.AdminRoleName()),
 			testUser, privilege.CREATE, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP}, privilege.List{},
 			security.AdminRoleName()),
 			testUser, privilege.UPDATE, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP}, privilege.List{},
 			security.AdminRoleName()),
 			testUser, privilege.DROP, true},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.ALL},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.ALL}, privilege.List{},
 			security.AdminRoleName()),
 			testUser, privilege.DROP, true},
 	}
@@ -225,18 +225,18 @@ func TestAnyPrivilege(t *testing.T) {
 		user security.SQLUsername
 		exp  bool
 	}{
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
 			testUser, true},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
 			barUser, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{}, security.AdminRoleName()),
 			testUser, true},
-		{NewPrivilegeDescriptor(testUser, privilege.List{}, security.AdminRoleName()),
+		{NewPrivilegeDescriptor(testUser, privilege.List{}, privilege.List{}, security.AdminRoleName()),
 			testUser, false},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP}, privilege.List{},
 			security.AdminRoleName()),
 			testUser, true},
-		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.DROP}, privilege.List{},
 			security.AdminRoleName()),
 			barUser, false},
 	}
@@ -263,25 +263,25 @@ func TestPrivilegeValidate(t *testing.T) {
 	if err := validate(); err != nil {
 		t.Fatal(err)
 	}
-	descriptor.Grant(testUser, privilege.List{privilege.ALL})
+	descriptor.Grant(testUser, privilege.List{privilege.ALL}, false)
 	if err := validate(); err != nil {
 		t.Fatal(err)
 	}
-	descriptor.Grant(security.RootUserName(), privilege.List{privilege.SELECT})
+	descriptor.Grant(security.RootUserName(), privilege.List{privilege.SELECT}, false)
 	if err := validate(); err != nil {
 		t.Fatal(err)
 	}
-	descriptor.Revoke(security.RootUserName(), privilege.List{privilege.SELECT}, privilege.Table)
+	descriptor.Revoke(security.RootUserName(), privilege.List{privilege.SELECT}, privilege.Table, false)
 	if err := validate(); err == nil {
 		t.Fatal("unexpected success")
 	}
 	// TODO(marc): validate fails here because we do not aggregate
 	// privileges into ALL when all are set.
-	descriptor.Grant(security.RootUserName(), privilege.List{privilege.SELECT})
+	descriptor.Grant(security.RootUserName(), privilege.List{privilege.SELECT}, false)
 	if err := validate(); err == nil {
 		t.Fatal("unexpected success")
 	}
-	descriptor.Revoke(security.RootUserName(), privilege.List{privilege.ALL}, privilege.Table)
+	descriptor.Revoke(security.RootUserName(), privilege.List{privilege.ALL}, privilege.Table, false)
 	if err := validate(); err == nil {
 		t.Fatal("unexpected success")
 	}
@@ -306,7 +306,7 @@ func TestValidPrivilegesForObjects(t *testing.T) {
 	for _, tc := range testCases {
 		for _, priv := range tc.validPrivileges {
 			privDesc := NewBasePrivilegeDescriptor(security.AdminRoleName())
-			privDesc.Grant(testUser, privilege.List{priv})
+			privDesc.Grant(testUser, privilege.List{priv}, false)
 			err := privDesc.Validate(id, tc.objectType, "whatever", DefaultSuperuserPrivileges)
 			if err != nil {
 				t.Fatal(err)
@@ -323,7 +323,7 @@ func TestValidPrivilegesForObjects(t *testing.T) {
 
 		for _, priv := range invalidPrivileges {
 			privDesc := NewBasePrivilegeDescriptor(security.AdminRoleName())
-			privDesc.Grant(testUser, privilege.List{priv})
+			privDesc.Grant(testUser, privilege.List{priv}, false)
 			err := privDesc.Validate(id, tc.objectType, "whatever", DefaultSuperuserPrivileges)
 			if err == nil {
 				t.Fatalf("unexpected success, %s should not be a valid privilege for a %s",
@@ -361,13 +361,13 @@ func TestSystemPrivilegeValidate(t *testing.T) {
 		}
 
 		// Valid: foo has a subset of the allowed privileges.
-		descriptor.Grant(testUser, privilege.List{privilege.SELECT})
+		descriptor.Grant(testUser, privilege.List{privilege.SELECT}, false)
 		if err := validate(descriptor); err != nil {
 			t.Fatal(err)
 		}
 
 		// Valid: foo has exactly the allowed privileges.
-		descriptor.Grant(testUser, privilege.List{privilege.GRANT})
+		descriptor.Grant(testUser, privilege.List{privilege.GRANT}, false)
 		if err := validate(descriptor); err != nil {
 			t.Fatal(err)
 		}
@@ -381,20 +381,20 @@ func TestSystemPrivilegeValidate(t *testing.T) {
 		)
 
 		// Valid: foo has a subset of the allowed privileges.
-		descriptor.Grant(testUser, privilege.List{privilege.GRANT})
+		descriptor.Grant(testUser, privilege.List{privilege.GRANT}, false)
 		if err := validate(descriptor); err != nil {
 			t.Fatal(err)
 		}
 
 		// Valid: foo can have privileges revoked, including privileges it doesn't currently have.
 		descriptor.Revoke(
-			testUser, privilege.List{privilege.GRANT, privilege.UPDATE, privilege.ALL}, privilege.Table)
+			testUser, privilege.List{privilege.GRANT, privilege.UPDATE, privilege.ALL}, privilege.Table, false)
 		if err := validate(descriptor); err != nil {
 			t.Fatal(err)
 		}
 
 		// Invalid: root user has too many privileges.
-		descriptor.Grant(security.RootUserName(), privilege.List{privilege.UPDATE})
+		descriptor.Grant(security.RootUserName(), privilege.List{privilege.UPDATE}, false)
 		if err := validate(descriptor); !testutils.IsError(err, rootWrongPrivilegesErr) {
 			t.Fatalf("expected err=%s, got err=%v", rootWrongPrivilegesErr, err)
 		}
@@ -410,21 +410,21 @@ func TestSystemPrivilegeValidate(t *testing.T) {
 
 		// Invalid: root's invalid privileges are revoked and replaced with allowable privileges,
 		// but admin is still wrong.
-		descriptor.Revoke(security.RootUserName(), privilege.List{privilege.UPDATE}, privilege.Table)
-		descriptor.Grant(security.RootUserName(), privilege.List{privilege.SELECT, privilege.GRANT})
+		descriptor.Revoke(security.RootUserName(), privilege.List{privilege.UPDATE}, privilege.Table, false)
+		descriptor.Grant(security.RootUserName(), privilege.List{privilege.SELECT, privilege.GRANT}, false)
 		if err := validate(descriptor); !testutils.IsError(err, adminWrongPrivilegesErr) {
 			t.Fatalf("expected err=%s, got err=%v", adminWrongPrivilegesErr, err)
 		}
 
 		// Valid: admin's invalid privileges are revoked and replaced with allowable privileges.
-		descriptor.Revoke(security.AdminRoleName(), privilege.List{privilege.UPDATE}, privilege.Table)
-		descriptor.Grant(security.AdminRoleName(), privilege.List{privilege.SELECT, privilege.GRANT})
+		descriptor.Revoke(security.AdminRoleName(), privilege.List{privilege.UPDATE}, privilege.Table, false)
+		descriptor.Grant(security.AdminRoleName(), privilege.List{privilege.SELECT, privilege.GRANT}, false)
 		if err := validate(descriptor); err != nil {
 			t.Fatal(err)
 		}
 
 		// Valid: foo has less privileges than root.
-		descriptor.Grant(testUser, privilege.List{privilege.GRANT})
+		descriptor.Grant(testUser, privilege.List{privilege.GRANT}, false)
 		if err := validate(descriptor); err != nil {
 			t.Fatal(err)
 		}
@@ -499,3 +499,118 @@ func TestValidateOwnership(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+// TestGrantWithGrantOption tests whether granting with grant option changes the
+// privilege bits and grant option bits as expected.
+func TestGrantWithGrantOption(t *testing.T) {
+	defer leaktest.AfterTest(t)()
+
+	testUser := security.TestUserName()
+
+	testCases := []struct {
+		pd                  *PrivilegeDescriptor
+		user                security.SQLUsername
+		objectType          privilege.ObjectType
+		grantPrivileges     privilege.List
+		expectedPrivileges  privilege.List
+		expectedGrantOption privilege.List
+	}{
+		{NewPrivilegeDescriptor(testUser, privilege.List{}, privilege.List{}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.SELECT, privilege.INSERT}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.CREATE, privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.SELECT, privilege.INSERT}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.SELECT, privilege.INSERT},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.SELECT, privilege.INSERT}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.INSERT}, privilege.List{}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{privilege.ALL}, security.AdminRoleName()),
+			testUser, privilege.Schema,
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE}, privilege.List{privilege.CREATE}, security.AdminRoleName()),
+			testUser, privilege.Schema,
+			privilege.List{privilege.ALL, privilege.CREATE},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL}},
+	}
+
+	for tcNum, tc := range testCases {
+		tc.pd.Grant(tc.user, tc.grantPrivileges, true)
+		if tc.pd.Users[0].Privileges != tc.expectedPrivileges.ToBitField() {
+			t.Errorf("#%d: Incorrect privileges, returned %v, expected %v",
+				tcNum, privilege.ListFromBitField(tc.pd.Users[0].Privileges, tc.objectType), tc.expectedPrivileges)
+		}
+		if tc.pd.Users[0].WithGrantOption != tc.expectedGrantOption.ToBitField() {
+			t.Errorf("#%d: Incorrect grant option, returned %v, expected %v",
+				tcNum, privilege.ListFromBitField(tc.pd.Users[0].WithGrantOption, tc.objectType), tc.expectedGrantOption)
+		}
+	}
+}
+
+// TestRevokeWithGrantOption tests whether revoking grant option for changes the
+// privilege bits and grant option bits as expected.
+func TestRevokeWithGrantOption(t *testing.T) {
+	defer leaktest.AfterTest(t)()
+
+	testUser := security.TestUserName()
+
+	testCases := []struct {
+		pd                  *PrivilegeDescriptor
+		user                security.SQLUsername
+		objectType          privilege.ObjectType
+		revokePrivileges    privilege.List
+		expectedPrivileges  privilege.List
+		expectedGrantOption privilege.List
+	}{
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL},
+			privilege.List{}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{privilege.ALL}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.CREATE, privilege.GRANT},
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.DROP, privilege.SELECT, privilege.INSERT, privilege.DELETE, privilege.UPDATE, privilege.ZONECONFIG}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{privilege.ALL}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.ALL},
+			privilege.List{privilege.ALL},
+			privilege.List{}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.ALL}, privilege.List{privilege.ALL}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.ALL, privilege.CREATE, privilege.SELECT},
+			privilege.List{privilege.ALL},
+			privilege.List{}},
+		{NewPrivilegeDescriptor(testUser, privilege.List{privilege.CREATE, privilege.SELECT, privilege.INSERT}, privilege.List{privilege.SELECT}, security.AdminRoleName()),
+			testUser, privilege.Table,
+			privilege.List{privilege.CREATE, privilege.DROP, privilege.SELECT},
+			privilege.List{privilege.CREATE, privilege.SELECT, privilege.INSERT},
+			privilege.List{}},
+	}
+
+	for tcNum, tc := range testCases {
+		tc.pd.Revoke(tc.user, tc.revokePrivileges, tc.objectType, true)
+		if tc.pd.Users[0].Privileges != tc.expectedPrivileges.ToBitField() {
+			t.Errorf("#%d: Incorrect privileges, returned %v, expected %v",
+				tcNum, privilege.ListFromBitField(tc.pd.Users[0].Privileges, tc.objectType), tc.expectedPrivileges)
+		}
+		if tc.pd.Users[0].WithGrantOption != tc.expectedGrantOption.ToBitField() {
+			t.Errorf("#%d: Incorrect grant option, returned %v, expected %v",
+				tcNum, privilege.ListFromBitField(tc.pd.Users[0].WithGrantOption, tc.objectType), tc.expectedGrantOption)
+		}
+	}
+}
diff --git a/pkg/sql/catalog/typedesc/type_desc_test.go b/pkg/sql/catalog/typedesc/type_desc_test.go
index 88e7e87d2ad3..c7324e5e6d11 100644
--- a/pkg/sql/catalog/typedesc/type_desc_test.go
+++ b/pkg/sql/catalog/typedesc/type_desc_test.go
@@ -376,7 +376,7 @@ func TestValidateTypeDesc(t *testing.T) {
 	defaultPrivileges := descpb.NewBasePrivilegeDescriptor(security.RootUserName())
 	invalidPrivileges := descpb.NewBasePrivilegeDescriptor(security.RootUserName())
 	// Make the PrivilegeDescriptor invalid by granting SELECT to a type.
-	invalidPrivileges.Grant(security.TestUserName(), privilege.List{privilege.SELECT})
+	invalidPrivileges.Grant(security.TestUserName(), privilege.List{privilege.SELECT}, false)
 	typeDescID := descpb.ID(keys.MaxReservedDescID + 1)
 	testData := []struct {
 		err  string
diff --git a/pkg/sql/grant_revoke.go b/pkg/sql/grant_revoke.go
index 97ca719aee5c..6fa283deefe5 100644
--- a/pkg/sql/grant_revoke.go
+++ b/pkg/sql/grant_revoke.go
@@ -51,13 +51,14 @@ func (p *planner) Grant(ctx context.Context, n *tree.Grant) (planNode, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	return &changePrivilegesNode{
 		isGrant:      true,
 		targets:      n.Targets,
 		grantees:     grantees,
 		desiredprivs: n.Privileges,
 		changePrivilege: func(privDesc *descpb.PrivilegeDescriptor, privileges privilege.List, grantee security.SQLUsername) {
-			privDesc.Grant(grantee, privileges)
+			privDesc.Grant(grantee, privileges, n.WithGrantOption)
 		},
 		grantOn:          grantOn,
 		granteesNameList: n.Grantees,
@@ -87,7 +88,7 @@ func (p *planner) Revoke(ctx context.Context, n *tree.Revoke) (planNode, error)
 		grantees:     grantees,
 		desiredprivs: n.Privileges,
 		changePrivilege: func(privDesc *descpb.PrivilegeDescriptor, privileges privilege.List, grantee security.SQLUsername) {
-			privDesc.Revoke(grantee, privileges, grantOn)
+			privDesc.Revoke(grantee, privileges, grantOn, n.GrantOptionFor)
 		},
 		grantOn:          grantOn,
 		granteesNameList: n.Grantees,
@@ -178,8 +179,15 @@ func (n *changePrivilegesNode) startExec(params runParams) error {
 					return err
 				}
 			}
-
 			privileges := descriptor.GetPrivileges()
+
+			if p.ExecCfg().Settings.Version.IsActive(ctx, clusterversion.ValidateGrantOption) {
+				err := privileges.ValidateGrantPrivileges(p.User(), n.desiredprivs)
+				if err != nil {
+					return err
+				}
+			}
+
 			for _, grantee := range n.grantees {
 				n.changePrivilege(privileges, n.desiredprivs, grantee)
 			}
diff --git a/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_with_grant_option b/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_with_grant_option
new file mode 100644
index 000000000000..6cdd5d6cdbf7
--- /dev/null
+++ b/pkg/sql/logictest/testdata/logic_test/alter_default_privileges_with_grant_option
@@ -0,0 +1,611 @@
+# Should error when a role that does not exist is provided.
+statement error pq: user or role who does not exist
+ALTER DEFAULT PRIVILEGES FOR ROLE who GRANT SELECT ON TABLES to testuser WITH GRANT OPTION
+
+statement error pq: user or role who does not exist
+ALTER DEFAULT PRIVILEGES GRANT SELECT ON TABLES to who WITH GRANT OPTION
+
+statement error pq: user or role who does not exist
+ALTER DEFAULT PRIVILEGES FOR ROLE testuser GRANT SELECT ON TABLES to who WITH GRANT OPTION
+
+statement error pq: user or role who does not exist
+ALTER DEFAULT PRIVILEGES FOR ROLE testuser GRANT SELECT ON TABLES to testuser, who WITH GRANT OPTION
+
+# Should not be able to use invalid privileges.
+statement error pq: invalid privilege type USAGE for table
+ALTER DEFAULT PRIVILEGES GRANT USAGE ON TABLES to testuser WITH GRANT OPTION
+
+statement ok
+GRANT CREATE ON DATABASE test to testuser
+
+statement ok
+CREATE USER testuser2
+
+statement ok
+CREATE USER target
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE root GRANT GRANT, SELECT ON TABLES TO testuser;
+
+statement ok
+CREATE TABLE t1()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t1;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t1          admin     ALL
+test           public       t1          root      ALL
+test           public       t1          testuser  CREATE
+test           public       t1          testuser  GRANT
+test           public       t1          testuser  SELECT
+
+user testuser
+
+statement ok
+SELECT * FROM t1
+
+statement error pq: missing WITH GRANT OPTION privilege type GRANT
+GRANT GRANT, SELECT ON TABLE t1 to target
+
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT, INSERT ON TABLES TO testuser WITH GRANT OPTION
+
+statement ok
+CREATE TABLE t2()
+
+user testuser
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t1;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t1          admin     ALL
+test           public       t1          root      ALL
+test           public       t1          testuser  CREATE
+test           public       t1          testuser  GRANT
+test           public       t1          testuser  SELECT
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t2;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t2          admin     ALL
+test           public       t2          root      ALL
+test           public       t2          testuser  CREATE
+test           public       t2          testuser  GRANT
+test           public       t2          testuser  INSERT
+test           public       t2          testuser  SELECT
+
+statement error pq: missing WITH GRANT OPTION privilege type GRANT
+GRANT GRANT, SELECT ON TABLE t1 to target
+
+statement ok
+GRANT GRANT, SELECT, INSERT ON TABLE t2 to target
+
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH GRANT OPTION
+
+statement ok
+CREATE TABLE t3()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t3;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t3          admin     ALL
+test           public       t3          root      ALL
+test           public       t3          testuser  ALL
+
+user testuser
+
+statement ok
+GRANT INSERT, DELETE on table t3 to target
+
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR INSERT, DELETE ON TABLES FROM testuser
+
+statement ok
+CREATE TABLE t4()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t4;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t4          admin     ALL
+test           public       t4          root      ALL
+test           public       t4          testuser  ALL
+
+user testuser
+
+statement error pq: missing WITH GRANT OPTION privilege type INSERT
+GRANT INSERT, DELETE ON TABLE t4 TO target
+
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLES FROM testuser
+
+statement ok
+CREATE TABLE t5()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t5;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t5          admin     ALL
+test           public       t5          root      ALL
+test           public       t5          testuser  ALL
+
+user testuser
+
+statement error pq: missing WITH GRANT OPTION privilege type GRANT
+GRANT GRANT, SELECT ON TABLE t5 TO target
+
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TABLES FROM testuser
+
+statement ok
+CREATE TABLE t6()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t6;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t6          admin     ALL
+test           public       t6          root      ALL
+test           public       t6          testuser  CREATE
+
+#-------------------------- testuser alters default privs on itself ---------------------------------
+user testuser
+
+statement ok
+CREATE TABLE t7()
+
+# since testuser created the table, it automatically has ALL PRIVILEGES ON IT
+query TTTTT colnames
+SHOW GRANTS ON TABLE t7;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t7          admin     ALL
+test           public       t7          root      ALL
+test           public       t7          testuser  ALL
+
+# you do not obtain grant option just for creating a table despite having ALL PRIVILEGES
+statement ok
+GRANT SELECT ON TABLE t7 TO testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT GRANT ON TABLES TO testuser
+
+statement ok
+CREATE TABLE t8()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t8;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t8          admin     ALL
+test           public       t8          root      ALL
+test           public       t8          testuser  ALL
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT ON TABLES TO testuser WITH GRANT OPTION
+
+statement ok
+CREATE TABLE t9()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t9;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t9          admin     ALL
+test           public       t9          root      ALL
+test           public       t9          testuser  ALL
+
+statement error pq: missing WITH GRANT OPTION privilege type INSERT
+GRANT INSERT, DELETE ON TABLE t9 to testuser
+
+statement ok
+GRANT GRANT, SELECT ON TABLE t9 to testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH GRANT OPTION
+
+statement ok
+CREATE TABLE t10()
+
+statement ok
+GRANT INSERT, DELETE ON TABLE t10 to testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR SELECT ON TABLES FROM testuser
+
+statement ok
+CREATE TABLE t11()
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT ON TABLE t11 TO testuser
+
+statement ok
+GRANT GRANT, INSERT, DELETE ON TABLE t11 TO testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLES FROM testuser
+
+statement ok
+CREATE TABLE t12()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t12;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t12         admin     ALL
+test           public       t12         root      ALL
+test           public       t12         testuser  ALL
+
+statement ok
+GRANT INSERT, DELETE ON TABLE t12 TO testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TABLES FROM testuser
+
+statement ok
+CREATE TABLE t13()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t13;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t13         admin     ALL
+test           public       t13         root      ALL
+test           public       t13         testuser  CREATE
+
+# -------------------------------------- one created user to another (testuser to testuser2) ----------------------------------------------
+user testuser
+
+# Postgres does not seem to validate whether the user revoking privileges on another user holds those privileges themselves
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT, INSERT ON TABLES TO testuser2
+
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH GRANT OPTION
+
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT ON TABLES TO testuser2
+
+statement ok
+CREATE TABLE t14()
+
+# The reason testuser does not have ALL despite creating the table is that we granted "FOR ROLE root", but testuser is creating
+# the table so when testuser creates a table, it's still going off the previous alter default privs which was to revoke everything
+query TTTTT colnames
+SHOW GRANTS ON TABLE t14;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t14         admin     ALL
+test           public       t14         root      ALL
+test           public       t14         testuser  CREATE
+test           public       t14         testuser2 GRANT
+test           public       t14         testuser2 INSERT
+test           public       t14         testuser2 SELECT
+
+statement ok
+GRANT GRANT, INSERT, DELETE ON TABLE t12 TO target
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH GRANT OPTION
+
+user testuser2
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT ON TABLE t14 TO target
+
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT GRANT, SELECT ON TABLES TO testuser2 WITH GRANT OPTION
+
+statement ok
+CREATE TABLE t15()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t15;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t15         admin     ALL
+test           public       t15         root      ALL
+test           public       t15         testuser  ALL
+test           public       t15         testuser2 GRANT
+test           public       t15         testuser2 INSERT
+test           public       t15         testuser2 SELECT
+
+user testuser2
+
+statement ok
+GRANT SELECT, GRANT ON TABLE t15 TO target
+
+statement error pq: missing WITH GRANT OPTION privilege type INSERT
+GRANT INSERT ON TABLE t15 TO target
+
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser2 WITH GRANT OPTION
+
+statement ok
+CREATE TABLE t16()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t16;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t16         admin     ALL
+test           public       t16         root      ALL
+test           public       t16         testuser  ALL
+test           public       t16         testuser2 ALL
+
+user testuser2
+
+statement ok
+GRANT INSERT ON TABLE t16 TO target
+
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR SELECT, INSERT ON TABLES FROM testuser2
+
+statement ok
+CREATE TABLE t17()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t17;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t17         admin     ALL
+test           public       t17         root      ALL
+test           public       t17         testuser  ALL
+test           public       t17         testuser2 ALL
+
+user testuser2
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT, INSERT ON TABLE t17 TO target
+
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLES FROM testuser2
+
+statement ok
+CREATE TABLE t18()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t18;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t18         admin     ALL
+test           public       t18         root      ALL
+test           public       t18         testuser  ALL
+test           public       t18         testuser2 ALL
+
+user testuser2
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT ON TABLE t18 TO target
+
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TABLES FROM testuser2
+
+statement ok
+CREATE TABLE t19()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t19;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t19         admin     ALL
+test           public       t19         root      ALL
+test           public       t19         testuser  ALL
+
+# -------------------------------------- Test Schemas ---------------------------------------------
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON SCHEMAS TO testuser, testuser2 WITH GRANT OPTION
+
+statement ok
+CREATE SCHEMA s1
+
+query TTTT colnames
+SHOW GRANTS ON SCHEMA s1
+----
+database_name  schema_name  grantee    privilege_type
+test           s1           admin      ALL
+test           s1           root       ALL
+test           s1           testuser   ALL
+test           s1           testuser2  ALL
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON SCHEMAS FROM testuser, testuser2
+
+statement ok
+CREATE SCHEMA s2
+
+query TTTT colnames
+SHOW GRANTS ON SCHEMA s2
+----
+database_name  schema_name  grantee    privilege_type
+test           s2           admin      ALL
+test           s2           root       ALL
+test           s2           testuser   ALL
+test           s2           testuser2  ALL
+
+user testuser
+
+statement ok
+GRANT CREATE ON SCHEMA s1 TO target
+
+statement ok
+GRANT ALL PRIVILEGES ON SCHEMA s1 TO target
+
+statement error pq: missing WITH GRANT OPTION privilege type CREATE
+GRANT CREATE ON SCHEMA s2 TO target
+
+statement error pq: missing WITH GRANT OPTION privilege type ALL
+GRANT ALL PRIVILEGES ON SCHEMA s2 TO target
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL PRIVILEGES ON TABLES TO testuser WITH GRANT OPTION
+
+statement ok
+CREATE TABLE s1.t1()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE s1.t1
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           s1           t1          admin     ALL
+test           s1           t1          root      ALL
+test           s1           t1          testuser  ALL
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON SCHEMAS FROM testuser
+
+statement ok
+CREATE TABLE s1.t2()
+
+# revoking grant option for a schema that holds a table should not revoke the grant option for the table itself
+statement ok
+GRANT ALL PRIVILEGES ON TABLE s1.t2 TO target
+
+# -------------------------------------- Test Sequences -----------------------------------------
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT CREATE ON SEQUENCES TO testuser2 WITH GRANT OPTION
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON SEQUENCES FROM testuser
+
+statement ok
+CREATE SEQUENCE seq1
+
+query TTTTT colnames
+SHOW GRANTS ON seq1
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       seq1        admin     ALL
+test           public       seq1        root      ALL
+test           public       seq1        testuser  ALL
+test           public       seq1        testuser2 CREATE
+
+# TODO: implement the grant/revoke for sequence? Can't do much more that this in terms of testing otherwise
+# -------------------------------------- Test Types ---------------------------------------------
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT GRANT, USAGE ON TYPES TO testuser2 WITH GRANT OPTION
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TYPES FROM testuser
+
+statement ok
+CREATE TYPE type1 AS ENUM()
+
+query TTTTT colnames
+SHOW GRANTS ON TYPE type1
+----
+database_name  schema_name  type_name   grantee   privilege_type
+test           public       type1       admin     ALL
+test           public       type1       public    USAGE
+test           public       type1       root      ALL
+test           public       type1       testuser  ALL
+test           public       type1       testuser2 GRANT
+test           public       type1       testuser2 USAGE
+
+statement ok
+GRANT ALL PRIVILEGES ON TYPE type1 TO target
+
+statement ok
+GRANT USAGE ON TYPE type1 TO target
+
+user testuser2
+
+statement ok
+GRANT USAGE ON TYPE type1 TO target
+
+# -------------------------------------- Test Roles ---------------------------------------------
+user testuser
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TABLES FROM testuser
+
+user testuser2
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE ALL PRIVILEGES ON TABLES FROM testuser2
+
+user root
+
+statement ok
+GRANT testuser, testuser2 TO root;
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE testuser, testuser2 GRANT ALL PRIVILEGES ON TABLES TO testuser, testuser2 WITH GRANT OPTION
+
+user testuser
+
+statement ok
+CREATE TABLE t20()
+
+# testuser2 will have ALL privileges because the ALTER statement made from root specifies it happens when testuser does it
+query TTTTT colnames
+SHOW GRANTS ON TABLE t20;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t20         admin     ALL
+test           public       t20         root      ALL
+test           public       t20         testuser  ALL
+test           public       t20         testuser2 ALL
+
+user root
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE testuser, testuser2 REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLES FROM testuser2
+
+user testuser
+
+statement ok
+CREATE TABLE t21()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t21;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t21         admin     ALL
+test           public       t21         root      ALL
+test           public       t21         testuser  ALL
+test           public       t21         testuser2 ALL
+
+user testuser2
+
+statement error pq: missing WITH GRANT OPTION privilege type ALL
+GRANT ALL PRIVILEGES ON TABLE t21 TO target
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT, INSERT ON TABLE t21 TO target
+
+
diff --git a/pkg/sql/logictest/testdata/logic_test/bytes b/pkg/sql/logictest/testdata/logic_test/bytes
index 009233f839b0..bab74aa5ef15 100644
--- a/pkg/sql/logictest/testdata/logic_test/bytes
+++ b/pkg/sql/logictest/testdata/logic_test/bytes
@@ -153,7 +153,7 @@ PREPARE r1(bytes) AS SELECT descriptor::STRING FROM system.descriptor WHERE desc
 query T
 EXECUTE r1('abc')
 ----
-\022C\012\011defaultdb\0202\032*\012\011\012\005admin\020\002\012\013\012\006public\020\200\020\012\010\012\004root\020\002\022\004root\030\002"\000(\001@\000J\000Z\000
+\022J\012\011defaultdb\0202\0321\012\013\012\005admin\020\002\030\000\012\016\012\006public\020\200\020\030\200\020\012\012\012\004root\020\002\030\000\022\004root\030\002"\000(\001@\000J\000Z\000
 
 statement ok
 create table regression_71444 (col bytes[]);
diff --git a/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option b/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option
new file mode 100644
index 000000000000..e318a1f93caf
--- /dev/null
+++ b/pkg/sql/logictest/testdata/logic_test/grant_revoke_with_grant_option
@@ -0,0 +1,403 @@
+statement ok
+CREATE TABLE t(row INT)
+
+statement ok
+CREATE USER testuser2
+
+statement ok
+CREATE USER target
+
+statement ok
+GRANT ALL PRIVILEGES ON TABLE t TO testuser
+
+# switch to testuser
+user testuser
+
+statement error pq: missing WITH GRANT OPTION privilege type ALL
+GRANT ALL PRIVILEGES ON table t to testuser2
+
+# switch to root
+user root
+
+statement ok
+GRANT ALL PRIVILEGES ON TABLE t TO testuser WITH GRANT OPTION
+
+# switch to testuser
+user testuser
+
+statement ok
+GRANT SELECT, GRANT, INSERT ON TABLE t TO testuser2 WITH GRANT OPTION
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser2
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser2  GRANT
+test           public       t              testuser2  INSERT
+test           public       t              testuser2  SELECT
+
+statement ok
+REVOKE INSERT ON TABLE t FROM testuser2
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser2
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser2  GRANT
+test           public       t              testuser2  SELECT
+
+statement ok
+REVOKE GRANT OPTION FOR SELECT ON TABLE t FROM testuser2
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser2
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser2  GRANT
+test           public       t              testuser2  SELECT
+
+# switch to testuser2
+user testuser2
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT ON TABLE t TO target
+
+# switch to root
+user root
+
+statement ok
+REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLE t FROM testuser
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser   ALL
+
+# switch to testuser
+user testuser
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT, GRANT, INSERT, DELETE ON TABLE t TO testuser2 WITH GRANT OPTION
+
+# switch to root
+user root
+
+statement ok
+REVOKE ALL PRIVILEGES ON TABLE t FROM testuser
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+
+statement ok
+GRANT GRANT, UPDATE, DELETE ON TABLE t to testuser WITH GRANT OPTION
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser   DELETE
+test           public       t              testuser   GRANT
+test           public       t              testuser   UPDATE
+
+statement ok
+GRANT ALL PRIVILEGES ON TABLE t to testuser WITH GRANT OPTION
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser   ALL
+
+# switch to testuser
+user testuser
+
+statement ok
+GRANT DELETE ON TABLE t to target
+
+# switch to root
+user root
+
+statement ok
+REVOKE GRANT OPTION FOR UPDATE, DELETE ON TABLE t FROM testuser
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser   ALL
+
+# switch to testuser
+user testuser
+
+statement ok
+GRANT SELECT ON TABLE t TO testuser2 WITH GRANT OPTION
+
+statement error pq: missing WITH GRANT OPTION privilege type UPDATE
+GRANT UPDATE ON TABLE t TO testuser2 WITH GRANT OPTION
+
+statement error pq: missing WITH GRANT OPTION privilege type DELETE
+GRANT DELETE ON TABLE t TO testuser2 WITH GRANT OPTION
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser2
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           public       t              testuser2  GRANT
+test           public       t              testuser2  SELECT
+
+# switch to testuser2
+user testuser2
+
+statement ok
+GRANT SELECT ON TABLE t TO target
+
+# briefly test databases, schemas, etc since the code is the same as with tables tested above
+# switch to root
+user root
+
+statement ok
+REVOKE ALL PRIVILEGES ON TABLE t FROM testuser
+
+statement ok
+REVOKE ALL PRIVILEGES ON TABLE t FROM testuser2
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser2
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+
+statement ok
+CREATE SCHEMA s
+
+statement ok
+GRANT GRANT, CREATE ON SCHEMA s TO testuser WITH GRANT OPTION
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           s            NULL           testuser   CREATE
+test           s            NULL           testuser   GRANT
+
+# switch to testuser
+user testuser
+
+statement ok
+GRANT CREATE ON SCHEMA s TO testuser2 WITH GRANT OPTION
+
+# switch to root
+user root
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser2
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           s            NULL           testuser2  CREATE
+
+statement ok
+REVOKE GRANT OPTION FOR ALL PRIVILEGES ON SCHEMA s FROM testuser
+
+query TTTTT colnames
+SHOW GRANTS FOR testuser
+----
+database_name  schema_name  relation_name  grantee    privilege_type
+test           s            NULL           testuser   CREATE
+test           s            NULL           testuser   GRANT
+
+# switch to testuser
+user testuser
+
+statement error pq: missing WITH GRANT OPTION privilege type CREATE
+GRANT CREATE ON SCHEMA s TO target
+
+# switch to root
+user root
+
+statement ok
+CREATE DATABASE d
+
+statement ok
+GRANT ALL PRIVILEGES ON DATABASE d TO testuser WITH GRANT OPTION
+
+query TTT colnames
+SHOW GRANTS ON DATABASE d
+----
+database_name   grantee    privilege_type
+d               admin      ALL
+d               public     CONNECT
+d               root       ALL
+d               testuser   ALL
+
+# switch to testuser
+user testuser
+
+statement ok
+GRANT GRANT, CREATE, CONNECT ON DATABASE d TO testuser2 WITH GRANT OPTION
+
+statement ok
+REVOKE GRANT OPTION FOR CREATE ON DATABASE d FROM testuser2
+
+# switch to testuser2
+user testuser2
+
+statement ok
+GRANT GRANT ON DATABASE d TO target WITH GRANT OPTION
+
+statement ok
+GRANT CONNECT ON DATABASE d TO target WITH GRANT OPTION
+
+statement error pq: missing WITH GRANT OPTION privilege type CREATE
+GRANT CREATE ON DATABASE d TO target WITH GRANT OPTION
+
+# switch to root
+user root
+
+query TTT colnames
+SHOW GRANTS ON DATABASE d
+----
+database_name   grantee    privilege_type
+d               admin      ALL
+d               public     CONNECT
+d               root       ALL
+d               target     CONNECT
+d               target     GRANT
+d               testuser   ALL
+d               testuser2  CONNECT
+d               testuser2  CREATE
+d               testuser2  GRANT
+
+statement ok
+REVOKE ALL PRIVILEGES ON DATABASE d FROM testuser2
+
+query TTT colnames
+SHOW GRANTS ON DATABASE d
+----
+database_name   grantee    privilege_type
+d               admin      ALL
+d               public     CONNECT
+d               root       ALL
+d               target     CONNECT
+d               target     GRANT
+d               testuser   ALL
+
+# switch to testuser2
+user testuser2
+
+statement error pq: user testuser2 does not have GRANT privilege on database d
+GRANT CONNECT ON DATABASE d TO target WITH GRANT OPTION
+
+# ---------------------------OWNER OF AN OBJECT WILL ALWAYS BE ABLE TO GRANT/REVOKE--------------------------------------------------------
+user root
+
+statement ok
+GRANT CREATE ON DATABASE test to testuser
+
+statement ok
+GRANT CREATE ON DATABASE test to testuser2
+
+user testuser
+
+statement ok
+CREATE TABLE t1()
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t1;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t1          admin     ALL
+test           public       t1          root      ALL
+test           public       t1          testuser  ALL
+test           public       t1          testuser2 CREATE
+
+statement ok
+GRANT SELECT ON TABLE t1 TO testuser2
+
+statement ok
+REVOKE ALL PRIVILEGES ON TABLE t1 FROM testuser
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t1;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t1          admin     ALL
+test           public       t1          root      ALL
+test           public       t1          testuser2 CREATE
+test           public       t1          testuser2 SELECT
+
+statement ok
+GRANT INSERT ON TABLE t1 TO testuser2
+
+statement ok
+GRANT GRANT ON TABLE t1 TO testuser2
+
+user testuser2
+
+statement error pq: missing WITH GRANT OPTION privilege type SELECT
+GRANT SELECT ON TABLE t1 TO target
+
+user testuser
+
+statement ok
+GRANT ALL PRIVILEGES ON TABLE t1 TO testuser2 WITH GRANT OPTION
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t1;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t1          admin     ALL
+test           public       t1          root      ALL
+test           public       t1          testuser2 ALL
+
+user testuser2
+
+statement ok
+GRANT SELECT ON TABLE t1 TO TARGET
+
+statement ok
+REVOKE GRANT OPTION FOR ALL PRIVILEGES ON TABLE t1 FROM testuser2
+
+statement error pq: missing WITH GRANT OPTION privilege type INSERT
+GRANT INSERT ON TABLE t1 TO target
+
+user testuser
+
+statement ok
+GRANT ALL PRIVILEGES ON TABLE t1 TO testuser2 WITH GRANT OPTION
+
+user testuser2
+
+statement ok
+REVOKE ALL PRIVILEGES ON TABLE t1 FROM testuser2
+
+statement error pq: user testuser2 does not have GRANT privilege on relation t1
+GRANT INSERT ON TABLE t1 TO target
+
+user testuser
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t1;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t1          admin     ALL
+test           public       t1          root      ALL
+test           public       t1          target    SELECT
+
+statement ok
+GRANT ALL PRIVILEGES ON TABLE t1 TO testuser
+
+query TTTTT colnames
+SHOW GRANTS ON TABLE t1;
+----
+database_name  schema_name  table_name  grantee   privilege_type
+test           public       t1          admin     ALL
+test           public       t1          root      ALL
+test           public       t1          target    SELECT
+test           public       t1          testuser  ALL
diff --git a/pkg/sql/logictest/testdata/logic_test/owner b/pkg/sql/logictest/testdata/logic_test/owner
index 721f08494e80..31da9628c567 100644
--- a/pkg/sql/logictest/testdata/logic_test/owner
+++ b/pkg/sql/logictest/testdata/logic_test/owner
@@ -26,7 +26,7 @@ REVOKE ALL ON t FROM testuser
 # Owner should able to grant all privileges to other roles.
 
 statement ok
-GRANT ALL ON t TO new_role
+GRANT ALL ON t TO new_role WITH GRANT OPTION
 
 # Test ownership of views.
 
@@ -46,7 +46,7 @@ statement ok
 ALTER TABLE v2 RENAME to v
 
 statement ok
-GRANT ALL ON v TO new_role
+GRANT ALL ON v TO new_role WITH GRANT OPTION
 
 statement ok
 DROP VIEW v
@@ -71,7 +71,7 @@ statement ok
 ALTER SEQUENCE s2 RENAME to s
 
 statement ok
-GRANT ALL ON s TO new_role
+GRANT ALL ON s TO new_role WITH GRANT OPTION
 
 statement ok
 DROP SEQUENCE s
@@ -103,7 +103,7 @@ statement ok
 ALTER TABLE d.t2 RENAME TO d.t
 
 statement ok
-GRANT ALL ON DATABASE d TO new_role
+GRANT ALL ON DATABASE d TO new_role WITH GRANT OPTION
 
 statement ok
 DROP TABLE d.t
@@ -154,7 +154,7 @@ statement ok
 ALTER TABLE d.t2 RENAME TO d.t
 
 statement ok
-GRANT ALL ON DATABASE d TO new_role
+GRANT ALL ON DATABASE d TO new_role WITH GRANT OPTION
 
 statement ok
 DROP TABLE d.t
diff --git a/pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl_with_grant_option b/pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl_with_grant_option
new file mode 100644
index 000000000000..9489342d1237
--- /dev/null
+++ b/pkg/sql/logictest/testdata/logic_test/pg_catalog_pg_default_acl_with_grant_option
@@ -0,0 +1,164 @@
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT SELECT ON TABLES TO PUBLIC WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES GRANT USAGE ON SCHEMAS TO PUBLIC WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES GRANT SELECT ON SEQUENCES TO PUBLIC WITH GRANT OPTION;
+
+# Public should appear as an empty string with privileges.
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+4149409857  1546506610  0                r              {=r*/}
+4149409857  1546506610  0                S              {=r*/}
+4149409857  1546506610  0                n              {=U*/}
+
+statement ok
+CREATE USER foo
+
+statement ok
+CREATE USER bar
+
+statement ok
+ALTER DEFAULT PRIVILEGES GRANT ALL ON TABLES TO foo, bar WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES GRANT ALL ON TYPES TO foo, bar WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES GRANT ALL ON SCHEMAS TO foo, bar WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES GRANT ALL ON SEQUENCES TO foo, bar WITH GRANT OPTION;
+
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+4149409857  1546506610  0                r              {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r*/}
+4149409857  1546506610  0                S              {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/,=r*/}
+4149409857  1546506610  0                T              {bar=U*/,foo=U*/}
+4149409857  1546506610  0                n              {bar=C*U*/,foo=C*U*/,=U*/}
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR SELECT, DELETE ON TABLES FROM foo, bar;
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR USAGE ON TYPES FROM foo, bar;
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR CREATE ON SCHEMAS FROM foo, bar;
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR CREATE, UPDATE ON SEQUENCES FROM foo, bar;
+
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+4149409857  1546506610  0                r              {bar=C*a*drw*/,foo=C*a*drw*/,=r*/}
+4149409857  1546506610  0                S              {bar=Ca*d*r*w/,foo=Ca*d*r*w/,=r*/}
+4149409857  1546506610  0                T              {bar=U/,foo=U/}
+4149409857  1546506610  0                n              {bar=CU*/,foo=CU*/,=U*/}
+
+statement ok
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL ON TABLES FROM foo, bar;
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL ON TYPES FROM foo, bar;
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL ON SCHEMAS FROM foo, bar;
+ALTER DEFAULT PRIVILEGES REVOKE GRANT OPTION FOR ALL ON SEQUENCES FROM foo, bar;
+
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+4149409857  1546506610  0                r              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                S              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                T              {bar=U/,foo=U/}
+4149409857  1546506610  0                n              {bar=CU/,foo=CU/,=U*/}
+
+statement ok
+GRANT foo, bar TO root;
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar GRANT ALL ON TABLES TO foo, bar WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar GRANT ALL ON TYPES TO foo, bar WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar GRANT ALL ON SCHEMAS TO foo, bar WITH GRANT OPTION;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar GRANT ALL ON SEQUENCES TO foo, bar WITH GRANT OPTION;
+
+# 12 rows should exist, 4 for each role, root, foo and bar.
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+542080048   1791217281  0                r              {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/}
+542080048   1791217281  0                S              {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/}
+542080048   1791217281  0                T              {bar=U*/,foo=U*/,=U/}
+542080048   1791217281  0                n              {bar=C*U*/,foo=C*U*/}
+38059971    2026795574  0                r              {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/}
+38059971    2026795574  0                S              {bar=C*a*d*r*w*/,foo=C*a*d*r*w*/}
+38059971    2026795574  0                T              {bar=U*/,foo=U*/,=U/}
+38059971    2026795574  0                n              {bar=C*U*/,foo=C*U*/}
+4149409857  1546506610  0                r              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                S              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                T              {bar=U/,foo=U/}
+4149409857  1546506610  0                n              {bar=CU/,foo=CU/,=U*/}
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar REVOKE ALL ON TABLES FROM foo, bar;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar REVOKE ALL ON TYPES FROM foo, bar;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar REVOKE ALL ON SCHEMAS FROM foo, bar;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo, bar REVOKE ALL ON SEQUENCES FROM foo, bar;
+
+# Revoking all will result in rows with empty privileges since the privileges
+# are revoked from the creator role.
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+542080048   1791217281  0                r              {}
+542080048   1791217281  0                S              {}
+542080048   1791217281  0                T              {=U/}
+542080048   1791217281  0                n              {}
+38059971    2026795574  0                r              {}
+38059971    2026795574  0                S              {}
+38059971    2026795574  0                T              {=U/}
+38059971    2026795574  0                n              {}
+4149409857  1546506610  0                r              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                S              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                T              {bar=U/,foo=U/}
+4149409857  1546506610  0                n              {bar=CU/,foo=CU/,=U*/}
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE foo GRANT ALL ON TABLES TO foo;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo GRANT ALL ON SEQUENCES TO foo;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo GRANT ALL ON SCHEMAS TO foo;
+ALTER DEFAULT PRIVILEGES FOR ROLE foo GRANT ALL ON TYPES TO foo;
+ALTER DEFAULT PRIVILEGES FOR ROLE bar GRANT ALL ON TABLES TO bar;
+ALTER DEFAULT PRIVILEGES FOR ROLE bar GRANT ALL ON SEQUENCES TO bar;
+ALTER DEFAULT PRIVILEGES FOR ROLE bar GRANT ALL ON SCHEMAS TO bar;
+ALTER DEFAULT PRIVILEGES FOR ROLE bar GRANT ALL ON TYPES TO bar;
+
+# Entries should disappear since the previous ALTER DEFAULT PRIVILEGE commands
+# revert the default privileges to the default state.
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+4149409857  1546506610  0                r              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                S              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                T              {bar=U/,foo=U/}
+4149409857  1546506610  0                n              {bar=CU/,foo=CU/,=U*/}
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE foo GRANT USAGE ON TYPES TO foo WITH GRANT OPTION
+
+# foo should show up in the table since it got modified
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+38059971    2026795574  0                T              {foo=U*/,=U/}
+4149409857  1546506610  0                r              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                S              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                T              {bar=U/,foo=U/}
+4149409857  1546506610  0                n              {bar=CU/,foo=CU/,=U*/}
+
+statement ok
+ALTER DEFAULT PRIVILEGES FOR ROLE foo REVOKE GRANT OPTION FOR USAGE ON TYPES FROM foo
+
+# foo should disappear since it's back in the "default state"
+query OOOTT colnames,rowsort
+SELECT * FROM PG_CATALOG.PG_DEFAULT_ACL
+----
+oid         defaclrole  defaclnamespace  defaclobjtype  defaclacl
+4149409857  1546506610  0                r              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                S              {bar=Cadrw/,foo=Cadrw/,=r*/}
+4149409857  1546506610  0                T              {bar=U/,foo=U/}
+4149409857  1546506610  0                n              {bar=CU/,foo=CU/,=U*/}
diff --git a/pkg/sql/logictest/testdata/logic_test/privileges_table b/pkg/sql/logictest/testdata/logic_test/privileges_table
index 48a79e613606..c39ccf8c2279 100644
--- a/pkg/sql/logictest/testdata/logic_test/privileges_table
+++ b/pkg/sql/logictest/testdata/logic_test/privileges_table
@@ -23,7 +23,7 @@ statement ok
 CREATE USER bar
 
 statement ok
-GRANT ALL ON t TO bar
+GRANT ALL ON t TO bar WITH GRANT OPTION
 
 statement ok
 REVOKE ALL ON t FROM bar
@@ -111,7 +111,7 @@ DROP TABLE t
 user root
 
 statement ok
-GRANT SELECT ON t TO testuser
+GRANT SELECT ON t TO testuser WITH GRANT OPTION
 
 user testuser
 
@@ -161,7 +161,7 @@ DROP TABLE t
 user root
 
 statement ok
-GRANT ALL ON t TO testuser
+GRANT ALL ON t TO testuser WITH GRANT OPTION
 
 statement ok
 REVOKE SELECT ON t FROM testuser
@@ -169,7 +169,7 @@ REVOKE SELECT ON t FROM testuser
 user testuser
 
 statement ok
-GRANT INSERT ON t TO bar
+GRANT INSERT ON t TO bar WITH GRANT OPTION
 
 statement ok
 REVOKE INSERT ON t FROM bar
@@ -214,12 +214,12 @@ statement ok
 CREATE TABLE t (k INT PRIMARY KEY, v int)
 
 statement ok
-GRANT ALL ON t TO testuser
+GRANT ALL ON t TO testuser WITH GRANT OPTION
 
 user testuser
 
 statement ok
-GRANT ALL ON t TO bar
+GRANT ALL ON t TO bar WITH GRANT OPTION
 
 statement ok
 REVOKE ALL ON t FROM bar
@@ -258,7 +258,7 @@ statement ok
 CREATE TABLE t (k INT PRIMARY KEY, v int)
 
 statement ok
-GRANT INSERT ON t TO testuser
+GRANT INSERT ON t TO testuser WITH GRANT OPTION
 
 user testuser
 
@@ -277,7 +277,7 @@ UPSERT INTO t VALUES (1, 2)
 user root
 
 statement ok
-GRANT SELECT ON t TO testuser
+GRANT SELECT ON t TO testuser WITH GRANT OPTION
 
 user testuser
 
@@ -294,7 +294,7 @@ INSERT INTO t VALUES (1, 2) ON CONFLICT (k) DO UPDATE SET v = excluded.v
 user root
 
 statement ok
-GRANT UPDATE ON t TO testuser
+GRANT UPDATE ON t TO testuser WITH GRANT OPTION
 
 user testuser
 
@@ -331,7 +331,7 @@ SHOW CONSTRAINTS FROM t
 user root
 
 statement ok
-GRANT SELECT ON t TO testuser
+GRANT SELECT ON t TO testuser WITH GRANT OPTION
 
 user testuser
 
diff --git a/pkg/sql/opt/exec/execbuilder/testdata/show_trace_nonmetamorphic b/pkg/sql/opt/exec/execbuilder/testdata/show_trace_nonmetamorphic
index f7750785bbcc..ed1037a17ace 100644
--- a/pkg/sql/opt/exec/execbuilder/testdata/show_trace_nonmetamorphic
+++ b/pkg/sql/opt/exec/execbuilder/testdata/show_trace_nonmetamorphic
@@ -18,7 +18,7 @@ WHERE message NOT LIKE '%Z/%'
   AND operation != 'dist sender send'
 ----
 batch flow coordinator  CPut /NamespaceTable/30/1/0/0/"t"/4/1 -> 53
-batch flow coordinator  CPut /Table/3/1/53/2/1 -> database:<name:"t" id:53 modification_time:<> version:1 privileges:<users:<user_proto:"admin" privileges:2 > users:<user_proto:"public" privileges:2048 > users:<user_proto:"root" privileges:2 > owner_proto:"root" version:2 > state:PUBLIC offline_reason:"" default_privileges:<> >
+batch flow coordinator  CPut /Table/3/1/53/2/1 -> database:<name:"t" id:53 modification_time:<> version:1 privileges:<users:<user_proto:"admin" privileges:2 with_grant_option:0 > users:<user_proto:"public" privileges:2048 with_grant_option:2048 > users:<user_proto:"root" privileges:2 with_grant_option:0 > owner_proto:"root" version:2 > state:PUBLIC offline_reason:"" default_privileges:<> >
 batch flow coordinator  CPut /NamespaceTable/30/1/53/0/"public"/4/1 -> 29
 exec stmt               rows affected: 0
 
@@ -39,7 +39,7 @@ WHERE message NOT LIKE '%Z/%'
   AND operation != 'dist sender send'
 ----
 batch flow coordinator  CPut /NamespaceTable/30/1/53/29/"kv"/4/1 -> 54
-batch flow coordinator  CPut /Table/3/1/54/2/1 -> table:<name:"kv" id:54 version:1 modification_time:<> parent_id:53 unexposed_parent_schema_id:29 columns:<name:"k" id:1 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:false hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"v" id:2 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > next_column_id:3 families:<name:"primary" id:0 column_names:"k" column_names:"v" column_ids:1 column_ids:2 default_column_id:2 > next_family_id:1 primary_index:<name:"kv_pkey" id:1 unique:true version:4 key_column_names:"k" key_column_directions:ASC store_column_names:"v" key_column_ids:1 store_column_ids:2 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:false encoding_type:1 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > next_index_id:2 privileges:<users:<user_proto:"admin" privileges:2 > users:<user_proto:"public" privileges:0 > users:<user_proto:"root" privileges:2 > owner_proto:"root" version:2 > next_mutation_id:1 format_version:3 state:PUBLIC offline_reason:"" view_query:"" is_materialized_view:false new_schema_change_job_id:0 drop_time:0 replacement_of:<id:0 time:<> > audit_mode:DISABLED drop_job_id:0 create_query:"" create_as_of_time:<> temporary:false partition_all_by:false >
+batch flow coordinator  CPut /Table/3/1/54/2/1 -> table:<name:"kv" id:54 version:1 modification_time:<> parent_id:53 unexposed_parent_schema_id:29 columns:<name:"k" id:1 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:false hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"v" id:2 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > next_column_id:3 families:<name:"primary" id:0 column_names:"k" column_names:"v" column_ids:1 column_ids:2 default_column_id:2 > next_family_id:1 primary_index:<name:"kv_pkey" id:1 unique:true version:4 key_column_names:"k" key_column_directions:ASC store_column_names:"v" key_column_ids:1 store_column_ids:2 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:false encoding_type:1 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > next_index_id:2 privileges:<users:<user_proto:"admin" privileges:2 with_grant_option:0 > users:<user_proto:"public" privileges:0 with_grant_option:0 > users:<user_proto:"root" privileges:2 with_grant_option:2 > owner_proto:"root" version:2 > next_mutation_id:1 format_version:3 state:PUBLIC offline_reason:"" view_query:"" is_materialized_view:false new_schema_change_job_id:0 drop_time:0 replacement_of:<id:0 time:<> > audit_mode:DISABLED drop_job_id:0 create_query:"" create_as_of_time:<> temporary:false partition_all_by:false >
 exec stmt               rows affected: 0
 
 # We avoid using the full trace output, because that would make the
@@ -65,7 +65,7 @@ WHERE message NOT LIKE '%Z/%' AND message NOT LIKE 'querying next range at%'
   AND tag NOT LIKE '%IndexBackfiller%'
   AND operation != 'dist sender send'
 ----
-batch flow coordinator  Put /Table/3/1/54/2/1 -> table:<name:"kv" id:54 version:2 modification_time:<> parent_id:53 unexposed_parent_schema_id:29 columns:<name:"k" id:1 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:false hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"v" id:2 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > next_column_id:3 families:<name:"primary" id:0 column_names:"k" column_names:"v" column_ids:1 column_ids:2 default_column_id:2 > next_family_id:1 primary_index:<name:"kv_pkey" id:1 unique:true version:4 key_column_names:"k" key_column_directions:ASC store_column_names:"v" key_column_ids:1 store_column_ids:2 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:false encoding_type:1 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > next_index_id:3 privileges:<users:<user_proto:"admin" privileges:2 > users:<user_proto:"public" privileges:0 > users:<user_proto:"root" privileges:2 > owner_proto:"root" version:2 > mutations:<index:<name:"woo" id:2 unique:true version:3 key_column_names:"v" key_column_directions:ASC key_column_ids:2 key_suffix_column_ids:1 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:true encoding_type:0 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > state:DELETE_ONLY direction:ADD mutation_id:1 rollback:false > next_mutation_id:2 format_version:3 state:PUBLIC offline_reason:"" view_query:"" is_materialized_view:false mutationJobs:<...> new_schema_change_job_id:0 drop_time:0 replacement_of:<id:0 time:<> > audit_mode:DISABLED drop_job_id:0 create_query:"" create_as_of_time:<...> temporary:false partition_all_by:false >
+batch flow coordinator  Put /Table/3/1/54/2/1 -> table:<name:"kv" id:54 version:2 modification_time:<> parent_id:53 unexposed_parent_schema_id:29 columns:<name:"k" id:1 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:false hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"v" id:2 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > next_column_id:3 families:<name:"primary" id:0 column_names:"k" column_names:"v" column_ids:1 column_ids:2 default_column_id:2 > next_family_id:1 primary_index:<name:"kv_pkey" id:1 unique:true version:4 key_column_names:"k" key_column_directions:ASC store_column_names:"v" key_column_ids:1 store_column_ids:2 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:false encoding_type:1 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > next_index_id:3 privileges:<users:<user_proto:"admin" privileges:2 with_grant_option:0 > users:<user_proto:"public" privileges:0 with_grant_option:0 > users:<user_proto:"root" privileges:2 with_grant_option:2 > owner_proto:"root" version:2 > mutations:<index:<name:"woo" id:2 unique:true version:3 key_column_names:"v" key_column_directions:ASC key_column_ids:2 key_suffix_column_ids:1 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:true encoding_type:0 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > state:DELETE_ONLY direction:ADD mutation_id:1 rollback:false > next_mutation_id:2 format_version:3 state:PUBLIC offline_reason:"" view_query:"" is_materialized_view:false mutationJobs:<...> new_schema_change_job_id:0 drop_time:0 replacement_of:<id:0 time:<> > audit_mode:DISABLED drop_job_id:0 create_query:"" create_as_of_time:<...> temporary:false partition_all_by:false >
 exec stmt               rows affected: 0
 
 statement ok
@@ -120,7 +120,7 @@ WHERE message NOT LIKE '%Z/%'
   AND operation != 'dist sender send'
 ----
 batch flow coordinator  CPut /NamespaceTable/30/1/53/29/"kv2"/4/1 -> 55
-batch flow coordinator  CPut /Table/3/1/55/2/1 -> table:<name:"kv2" id:55 version:1 modification_time:<> parent_id:53 unexposed_parent_schema_id:29 columns:<name:"k" id:1 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"v" id:2 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"rowid" id:3 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:false default_expr:"unique_rowid()" hidden:true inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > next_column_id:4 families:<name:"primary" id:0 column_names:"k" column_names:"v" column_names:"rowid" column_ids:1 column_ids:2 column_ids:3 default_column_id:0 > next_family_id:1 primary_index:<name:"kv2_pkey" id:1 unique:true version:4 key_column_names:"rowid" key_column_directions:ASC store_column_names:"k" store_column_names:"v" key_column_ids:3 store_column_ids:1 store_column_ids:2 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:false encoding_type:1 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > next_index_id:2 privileges:<users:<user_proto:"admin" privileges:2 > users:<user_proto:"public" privileges:0 > users:<user_proto:"root" privileges:2 > owner_proto:"root" version:2 > next_mutation_id:1 format_version:3 state:ADD offline_reason:"" view_query:"" is_materialized_view:false new_schema_change_job_id:0 drop_time:0 replacement_of:<id:0 time:<> > audit_mode:DISABLED drop_job_id:0 create_query:"TABLE t.public.kv" create_as_of_time:<> temporary:false partition_all_by:false >
+batch flow coordinator  CPut /Table/3/1/55/2/1 -> table:<name:"kv2" id:55 version:1 modification_time:<> parent_id:53 unexposed_parent_schema_id:29 columns:<name:"k" id:1 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"v" id:2 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"rowid" id:3 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:false default_expr:"unique_rowid()" hidden:true inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > next_column_id:4 families:<name:"primary" id:0 column_names:"k" column_names:"v" column_names:"rowid" column_ids:1 column_ids:2 column_ids:3 default_column_id:0 > next_family_id:1 primary_index:<name:"kv2_pkey" id:1 unique:true version:4 key_column_names:"rowid" key_column_directions:ASC store_column_names:"k" store_column_names:"v" key_column_ids:3 store_column_ids:1 store_column_ids:2 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:false encoding_type:1 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > next_index_id:2 privileges:<users:<user_proto:"admin" privileges:2 with_grant_option:0 > users:<user_proto:"public" privileges:0 with_grant_option:0 > users:<user_proto:"root" privileges:2 with_grant_option:2 > owner_proto:"root" version:2 > next_mutation_id:1 format_version:3 state:ADD offline_reason:"" view_query:"" is_materialized_view:false new_schema_change_job_id:0 drop_time:0 replacement_of:<id:0 time:<> > audit_mode:DISABLED drop_job_id:0 create_query:"TABLE t.public.kv" create_as_of_time:<> temporary:false partition_all_by:false >
 exec stmt               rows affected: 0
 
 statement ok
@@ -169,7 +169,7 @@ WHERE message NOT LIKE '%Z/%' AND message NOT LIKE 'querying next range at%'
   AND operation != 'dist sender send'
 ----
 batch flow coordinator  Del /NamespaceTable/30/1/53/29/"kv2"/4/1
-batch flow coordinator  Put /Table/3/1/55/2/1 -> table:<name:"kv2" id:55 version:3 modification_time:<> parent_id:53 unexposed_parent_schema_id:29 columns:<name:"k" id:1 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"v" id:2 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"rowid" id:3 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:false default_expr:"unique_rowid()" hidden:true inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > next_column_id:4 families:<name:"primary" id:0 column_names:"k" column_names:"v" column_names:"rowid" column_ids:1 column_ids:2 column_ids:3 default_column_id:0 > next_family_id:1 primary_index:<name:"kv2_pkey" id:1 unique:true version:4 key_column_names:"rowid" key_column_directions:ASC store_column_names:"k" store_column_names:"v" key_column_ids:3 store_column_ids:1 store_column_ids:2 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:false encoding_type:1 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > next_index_id:2 privileges:<users:<user_proto:"admin" privileges:2 > users:<user_proto:"public" privileges:0 > users:<user_proto:"root" privileges:2 > owner_proto:"root" version:2 > next_mutation_id:1 format_version:3 state:DROP offline_reason:"" view_query:"" is_materialized_view:false new_schema_change_job_id:0 drop_time:... replacement_of:<id:0 time:<> > audit_mode:DISABLED drop_job_id:0 create_query:"TABLE t.public.kv" create_as_of_time:<...> temporary:false partition_all_by:false >
+batch flow coordinator  Put /Table/3/1/55/2/1 -> table:<name:"kv2" id:55 version:3 modification_time:<> parent_id:53 unexposed_parent_schema_id:29 columns:<name:"k" id:1 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"v" id:2 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"rowid" id:3 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:false default_expr:"unique_rowid()" hidden:true inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > next_column_id:4 families:<name:"primary" id:0 column_names:"k" column_names:"v" column_names:"rowid" column_ids:1 column_ids:2 column_ids:3 default_column_id:0 > next_family_id:1 primary_index:<name:"kv2_pkey" id:1 unique:true version:4 key_column_names:"rowid" key_column_directions:ASC store_column_names:"k" store_column_names:"v" key_column_ids:3 store_column_ids:1 store_column_ids:2 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:false encoding_type:1 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > next_index_id:2 privileges:<users:<user_proto:"admin" privileges:2 with_grant_option:0 > users:<user_proto:"public" privileges:0 with_grant_option:0 > users:<user_proto:"root" privileges:2 with_grant_option:2 > owner_proto:"root" version:2 > next_mutation_id:1 format_version:3 state:DROP offline_reason:"" view_query:"" is_materialized_view:false new_schema_change_job_id:0 drop_time:... replacement_of:<id:0 time:<> > audit_mode:DISABLED drop_job_id:0 create_query:"TABLE t.public.kv" create_as_of_time:<...> temporary:false partition_all_by:false >
 exec stmt               rows affected: 0
 
 statement ok
@@ -203,7 +203,7 @@ WHERE message NOT LIKE '%Z/%' AND message NOT LIKE 'querying next range at%'
   AND tag NOT LIKE '%IndexBackfiller%'
   AND operation != 'dist sender send'
 ----
-batch flow coordinator  Put /Table/3/1/54/2/1 -> table:<name:"kv" id:54 version:5 modification_time:<> parent_id:53 unexposed_parent_schema_id:29 columns:<name:"k" id:1 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:false hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"v" id:2 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > next_column_id:3 families:<name:"primary" id:0 column_names:"k" column_names:"v" column_ids:1 column_ids:2 default_column_id:2 > next_family_id:1 primary_index:<name:"kv_pkey" id:1 unique:true version:4 key_column_names:"k" key_column_directions:ASC store_column_names:"v" key_column_ids:1 store_column_ids:2 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:false encoding_type:1 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > next_index_id:3 privileges:<users:<user_proto:"admin" privileges:2 > users:<user_proto:"public" privileges:0 > users:<user_proto:"root" privileges:2 > owner_proto:"root" version:2 > mutations:<index:<name:"woo" id:2 unique:true version:3 key_column_names:"v" key_column_directions:ASC key_column_ids:2 key_suffix_column_ids:1 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:true encoding_type:0 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > state:DELETE_AND_WRITE_ONLY direction:DROP mutation_id:2 rollback:false > next_mutation_id:3 format_version:3 state:PUBLIC offline_reason:"" view_query:"" is_materialized_view:false mutationJobs:<...> new_schema_change_job_id:0 drop_time:0 replacement_of:<id:0 time:<> > audit_mode:DISABLED drop_job_id:0 create_query:"" create_as_of_time:<...> temporary:false partition_all_by:false >
+batch flow coordinator  Put /Table/3/1/54/2/1 -> table:<name:"kv" id:54 version:5 modification_time:<> parent_id:53 unexposed_parent_schema_id:29 columns:<name:"k" id:1 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:false hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"v" id:2 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > next_column_id:3 families:<name:"primary" id:0 column_names:"k" column_names:"v" column_ids:1 column_ids:2 default_column_id:2 > next_family_id:1 primary_index:<name:"kv_pkey" id:1 unique:true version:4 key_column_names:"k" key_column_directions:ASC store_column_names:"v" key_column_ids:1 store_column_ids:2 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:false encoding_type:1 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > next_index_id:3 privileges:<users:<user_proto:"admin" privileges:2 with_grant_option:0 > users:<user_proto:"public" privileges:0 with_grant_option:0 > users:<user_proto:"root" privileges:2 with_grant_option:2 > owner_proto:"root" version:2 > mutations:<index:<name:"woo" id:2 unique:true version:3 key_column_names:"v" key_column_directions:ASC key_column_ids:2 key_suffix_column_ids:1 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:true encoding_type:0 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > state:DELETE_AND_WRITE_ONLY direction:DROP mutation_id:2 rollback:false > next_mutation_id:3 format_version:3 state:PUBLIC offline_reason:"" view_query:"" is_materialized_view:false mutationJobs:<...> new_schema_change_job_id:0 drop_time:0 replacement_of:<id:0 time:<> > audit_mode:DISABLED drop_job_id:0 create_query:"" create_as_of_time:<...> temporary:false partition_all_by:false >
 exec stmt               rows affected: 0
 
 statement ok
@@ -221,7 +221,7 @@ WHERE message NOT LIKE '%Z/%' AND message NOT LIKE 'querying next range at%'
   AND operation != 'dist sender send'
 ----
 batch flow coordinator  Del /NamespaceTable/30/1/53/29/"kv"/4/1
-batch flow coordinator  Put /Table/3/1/54/2/1 -> table:<name:"kv" id:54 version:8 modification_time:<> parent_id:53 unexposed_parent_schema_id:29 columns:<name:"k" id:1 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:false hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"v" id:2 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > next_column_id:3 families:<name:"primary" id:0 column_names:"k" column_names:"v" column_ids:1 column_ids:2 default_column_id:2 > next_family_id:1 primary_index:<name:"kv_pkey" id:1 unique:true version:4 key_column_names:"k" key_column_directions:ASC store_column_names:"v" key_column_ids:1 store_column_ids:2 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:false encoding_type:1 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > next_index_id:3 privileges:<users:<user_proto:"admin" privileges:2 > users:<user_proto:"public" privileges:0 > users:<user_proto:"root" privileges:2 > owner_proto:"root" version:2 > next_mutation_id:3 format_version:3 state:DROP offline_reason:"" view_query:"" is_materialized_view:false new_schema_change_job_id:0 drop_time:... replacement_of:<id:0 time:<> > audit_mode:DISABLED drop_job_id:0 gc_mutations:<index_id:2 drop_time:... job_id:0 > create_query:"" create_as_of_time:<...> temporary:false partition_all_by:false >
+batch flow coordinator  Put /Table/3/1/54/2/1 -> table:<name:"kv" id:54 version:8 modification_time:<> parent_id:53 unexposed_parent_schema_id:29 columns:<name:"k" id:1 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:false hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > columns:<name:"v" id:2 type:<family: IntFamily width: 64 precision: 0 locale: "" visible_type: 0 oid: 20 time_precision_is_set: false > nullable:true hidden:false inaccessible:false generated_as_identity_type:NOT_IDENTITY_COLUMN virtual:false pg_attribute_num:0 alter_column_type_in_progress:false system_column_kind:NONE > next_column_id:3 families:<name:"primary" id:0 column_names:"k" column_names:"v" column_ids:1 column_ids:2 default_column_id:2 > next_family_id:1 primary_index:<name:"kv_pkey" id:1 unique:true version:4 key_column_names:"k" key_column_directions:ASC store_column_names:"v" key_column_ids:1 store_column_ids:2 foreign_key:<table:0 index:0 name:"" validity:Validated shared_prefix_len:0 on_delete:NO_ACTION on_update:NO_ACTION match:SIMPLE > interleave:<> partitioning:<num_columns:0 num_implicit_columns:0 > type:FORWARD created_explicitly:false encoding_type:1 sharded:<is_sharded:false name:"" shard_buckets:0 > disabled:false geo_config:<> predicate:"" use_delete_preserving_encoding:false > next_index_id:3 privileges:<users:<user_proto:"admin" privileges:2 with_grant_option:0 > users:<user_proto:"public" privileges:0 with_grant_option:0 > users:<user_proto:"root" privileges:2 with_grant_option:2 > owner_proto:"root" version:2 > next_mutation_id:3 format_version:3 state:DROP offline_reason:"" view_query:"" is_materialized_view:false new_schema_change_job_id:0 drop_time:... replacement_of:<id:0 time:<> > audit_mode:DISABLED drop_job_id:0 gc_mutations:<index_id:2 drop_time:... job_id:0 > create_query:"" create_as_of_time:<...> temporary:false partition_all_by:false >
 exec stmt               rows affected: 0
 
 # Check that session tracing does not inhibit the fast path for inserts &
diff --git a/pkg/sql/parser/sql.y b/pkg/sql/parser/sql.y
index e00f0199767a..082a5e56e0d1 100644
--- a/pkg/sql/parser/sql.y
+++ b/pkg/sql/parser/sql.y
@@ -4286,9 +4286,9 @@ deallocate_stmt:
 //
 // %SeeAlso: REVOKE, WEBDOCS/grant.html
 grant_stmt:
-  GRANT privileges ON targets TO role_spec_list
+  GRANT privileges ON targets TO role_spec_list opt_with_grant_option
   {
-    $$.val = &tree.Grant{Privileges: $2.privilegeList(), Grantees: $6.roleSpecList(), Targets: $4.targetList()}
+    $$.val = &tree.Grant{Privileges: $2.privilegeList(), Grantees: $6.roleSpecList(), Targets: $4.targetList(), WithGrantOption: $7.bool(),}
   }
 | GRANT privilege_list TO role_spec_list
   {
@@ -4298,11 +4298,11 @@ grant_stmt:
   {
     $$.val = &tree.GrantRole{Roles: $2.nameList(), Members: $4.roleSpecList(), AdminOption: true}
   }
-| GRANT privileges ON TYPE target_types TO role_spec_list
+| GRANT privileges ON TYPE target_types TO role_spec_list opt_with_grant_option
   {
-    $$.val = &tree.Grant{Privileges: $2.privilegeList(), Targets: $5.targetList(), Grantees: $7.roleSpecList()}
+    $$.val = &tree.Grant{Privileges: $2.privilegeList(), Targets: $5.targetList(), Grantees: $7.roleSpecList(), WithGrantOption: $8.bool(),}
   }
-| GRANT privileges ON SCHEMA schema_name_list TO role_spec_list
+| GRANT privileges ON SCHEMA schema_name_list TO role_spec_list opt_with_grant_option
   {
     $$.val = &tree.Grant{
       Privileges: $2.privilegeList(),
@@ -4310,13 +4310,14 @@ grant_stmt:
         Schemas: $5.objectNamePrefixList(),
       },
       Grantees: $7.roleSpecList(),
+      WithGrantOption: $8.bool(),
     }
   }
 | GRANT privileges ON SCHEMA schema_name_list TO role_spec_list WITH error
   {
     return unimplemented(sqllex, "grant privileges on schema with")
   }
-| GRANT privileges ON ALL TABLES IN SCHEMA schema_name_list TO role_spec_list
+| GRANT privileges ON ALL TABLES IN SCHEMA schema_name_list TO role_spec_list opt_with_grant_option
   {
     $$.val = &tree.Grant{
       Privileges: $2.privilegeList(),
@@ -4325,6 +4326,7 @@ grant_stmt:
         AllTablesInSchema: true,
       },
       Grantees: $10.roleSpecList(),
+      WithGrantOption: $11.bool(),
     }
   }
 | GRANT privileges ON SEQUENCE error
@@ -4355,7 +4357,11 @@ grant_stmt:
 revoke_stmt:
   REVOKE privileges ON targets FROM role_spec_list
   {
-    $$.val = &tree.Revoke{Privileges: $2.privilegeList(), Grantees: $6.roleSpecList(), Targets: $4.targetList()}
+    $$.val = &tree.Revoke{Privileges: $2.privilegeList(), Grantees: $6.roleSpecList(), Targets: $4.targetList(), GrantOptionFor: false}
+  }
+| REVOKE GRANT OPTION FOR privileges ON targets FROM role_spec_list
+  {
+    $$.val = &tree.Revoke{Privileges: $5.privilegeList(), Grantees: $9.roleSpecList(), Targets: $7.targetList(), GrantOptionFor: true}
   }
 | REVOKE privilege_list FROM role_spec_list
   {
@@ -4367,7 +4373,11 @@ revoke_stmt:
   }
 | REVOKE privileges ON TYPE target_types FROM role_spec_list
   {
-    $$.val = &tree.Revoke{Privileges: $2.privilegeList(), Targets: $5.targetList(), Grantees: $7.roleSpecList()}
+    $$.val = &tree.Revoke{Privileges: $2.privilegeList(), Targets: $5.targetList(), Grantees: $7.roleSpecList(), GrantOptionFor: false}
+  }
+| REVOKE GRANT OPTION FOR privileges ON TYPE target_types FROM role_spec_list
+  {
+    $$.val = &tree.Revoke{Privileges: $5.privilegeList(), Targets: $8.targetList(), Grantees: $10.roleSpecList(), GrantOptionFor: true}
   }
 | REVOKE privileges ON SCHEMA schema_name_list FROM role_spec_list
   {
@@ -4377,6 +4387,18 @@ revoke_stmt:
         Schemas: $5.objectNamePrefixList(),
       },
       Grantees: $7.roleSpecList(),
+      GrantOptionFor: false,
+    }
+  }
+| REVOKE GRANT OPTION FOR privileges ON SCHEMA schema_name_list FROM role_spec_list
+  {
+    $$.val = &tree.Revoke{
+      Privileges: $5.privilegeList(),
+      Targets: tree.TargetList{
+        Schemas: $8.objectNamePrefixList(),
+      },
+      Grantees: $10.roleSpecList(),
+      GrantOptionFor: true,
     }
   }
 | REVOKE privileges ON ALL TABLES IN SCHEMA schema_name_list FROM role_spec_list
@@ -4388,6 +4410,19 @@ revoke_stmt:
         AllTablesInSchema: true,
       },
       Grantees: $10.roleSpecList(),
+      GrantOptionFor: false,
+    }
+  }
+| REVOKE GRANT OPTION FOR privileges ON ALL TABLES IN SCHEMA schema_name_list FROM role_spec_list
+  {
+    $$.val = &tree.Revoke{
+      Privileges: $5.privilegeList(),
+      Targets: tree.TargetList{
+        Schemas: $11.objectNamePrefixList(),
+        AllTablesInSchema: true,
+      },
+      Grantees: $13.roleSpecList(),
+      GrantOptionFor: true,
     }
   }
 | REVOKE privileges ON SEQUENCE error
@@ -4396,6 +4431,7 @@ revoke_stmt:
   }
 | REVOKE error // SHOW HELP: REVOKE
 
+
 // ALL can either be by itself, or with the optional PRIVILEGES keyword (which no-ops)
 privileges:
   ALL opt_privileges_clause
diff --git a/pkg/sql/pg_catalog.go b/pkg/sql/pg_catalog.go
index 49d5ec915fa3..040a135c2a4a 100644
--- a/pkg/sql/pg_catalog.go
+++ b/pkg/sql/pg_catalog.go
@@ -1245,7 +1245,10 @@ https://www.postgresql.org/docs/13/catalog-pg-default-acl.html`,
 					privileges := privilege.ListFromBitField(
 						userPrivs.Privileges, privilegeObjectType,
 					)
-					defaclItem := createDefACLItem(user, privileges, privilegeObjectType)
+					grantOptions := privilege.ListFromBitField(
+						userPrivs.WithGrantOption, privilegeObjectType,
+					)
+					defaclItem := createDefACLItem(user, privileges, grantOptions, privilegeObjectType)
 					if err := arr.Append(
 						tree.NewDString(defaclItem)); err != nil {
 						return err
@@ -1262,7 +1265,7 @@ https://www.postgresql.org/docs/13/catalog-pg-default-acl.html`,
 						if !catprivilege.GetRoleHasAllPrivilegesOnTargetObject(&defaultPrivilegesForRole, tree.Types) &&
 							catprivilege.GetPublicHasUsageOnTypes(&defaultPrivilegesForRole) {
 							defaclItem := createDefACLItem(
-								"" /* public role */, privilege.List{privilege.USAGE}, privilegeObjectType,
+								"" /* public role */, privilege.List{privilege.USAGE}, privilege.List{}, privilegeObjectType,
 							)
 							if err := arr.Append(tree.NewDString(defaclItem)); err != nil {
 								return err
@@ -1272,7 +1275,7 @@ https://www.postgresql.org/docs/13/catalog-pg-default-acl.html`,
 							defaultPrivilegesForRole.GetExplicitRole().RoleHasAllPrivilegesOnTypes {
 							defaclItem := createDefACLItem(
 								defaultPrivilegesForRole.GetExplicitRole().UserProto.Decode().Normalized(),
-								privilege.List{privilege.ALL}, privilegeObjectType,
+								privilege.List{privilege.ALL}, privilege.List{}, privilegeObjectType,
 							)
 							if err := arr.Append(tree.NewDString(defaclItem)); err != nil {
 								return err
@@ -1315,11 +1318,15 @@ https://www.postgresql.org/docs/13/catalog-pg-default-acl.html`,
 }
 
 func createDefACLItem(
-	user string, privileges privilege.List, privilegeObjectType privilege.ObjectType,
+	user string,
+	privileges privilege.List,
+	grantOptions privilege.List,
+	privilegeObjectType privilege.ObjectType,
 ) string {
 	return fmt.Sprintf(`%s=%s/%s`,
 		user,
 		privileges.ListToACL(
+			grantOptions,
 			privilegeObjectType,
 		),
 		// TODO(richardjcai): CockroachDB currently does not track grantors
diff --git a/pkg/sql/privilege/privilege.go b/pkg/sql/privilege/privilege.go
index 0621733af0c5..ab8be2e48347 100644
--- a/pkg/sql/privilege/privilege.go
+++ b/pkg/sql/privilege/privilege.go
@@ -256,35 +256,46 @@ func GetValidPrivilegesForObject(objectType ObjectType) List {
 	}
 }
 
+// privToACL is a map of privilege -> ACL character
+var privToACL = map[Kind]string{
+	CREATE:  "C",
+	SELECT:  "r",
+	INSERT:  "a",
+	DELETE:  "d",
+	UPDATE:  "w",
+	USAGE:   "U",
+	CONNECT: "c",
+}
+
+// orderedPrivs is the list of privileges sorted in alphanumeric order based on the ACL character -> CUacdrw
+var orderedPrivs = List{CREATE, USAGE, INSERT, CONNECT, DELETE, SELECT, UPDATE}
+
 // ListToACL converts a list of privileges to a list of Postgres
 // ACL items.
 // See: https://www.postgresql.org/docs/13/ddl-priv.html#PRIVILEGE-ABBREVS-TABLE
 //     for privileges and their ACL abbreviations.
-func (pl List) ListToACL(objectType ObjectType) string {
+func (pl List) ListToACL(grantOptions List, objectType ObjectType) string {
 	privileges := pl
 	// If ALL is present, explode ALL into the underlying privileges.
 	if pl.Contains(ALL) {
 		privileges = GetValidPrivilegesForObject(objectType)
+		if grantOptions.Contains(ALL) {
+			grantOptions = GetValidPrivilegesForObject(objectType)
+		}
 	}
 	chars := make([]string, len(privileges))
-	for _, privilege := range privileges {
-		switch privilege {
-		case CREATE:
-			chars = append(chars, "C")
-		case SELECT:
-			chars = append(chars, "r")
-		case INSERT:
-			chars = append(chars, "a")
-		case DELETE:
-			chars = append(chars, "d")
-		case UPDATE:
-			chars = append(chars, "w")
-		case USAGE:
-			chars = append(chars, "U")
-		case CONNECT:
-			chars = append(chars, "c")
+	for _, privilege := range orderedPrivs {
+		if _, ok := privToACL[privilege]; !ok {
+			panic(errors.AssertionFailedf("unknown privilege type %s", privilege.String()))
+		}
+		if privileges.Contains(privilege) {
+			chars = append(chars, privToACL[privilege])
+		}
+		if grantOptions.Contains(privilege) {
+			chars = append(chars, "*")
 		}
 	}
-	sort.Strings(chars)
+
 	return strings.Join(chars, "")
+
 }
diff --git a/pkg/sql/schemachanger/testdata/drop b/pkg/sql/schemachanger/testdata/drop
index 8f28a8d2f188..22208e9f324e 100644
--- a/pkg/sql/schemachanger/testdata/drop
+++ b/pkg/sql/schemachanger/testdata/drop
@@ -17,7 +17,7 @@ begin transaction #1
 ## stage 1 in PreCommitPhase: 1 MutationType ops
 upsert descriptor #53
   ...
-         userProto: root
+         withGrantOption: 2
        version: 2
   -  version: "1"
   +  state: DROP
@@ -115,21 +115,21 @@ begin transaction #1
 ## stage 1 in PreCommitPhase: 3 MutationType ops
 upsert descriptor #54
   ...
-         userProto: root
+         withGrantOption: 2
        version: 2
   -  version: "1"
   +  state: DROP
   +  version: "2"
 upsert descriptor #56
   ...
-         userProto: root
+         withGrantOption: 2
        version: 2
   -  version: "1"
   +  state: DROP
   +  version: "2"
 upsert descriptor #57
   ...
-         userProto: root
+         withGrantOption: 2
        version: 2
   -  version: "1"
   +  state: DROP
@@ -221,7 +221,7 @@ upsert descriptor #58
   +  version: "3"
 upsert descriptor #59
   ...
-         userProto: root
+         withGrantOption: 2
        version: 2
   -  version: "1"
   +  state: DROP
@@ -392,7 +392,7 @@ upsert descriptor #67
      viewQuery: (SELECT n2, n1 FROM db1.sc1.v2)
 upsert descriptor #68
   ...
-         userProto: root
+         withGrantOption: 2
        version: 2
   -  referencingDescriptorIds:
   -  - 70
@@ -402,7 +402,7 @@ upsert descriptor #68
   +  version: "3"
 upsert descriptor #69
   ...
-         userProto: root
+         withGrantOption: 2
        version: 2
   -  referencingDescriptorIds:
   -  - 70
diff --git a/pkg/sql/sem/tree/grant.go b/pkg/sql/sem/tree/grant.go
index 88ef29dc4367..085629e9883a 100644
--- a/pkg/sql/sem/tree/grant.go
+++ b/pkg/sql/sem/tree/grant.go
@@ -28,9 +28,10 @@ import (
 
 // Grant represents a GRANT statement.
 type Grant struct {
-	Privileges privilege.List
-	Targets    TargetList
-	Grantees   RoleSpecList
+	Privileges      privilege.List
+	Targets         TargetList
+	Grantees        RoleSpecList
+	WithGrantOption bool
 }
 
 // TargetList represents a list of targets.
diff --git a/pkg/sql/sem/tree/revoke.go b/pkg/sql/sem/tree/revoke.go
index bac0a86dd1c5..69bf49983216 100644
--- a/pkg/sql/sem/tree/revoke.go
+++ b/pkg/sql/sem/tree/revoke.go
@@ -24,9 +24,10 @@ import "github.com/cockroachdb/cockroach/pkg/sql/privilege"
 // Revoke represents a REVOKE statement.
 // PrivilegeList and TargetList are defined in grant.go
 type Revoke struct {
-	Privileges privilege.List
-	Targets    TargetList
-	Grantees   RoleSpecList
+	Privileges     privilege.List
+	Targets        TargetList
+	Grantees       RoleSpecList
+	GrantOptionFor bool
 }
 
 // Format implements the NodeFormatter interface.