Mitigate issue that Table ACL grants are not atomic #499
Closed
Labels: enhancement (New feature or request)
Description
There is a bug in the Grants API for the Table ACLs. It does not support concurrent grant/revoke operations.
TableAcl grant/revoke operations are not atomic. When granting the permissions, the service would first get all existing permissions, append the new permissions, and set the full list in the database. If there are concurrent grant requests, both requests might succeed and emit the audit logs, but what actually happens could be that the new permission list from one request overrides the other one, causing permission loss.
We won't hit the issue as long as we grant permissions for one securable to one user in one grant/statement. e.g.,
GRANT SELECT, CREATE, MODIFY ON table my_table TO some-user
Possible solutions:
- Remove threading from Table ACLs
- Fold actions belonging to the same principal, object type and id into one grant statement (better)
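The lost update and the folding mitigation described in this issue, as an added example that is not part of the original issue or the project's code. The `Grant` tuple, the in-memory `ReadAppendSetStore` and the worst-case schedule are constructed assumptions that model the read/append/set behaviour; no real Grants API is called.

```python
from collections import defaultdict
from typing import NamedTuple


class Grant(NamedTuple):
    principal: str
    action: str
    object_type: str
    object_id: str

    def key(self):
        return (self.principal, self.object_type, self.object_id)


class ReadAppendSetStore:
    """Constructed model of the issue's description: a grant reads the full
    permission list, appends to it, then writes the full list back."""

    def __init__(self):
        self.acl = defaultdict(set)

    def read(self, key):
        return set(self.acl[key])

    def write(self, key, actions):
        self.acl[key] = set(actions)


def apply_interleaved(store, requests):
    """Worst-case schedule: every request reads before any request writes."""
    pending = [(key, store.read(key) | actions) for key, actions in requests]
    for key, full_list in pending:
        store.write(key, full_list)  # last writer overrides the others


def fold(grants):
    """Merge actions sharing (principal, object type, object id)."""
    folded = defaultdict(set)
    for g in grants:
        folded[g.key()].add(g.action)
    return list(folded.items())


def to_statement(key, actions):
    # Identifiers are interpolated as in the issue's example; quoting and
    # validating them is assumed to happen before this point.
    principal, object_type, object_id = key
    return (f"GRANT {', '.join(sorted(actions))} "
            f"ON {object_type} {object_id} TO {principal}")


def run(grants, folded):
    """Return the permissions left in the store after a concurrent run."""
    store = ReadAppendSetStore()
    requests = fold(grants) if folded else [(g.key(), {g.action}) for g in grants]
    apply_interleaved(store, requests)
    return dict(store.acl)
```

With one request per action, only the last writer's action survives for a given principal and securable; after folding, each key is written by exactly one request, so the interleaving has nothing to override.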