Validating SQL privileges
Additional privileges on referenced objects are required for invoker-rights procedures, but not for definer-rights procedures. A user of a definer-rights procedure requires only the privilege to execute the procedure and no privileges on the underlying objects that the procedure accesses, because a definer-rights procedure operates under the security domain of the user who owns the procedure, regardless of who is executing it. The procedure's owner must have all the necessary object privileges for referenced objects. Fewer privileges have to be granted to users of a definer-rights procedure, resulting in tighter control of database access.

If you grant system privileges to roles, then you can use the roles to manage system privileges. For example, roles permit privileges to be made selectively available.

Some schema objects, such as clusters, indexes, triggers, and database links, do not have associated object privileges. For example, to alter a cluster, a user must own the cluster or have the system privilege. Because these privileges allow other users to alter or create dependencies on a table, you should grant privileges conservatively. A user attempting to perform a DDL operation on a table may need additional system or object privileges.
No runtime privilege check is made when the procedure is called.
A user can grant any object privilege on any schema object he or she owns to any other user or role.
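
The difference between definer-rights and invoker-rights procedures described above, as an added example that is not part of the original page. It assumes Oracle PL/SQL syntax (the `AUTHID` clause and the `USER_PROCEDURES` view); the accounts `app_owner` and `report_user`, the `payroll` table and both procedure names are hypothetical.

```sql
-- Constructed example; all schema, table, procedure and user names are hypothetical.
-- Connected as APP_OWNER: the owner holds every object privilege on its own table.
CREATE TABLE payroll (emp_id NUMBER PRIMARY KEY, salary NUMBER);
INSERT INTO payroll VALUES (1, 5000);
COMMIT;

-- Definer rights: the body runs in APP_OWNER's security domain.
CREATE OR REPLACE PROCEDURE raise_salary_definer (p_emp IN NUMBER, p_pct IN NUMBER)
  AUTHID DEFINER
AS
BEGIN
  UPDATE app_owner.payroll SET salary = salary * (1 + p_pct / 100) WHERE emp_id = p_emp;
END;
/

-- Invoker rights: the same body, but the UPDATE is checked against the caller's privileges.
CREATE OR REPLACE PROCEDURE raise_salary_invoker (p_emp IN NUMBER, p_pct IN NUMBER)
  AUTHID CURRENT_USER
AS
BEGIN
  UPDATE app_owner.payroll SET salary = salary * (1 + p_pct / 100) WHERE emp_id = p_emp;
END;
/

-- The owner grants only EXECUTE; REPORT_USER receives nothing on PAYROLL itself.
GRANT EXECUTE ON raise_salary_definer TO report_user;
GRANT EXECUTE ON raise_salary_invoker TO report_user;

-- Review which rights model each procedure uses before granting EXECUTE more widely.
SELECT object_name, authid FROM user_procedures WHERE object_name LIKE 'RAISE_SALARY%';

-- Connected as REPORT_USER.
-- Accepted: EXECUTE is the only privilege needed for the definer-rights procedure.
BEGIN app_owner.raise_salary_definer(1, 10); END;
/
-- Rejected: the invoker-rights procedure needs REPORT_USER to hold UPDATE on the table.
BEGIN app_owner.raise_salary_invoker(1, 10); END;
/

-- Connected as APP_OWNER: the grant that makes the invoker-rights call work.
GRANT UPDATE ON payroll TO report_user;
-- Side effect to weigh: REPORT_USER can now update PAYROLL directly, outside the
-- procedure's logic, which is the wider exposure the definer-rights version avoids.
```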