Is it possible grant execute on a package to a role? The following snippet (run as SYS AS SYSDBA) demonstrates my problem.
SET SERVEROUTPUT ON SIZE 1000000;
CREATE USER foo_user IDENTIFIED BY foo;
GRANT CONNECT, UNLIMITED TABLESPACE TO foo_user;
CREATE USER bar_user IDENTIFIED BY bar;
GRANT CONNECT, UNLIMITED TABLESPACE TO bar_user;
CREATE OR REPLACE PACKAGE foo_user.foo_package AS
PROCEDURE foo_procedure;
END;
/
CREATE OR REPLACE PACKAGE BODY foo_user.foo_package AS
PROCEDURE foo_procedure AS
BEGIN
DBMS_OUTPUT.PUT_LINE('Ran foo_user.foo_package.foo_procedure');
END foo_procedure;
END;
/
CREATE ROLE bar_role;
GRANT bar_role TO bar_user;
GRANT EXECUTE ON foo_user.foo_package TO bar_role;
CREATE TABLE bar_user.bar_table(bar_column NUMBER);
CREATE OR REPLACE TRIGGER bar_user.bar_table_bit
BEFORE INSERT ON bar_user.bar_table
FOR EACH ROW
BEGIN
foo_user.foo_package.foo_procedure;
END;
/
INSERT INTO bar_user.bar_table (bar_column) VALUES (1);
The execute grant on foo_user.foo_package to bar_role works, however, the creation of the trigger which relies on the grant does not. If, however, I replace the grant to bar_role with a grant to bar_user the creation of the trigger works fine. So replacing
CREATE ROLE bar_role;
GRANT bar_role TO bar_user;
GRANT EXECUTE ON foo_user.foo_package TO bar_role;
with
GRANT EXECUTE ON foo_user.foo_package TO bar_user;
works fine.
Am I doing something wrong or is not possible to grant execute on a package to a role?