ORACLE - Create Procedure granted but can't create procedure

Question

There's a user in the database to whom CREATE PROCEDURE privelege is granted. But when that user tries to create a simple procedure the following error is thrown: ORA-01031: insufficient privileges 01031. 00000 - "insufficient privileges" *Cause: An attempt was made to change the current username or password without the appropriate privilege. This error also occurs if attempting to install a database without the necessary operating system privileges.

here's the DDL for the procedure:

 CREATE OR REPLACE PROCEDURE TOTALBASE.ROUNDUP 
          (CUR OUT SYS_REFCURSOR  ) 
 AS 
 BEGIN
  OPEN CUR FOR
   SELECT * FROM TOTALBASE.ABONENT; 
 END ROUNDUP;

What else should I consider to do to make this work? I'm suspecting that even if the privelege is granted anyone who's not in the administrators or ORA_DBA group can't create a procedure. but I'm not sure.

Answer 1

To create a procedure in a schema other than your own, you'll need CREATE ANY PROCEDURE privilege.

As a general rule, this privilege should not be granted lightly, as it could easily be used to circumvent database security.

Hope that helps.

Answer 2

After few comments below, I am trying again.

Do not create a procedure in another schema; only let each user create objects in their own schema.

This way you have less of a reason to GRANT access to other schema objects. The TOTALBASE user can than grant the EXECUTE privilege on that procedure to current user.

The current user, which needs some data from a TOTALUSER table, does not need to create or access other objects when he has the EXECUTE privilege on function or procedure.

Looking from another angle, this way it's also easier to maintain: TOTALUSER provides sort of an API in how it exposes data to the current user, hiding implementation details which can change in the future, being transparent to current user.