Use the grant command to grant permission on objects to all users who have been granted a specified role, whether system or user-defined. This allows you to restrict use of an object to users who have been granted any of these roles:
Any system-defined role
Any user-defined role
A role can be granted only to a login account, another role, or login profile.
Grant permission to a role does not prevent users who do not have the specified role from being granted the same permission, directly or through a group. To ensure, for example, that only system administrators can successfully execute a stored procedure, use the has_role system function within the stored procedure itself to check that the user has been granted and has activated the requisite role. See “Displaying information about roles”.
Permissions granted to roles override permissions granted to users or groups. For example, assume John has been granted the system security officer role, and sso_role has been granted permission on the sales table. If John’s individual permission on sales is revoked, he can still access sales when he has sso_role active because his role permissions override his individual permissions.
