Cristinano,
This information I obtained in the Oracle 9i Manual (Oracle9I Database Concepts Release 2 (9.2)), but I understand that it extends to all releases after this:
Who can grant schema object privileges?
The User Automatically Has All Object privileges for Schema Objects Contained in His Or Her Schema. The User Can Grant Any Object Privilege On Any Schema Object He or She Owns to Any Other User Or Role. The User With The Grant Any Object Privilege Can Grant Or Reuvoke Any Specified Object Privilege to Another User With Or Without The Grant Option Of The Grant Statement. Otherwise, The Grantee Can use The Privilege, but Cannot Grant It to Other Users.
for example, assumes User Scott Has to Table Named T2:
Select all
SQL>GRANT grant any object privilege TO U1;
SQL> connect u1/u1
Connected.
SQL> GRANT select on scott.t2 \TO U2;
SQL> SELECT GRANTEE, OWNER, GRANTOR, PRIVILEGE, GRANTABLE FROM DBA_TAB_PRIVS
WHERE TABLE_NAME = 'employees';
GRANTEE OWNER
------------------------------ ------------------------------
GRANTOR PRIVILEGE GRA
------------------------------ ---------------------------------------- ---
U2 SCOTT
SCOTT SELECT NO
From what I can Understanding, when a user has the "Grant Any Object" privilege it can assign access permissions to objects (which do not belong to it) for any schema or role.
In the example above, the U1 user assigned a Select permission in the Scott.t2 table for the U2 user.
As U1 had the privilege
GRANT ANY OBJECT
the SCOTT user did not have to do a
GRANT SELECT ON SCOTT.T2 TO U1 WITH GRANT OPTION
Hugs,
Sergio Coutinho