procedure权限

创建procedure需要create [any] procedure权限，procedure中引用的权限需要显示授予，而不能通过role来授予！但匿名块没这个要求
如user1下创建一个proc1(不论使用authid current_user|definer)用于插入user2.t1表，user2.t1通过role授予user1，这时将报错找不到表
To create a procedure, you need to have been explicitly granted the necessary privileges (system or object) on all objects referenced by the procedure. You cannot obtain the required privileges through roles. This includes the EXECUTE privilege for any procedures that are called inside the procedure being created.
Note: Anonymous PL/SQL blocks can use any privilege, whether the privilege is granted explicitly or through a role.

packpage权限
对execute包授予执行权限，则会应用到包中所有procedure or function,并且可访问或更改public package variable
注：不能对包中某个存储过程或函数单独授予权限, 如果想单独授予，需要包外创建procedure来引用包内存储过程：
CREATE PACKAGE BODY test AS 
  PROCEDURE proc1 IS BEGIN ... END; 
  PROCEDURE proc2 IS BEGIN ... END; 
END employee_changes; 
CREATE PROCEDURE out_proc1
  BEGIN 
    test.proc1(...) 
  END hire; 
CREATE PROCEDURE out_proc2
  BEGIN 
    test.proc2(...) 
  END fire; 
GRANT EXECUTE ON out_proc1,out_proc2 TO scott; 

注：关于procedure的definer's rights 与 Invoker's rights, 简单来说前者使用定义者权限，后者使用调用者权限
      但上面的设置仍可能有安全问题，为此Oracle提供了更多对definer与Invoker的设置
      详细见《Database Security Guide》的<Managing Security for Definer's Rights and Invoker's Rights>

《Database Security Guide》中的<Managing Fine-Grained Access in PL/SQL Packages and Types>  
包括下面两方面，需要时再看
关于Oracle Application Security access control lists (ACL) ，相关包： DBMS_NETWORK_ACL_ADMIN
关于Access Control to Oracle Wallets