The AUTHID clause instructs Oracle as to whether the routine is to be run with the invoker's rights (CURRENT_USER), or with the Owner rights (DEFINER). If the clause is not specified, Oracle will default to using the AUTHID DEFINER.
Note that to enable code to run with Invoker rights, the AUTHID clause must be used before the IS or AS keyword in the routine header.
Invoker rights is a method present in Oracle 8i and greater that is used to resolve references to database elements in a PL/SQL program unit. Using Invoker rights we can instruct Oracle if a given program unit should run with the authority of the definer or of the invoker. The result is that multiple schemas can share the same piece of code while accessing only the elements which belong to the invoker.
Invoker Rights Restrictions
- When compiling a new routine, direct privileges are only evaluated to resolve any external references, and grants through roles are ignored. This is also true when executing a routine created with invoker rights.
- AUTHID must be specified in the header of a program unit. The same cannot be specified for individual programs or methods within a package or object type.
- Definer rights will always take precedence in resolving external references used when compiling a new routine.
- Extreme care must be used when privileges are assigned to a different user. If inappropriate privileges are assigned, a routine with invoker rights may gain unintended access and cause unexpected results (including security breaches). Pay careful attention that grants are assigned correctly.
- Note that for an invoker rights routine referred to in a VIEW or TRIGGER, the owner of these objects is always considered to be the invoker, not the user triggering it.
For DEFINER RIGHTS objects execute privileges must be granted directly to the user; not to a role. With CURRENT USER rights can be granted to a role. AUTHID DEFINER (default) stored procedures are executed in environment equivalent to the one you get after SET ROLE NONE.
In other words, roles are disabled for PL/SQL and any privileges granted via roles do not apply unless you created the procedure with AUTHID CURRENT_USER, in which case role privileges do apply. Note that executing such procedures is a bit more expensive because Oracle has to evaluate the privileges on every call.