I have procedure (procedureA) that is created in schema (schemaA). SchemaA user doesn't have any privilages only CONNECT role granted. ProcedureA is responsible for grant select,alter,update... privilages to specific table in other schemas to specific user. What I read in oracle doc (How Procedure Privileges Affect Invoker's Rights) is that procedure use owner rights and now I don't understand how it's possible to invoke this procedure by sys user since schemaA user doesn't have any rights. ProcedureA was created without AUTHID CURRENT_USER. After execute procedureA privilages are granted correctly.
Thanks
In "Protecting Oracle Database 12c" by Paul Wright at page 91 under SYSDBA Phishing it is stated that a SYSDBA's privilege will pass through if a definer's rights procedure is invoked. (Found at Google books)
If that is true then when you use an account as SYSDBA (as is the case with SYS automatically), procedures in other schemas are run with invokers rights even if not defined.