You cannot grant certain privileges to a role:
- CREATE ROLE
- DROP ROLE
- CREATE PROFILE
- DROP PROFILE
- CREATE USER
- DROP USER
- CTCONTROL
- OVERRIDE privileges
- WITH GRANT OPTION (membership in a role cannot confer the ability to grant any of the privileges it contains to other users or roles)
Instead of WITH GRANT OPTION, you should use WITH ADMIN OPTION for roles. A user granted WITH ADMIN OPTION on a role can:
- Drop the role
- Grant the role to other users and roles
- Grant the role to another user with the WITH ADMIN OPTION
- Revoke the role from a grantee
WITH ADMIN OPTION does not provide the ability to grant or revoke privileges to or from the role or to any members of the role.