Which privilege must be granted on every database referenced by a secure view to enable data sharing, in addition to the standard data sharing procedures?