Which order of object privileges should be used to grant a custom role read-only access to a table?