A posting on the PeopleSoft DBA Forum, referenced Tanel Poder's blog entry: Oracle Security: All your DBAs are SYSDBAs and can have full OS access. Essentially, there is a security bug in Oracle where users with IMP_FULL_DATABASE and BECOME_USER can gain SYSDBA access. This hole has been closed up a patch delivered in the July 2008 Critical Patch Update.
The PSADMIN role has both of these privileges, as well as another 22 that are not required for normal operation of a PeopleSoft system.
There are two morals to this story:
- There are good reasons to keep up to date with Oracle's CPUs.
- PSADMIN has privileges that if given to application accounts could compromise database security.
- ANALYZE ANY
- ALTER SESSION
- CREATE SESSION
- CREATE TABLE
- CREATE TRIGGER
- ALTER USER
Each privilege is discussed in Chapter 3 of PeopleSoft for the Oracle DBA.