Accenture Enkitec Group E4 Webinar

Tuesday, January 06, 2009

PeopleSoft's PSADMIN Role

Recently, I have had a number of conversations about the privileges that are granted to the PeopleSoft OWNERID account (usually SYSADM) via the PSADMIN role.

A posting on the PeopleSoft DBA Forum, referenced Tanel Poder's blog entry: Oracle Security: All your DBAs are SYSDBAs and can have full OS access. Essentially, there is a security bug in Oracle where users with IMP_FULL_DATABASE and BECOME_USER can gain SYSDBA access. This hole has been closed up a patch delivered in the July 2008 Critical Patch Update.

The PSADMIN role has both of these privileges, as well as another 22 that are not required for normal operation of a PeopleSoft system.

There are two morals to this story:
  1. There are good reasons to keep up to date with Oracle's CPUs.
  2. PSADMIN has privileges that if given to application accounts could compromise database security.
I think that PSADMIN could be stripped down to just the following 8 privileges:
  • ANALYZE ANY
  • ALTER SESSION
  • CREATE SESSION
  • CREATE TABLE
  • CREATE TRIGGER
  • CREATE_VIEW
  • SELECT_CATALOG_ROLE
  • ALTER USER
You only need CREATE USER when creating the PeopleSoft database with the Data Mover import. SELECT_CATALOG_ROLE is not in the delivered PSADMIN, but is required if you remove IMP_FULL_DATABASE and EXP_FULL_DATABASE.

Each privilege is discussed in Chapter 3 of PeopleSoft for the Oracle DBA.

No comments :