Tuesday, January 06, 2009

PeopleSoft's PSADMIN Role

Recently, I have had a number of conversations about the privileges that are granted to the PeopleSoft OWNERID account (usually SYSADM) via the PSADMIN role.

A posting on the PeopleSoft DBA Forum referenced Tanel Poder's blog entry, "Oracle Security: All your DBAs are SYSDBAs and can have full OS access". Essentially, there is a security bug in Oracle where users with IMP_FULL_DATABASE and BECOME USER can gain SYSDBA access. This hole has been closed by a patch delivered in the July 2008 Critical Patch Update.

The PSADMIN role has both of these privileges, as well as another 22 that are not required for normal operation of a PeopleSoft system.

There are two morals to this story:
  1. There are good reasons to keep up to date with Oracle's CPUs.
  2. PSADMIN has privileges that, if given to application accounts, could compromise database security.

I think that PSADMIN could be stripped down to just the following 8 privileges:
  • ANALYZE ANY
  • ALTER SESSION
  • CREATE SESSION
  • CREATE TABLE
  • CREATE TRIGGER
  • CREATE VIEW
  • SELECT_CATALOG_ROLE
  • ALTER USER

You only need CREATE USER when creating the PeopleSoft database with the Data Mover import. SELECT_CATALOG_ROLE is not in the delivered PSADMIN, but is required if you remove IMP_FULL_DATABASE and EXP_FULL_DATABASE.
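
An audit query for the proposal above, added here as an example and not taken from the original post or from PeopleSoft's delivered scripts. It assumes the role is named PSADMIN and that the session can read DBA_SYS_PRIVS and DBA_ROLE_PRIVS; it reports what the role holds beyond the eight-item list, and which accounts hold the role.

```sql
-- Added example: compare what PSADMIN holds with the eight-item list above.
-- Assumes the role is named PSADMIN and the session can query the DBA_ views.
WITH proposed AS (
  SELECT 'ANALYZE ANY' AS priv_name FROM dual UNION ALL
  SELECT 'ALTER SESSION'            FROM dual UNION ALL
  SELECT 'CREATE SESSION'           FROM dual UNION ALL
  SELECT 'CREATE TABLE'             FROM dual UNION ALL
  SELECT 'CREATE TRIGGER'           FROM dual UNION ALL
  SELECT 'CREATE VIEW'              FROM dual UNION ALL
  SELECT 'SELECT_CATALOG_ROLE'      FROM dual UNION ALL
  SELECT 'ALTER USER'               FROM dual
),
granted AS (
  -- System privileges granted directly to the role
  SELECT privilege AS priv_name, 'SYSTEM PRIVILEGE' AS kind
  FROM   dba_sys_privs
  WHERE  grantee = 'PSADMIN'
  UNION ALL
  -- Roles nested inside the role (for example IMP_FULL_DATABASE)
  SELECT granted_role, 'ROLE'
  FROM   dba_role_privs
  WHERE  grantee = 'PSADMIN'
)
-- Grants the role has that are not on the proposed list
SELECT g.priv_name, g.kind, 'EXCESS: review for REVOKE' AS finding
FROM   granted g
WHERE  g.priv_name NOT IN (SELECT priv_name FROM proposed)
UNION ALL
-- Proposed items the role does not yet have
SELECT p.priv_name, '-', 'MISSING: proposed but not granted'
FROM   proposed p
WHERE  p.priv_name NOT IN (SELECT priv_name FROM granted)
ORDER  BY 3, 1;

-- Accounts and roles that currently hold PSADMIN
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'PSADMIN'
ORDER  BY grantee;
```

The first query lists direct grants only; privileges that reach PSADMIN through a nested role appear in DBA_SYS_PRIVS under that role's name, so check each role it reports as well.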

Each privilege is discussed in Chapter 3 of PeopleSoft for the Oracle DBA.
