
Re: PSADMIN role considered...harmful?

  • shajivps
    Message 1 of 3 , Jan 7, 2009
      James,

      All DBAs and security admins will question the need for the
      privileges given to SYSADM via the PSADMIN role. We had 2 ways to
      approach it.

      The first one was to trim down the privileges with the approval of
      Oracle/PeopleSoft. We tried that, and that was not going to happen,
      since Oracle was not going to spend the time and effort to certify a
      new modified PSADMIN role.

      The second option was to control who gets access to the PSADMIN role. At our
      site, it was agreed that PSADMIN will be granted only to SYSADM and
      the SYSADM password is locked away by the DBA. This still opens up a
      loophole where code can be written and executed via SYSADM that can
      utilize the PSADMIN privileges. We are hoping that the well-managed
      change control process will keep track of the history of code changes
      and keep any abuse of loopholes to a minimum.

      Regards,

      Shaji.


      --- In psftdba@yahoogroups.com, "James Blanding" <stoneandkobi@...> wrote:
      >
      > After taking a look at the privileges granted to SYSADM via the
      > delivered PSADMIN role, I'm wondering if anyone has trimmed any of the
      > seemingly unnecessary ones from their installation. For example, I
      > don't see why SYSADM should have access to create a tablespace or drop
      > a user. And I'm a bit disturbed to see IMP_FULL_DATABASE after
      > reading this article (though it sounds like the issue discussed may
      > have been fixed in the July08 security patch):
      >
      > http://blog.tanelpoder.com/2007/11/10/oracle-security-all-your-dbas-are-sysdbas-and-can-have-full-os-access/
      >
      > Comments in the psroles.sql script, which creates PSADMIN, say in
      > part, "These are the minimum privileges required to run PeopleSoft
      > applications." But then, this wouldn't be the first statement
      > PeopleSoft has made that wasn't entirely true. So is there anyone out
      > there who has tried locking down PSADMIN a bit?
      >
      > --James
      >
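
An added example, not part of the original thread or of PeopleSoft's scripts: Oracle data-dictionary queries a DBA could run to check the controls discussed above, namely what PSADMIN actually carries, whether anyone besides SYSADM holds it, and which SYSADM-owned stored code changed recently. The 30-day window and the list of object types are assumptions; the views are standard Oracle dictionary views.

```sql
-- Added example (not from the thread). Run as a user with access to the DBA_* views.

-- 1. Every system privilege PSADMIN carries, directly or through roles
--    granted to it (a role such as the IMP_FULL_DATABASE mentioned in the
--    thread is expanded here if it was granted to PSADMIN as a role).
SELECT DISTINCT sp.grantee AS via_role, sp.privilege, sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.grantee IN (
         SELECT 'PSADMIN' FROM dual
         UNION
         SELECT granted_role
         FROM   dba_role_privs
         START  WITH grantee = 'PSADMIN'
         CONNECT BY PRIOR granted_role = grantee
       )
ORDER  BY sp.privilege, sp.grantee;

-- 2. Policy check: PSADMIN should be held by SYSADM only.
--    Any row returned is a grantee that violates that agreement.
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'PSADMIN'
AND    grantee <> 'SYSADM';

-- 3. Change-control cross-check: stored code owned by SYSADM that was
--    created or recompiled in the last 30 days (window is an assumption).
--    Each row should map to an approved change record.
SELECT object_type, object_name, created, last_ddl_time, status
FROM   dba_objects
WHERE  owner = 'SYSADM'
AND    object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE',
                       'PACKAGE BODY', 'TRIGGER')
AND    last_ddl_time > SYSDATE - 30
ORDER  BY last_ddl_time DESC;
```

Query 2 returning no rows and query 3 matching the change log are the two conditions the second option in the reply relies on.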