Re: PSADMIN role considered...harmful?
All DBAs and security admins will question the need for the
privileges given to SYSADM via the PSADMIN role. We had 2 ways to

First one was to trim down the privileges with the approval of
Oracle/PeopleSoft. We tried that and that was not going to happen
since Oracle was not going to spend the time and effort to certify a
new modified PSADMIN role.

Second option was to control who gets access to the PSADMIN role. At our
site, it was agreed that PSADMIN will be granted only to SYSADM and
the SYSADM password is locked away by the DBA. This still opens up a
loophole where code can be written and executed via SYSADM that can
utilize the PSADMIN privileges. We are hoping that the well-managed
change control process will keep track of the history of code changes
and keep any abuse of loopholes to a minimum.

--- In firstname.lastname@example.org, "James Blanding" <stoneandkobi@...> wrote:
> After taking a look at the privileges granted to SYSADM via the
> delivered PSADMIN role, I'm wondering if anyone has trimmed any of the
> seemingly unnecessary ones from their installation. For example, I
> don't see why SYSADM should have access to create a tablespace or drop
> a user. And I'm a bit disturbed to see IMP_FULL_DATABASE after
> reading this article (though it sounds like the issue discussed may
> have been fixed in the July08 security patch):
> Comments in the psroles.sql script, which creates PSADMIN, say in
> part, "These are the minimum privileges required to run PeopleSoft
> applications." But then, this wouldn't be the first statement
> PeopleSoft has made that wasn't entirely true. So is there anyone out
> there who has tried locking down PSADMIN a bit?
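
An audit sketch for the two points raised in this thread, added here as an example and not taken from either poster or from psroles.sql: it checks that PSADMIN is held only by SYSADM, lists what the role actually confers (including privileges that arrive through nested roles such as IMP_FULL_DATABASE), and lists recently changed SYSADM code for comparison with change-control records. It assumes a session that can read the Oracle DBA_* dictionary views; the 30-day window is an arbitrary choice.

```sql
-- 1. Who holds PSADMIN? Per the site policy described above,
--    the only expected grantee is SYSADM.
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'PSADMIN'
ORDER  BY grantee;

-- 2. Effective system privileges of PSADMIN. A role can be granted
--    other roles (IMP_FULL_DATABASE is itself a role), so walk the
--    role tree before reading DBA_SYS_PRIVS.
WITH role_tree AS (
  SELECT 'PSADMIN' AS role_name FROM dual
  UNION
  SELECT granted_role
  FROM   dba_role_privs
  START  WITH grantee = 'PSADMIN'
  CONNECT BY PRIOR granted_role = grantee
)
SELECT sp.grantee   AS via_role,
       sp.privilege,
       sp.admin_option,
       CASE
         WHEN sp.privilege IN ('CREATE TABLESPACE', 'DROP USER')
           THEN 'questioned in this thread'
         WHEN sp.grantee <> 'PSADMIN'
           THEN 'inherited through nested role'
       END          AS note
FROM   dba_sys_privs sp
JOIN   role_tree rt ON rt.role_name = sp.grantee
ORDER  BY sp.grantee, sp.privilege;

-- 3. Stored code owned by SYSADM that changed in the last 30 days
--    (window is an assumption). Each row should map to an approved
--    change-control record.
SELECT object_type, object_name, created, last_ddl_time
FROM   dba_objects
WHERE  owner = 'SYSADM'
AND    object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE',
                       'PACKAGE BODY', 'TRIGGER')
AND    last_ddl_time >= SYSDATE - 30
ORDER  BY last_ddl_time DESC;
```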