Description
All system privileges except for CREATE SESSION must be restricted to DBAs, application object owner accounts/schemas (locked accounts) and default Oracle accounts. Developers may be granted limited system privileges as required on development databases.

Audit:

    select PRIVILEGE, GRANTEE
    from DBA_SYS_PRIVS
    where privilege != 'CREATE SESSION'
    and GRANTEE not in (
      'AQ_ADMINISTRATOR_ROLE', 'DBA', 'DBSNMP', 'EXFSYS',
      'EXP_FULL_DATABASE', 'IMP_FULL_DATABASE', 'IX', 'JAVADEBUGPRIV',
      'MDSYS', 'HR', 'OE', 'OEM_MONITOR', 'OLAPSYS', 'OLAP_DBA',
      'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'SCHEDULER_ADMIN', 'SYS',
      'SYSMAN', 'SYSTEM', 'WKSYS', 'BI', 'CTXSYS',
      'DATAPUMP_EXP_FULL_DATABASE', 'FLOWS_0300000', 'OLAP_USER',
      'OWBSYS', 'XDB', 'WMSYS', 'WKUSER', 'TSMSYS'
    )
    order by GRANTEE;
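The audit query returns grantee names only, so it does not show whether a flagged grantee is a user or a role, whether the account is locked as the policy requires for application object owners, or whether the privilege can be passed on. The query below is an added example, not part of the original check: it keeps the same filter and exception list and joins to DBA_USERS and DBA_ROLES to add that context. It assumes the auditing account can select from those two dictionary views as well as DBA_SYS_PRIVS.

```sql
-- Added example: triage view over the same findings as the audit query.
-- Assumption: SELECT access to DBA_SYS_PRIVS, DBA_USERS and DBA_ROLES.
SELECT p.grantee,
       CASE
         WHEN u.username IS NOT NULL THEN 'USER'
         WHEN r.role     IS NOT NULL THEN 'ROLE'
         ELSE 'OTHER'                      -- for example PUBLIC
       END              AS grantee_type,
       u.account_status,                   -- NULL for roles; OPEN, LOCKED, ... for users
       p.privilege,
       p.admin_option                      -- YES = grantee can grant the privilege onward
FROM   dba_sys_privs p
       LEFT JOIN dba_users u ON u.username = p.grantee
       LEFT JOIN dba_roles r ON r.role     = p.grantee
WHERE  p.privilege != 'CREATE SESSION'
AND    p.grantee NOT IN (
         -- Exception list copied unchanged from the audit query
         'AQ_ADMINISTRATOR_ROLE', 'DBA', 'DBSNMP', 'EXFSYS',
         'EXP_FULL_DATABASE', 'IMP_FULL_DATABASE', 'IX', 'JAVADEBUGPRIV',
         'MDSYS', 'HR', 'OE', 'OEM_MONITOR', 'OLAPSYS', 'OLAP_DBA',
         'ORDPLUGINS', 'ORDSYS', 'OUTLN', 'SCHEDULER_ADMIN', 'SYS',
         'SYSMAN', 'SYSTEM', 'WKSYS', 'BI', 'CTXSYS',
         'DATAPUMP_EXP_FULL_DATABASE', 'FLOWS_0300000', 'OLAP_USER',
         'OWBSYS', 'XDB', 'WMSYS', 'WKUSER', 'TSMSYS'
       )
ORDER  BY grantee_type, p.grantee, p.privilege;
```

Rows with grantee_type USER and account_status OPEN are the ones to review first; rows with grantee_type ROLE need a follow-up against DBA_ROLE_PRIVS to see which accounts hold the role.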