After taking a look at the privileges granted to SYSADM via the
delivered PSADMIN role, I'm wondering if anyone has trimmed any of the
seemingly unnecessary ones from their installation. For example, I
don't see why SYSADM should have access to create a tablespace or drop
a user. And I'm a bit disturbed to see IMP_FULL_DATABASE after
reading this article (though it sounds like the issue discussed may
have been fixed in the July08 security patch):
http://blog.tanelpoder.com/2007/11/10/oracle-security-all-your-dbas-are-sysdbas-and-can-have-full-os-access/
Comments in the psroles.sql script, which creates PSADMIN, say in
part, "These are the minimum privileges required to run PeopleSoft
applications." But then, this wouldn't be the first statement
PeopleSoft has made that wasn't entirely true. So is there anyone out
there who has tried locking down PSADMIN a bit?
--James
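
An audit query for the question above, added here as an example that is not part of the original post or of psroles.sql: it lists every system privilege PSADMIN carries, including those inherited through roles granted to it such as IMP_FULL_DATABASE. It assumes the role is named PSADMIN as in the post and that the session can read the standard DBA_ROLE_PRIVS and DBA_SYS_PRIVS dictionary views.

```sql
-- Added example (not from psroles.sql). PSADMIN is the role name from the post;
-- change it if your installation uses a different one.
WITH role_tree AS (
    -- Roles granted to PSADMIN, directly or through other roles
    SELECT granted_role AS role_name
    FROM   dba_role_privs
    START  WITH grantee = 'PSADMIN'
    CONNECT BY PRIOR granted_role = grantee
    UNION
    -- PSADMIN itself, so its direct system privileges are included
    SELECT 'PSADMIN' FROM dual
)
SELECT sp.grantee      AS via_role,      -- role that actually holds the privilege
       sp.privilege,
       sp.admin_option,
       CASE
           WHEN sp.privilege IN ('CREATE TABLESPACE', 'DROP USER')
           THEN 'named in post'          -- privileges the post questions
       END             AS note
FROM   dba_sys_privs sp
JOIN   role_tree rt
       ON rt.role_name = sp.grantee
ORDER  BY sp.grantee, sp.privilege;
```

Rows whose via_role is not PSADMIN are privileges that arrive only through a nested role, so they would disappear if that role grant were revoked from PSADMIN.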