Information
The BECOME USER system privilege allows a user to switch identities to another database user during the execution of a session, which can lead to serious security risks if granted to unauthorized users.
A user with the BECOME USER system privilege can impersonate another user and access data they are not authorized to see, bypassing access controls and security policies. The Oracle Data Pump Import utilities impdp and imp use the BECOME USER system privilege to assume the identity of another user to perform operations that cannot be directly performed by a third party (for example, loading objects such as object privilege grants). In an Oracle Database Vault environment, Database Vault provides several levels of required authorization that affect grants of BECOME USER. This capability should be restricted according to the needs of the organization.
Solution
To remediate this setting, execute the following SQL statement. If the privilege is granted in both the container database and a pluggable database, you must connect to each and revoke it there. Ensure that a proper impact analysis is done before revoking the privilege from a role.
REVOKE BECOME USER FROM <grantee>;
In the case of a grant via a role:
REVOKE <rolename> FROM <grantee>;
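To decide which of the two REVOKE forms applies and to support the impact analysis, the following added example (not part of the original benchmark text) lists who holds BECOME USER directly and which users inherit it through a chain of roles. It assumes the standard data dictionary views DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_ROLES and DBA_USERS are readable and that it is run separately in each container where the privilege may be granted.

```sql
-- Added example: run in the root container and in each pluggable database.

-- 1. Direct grants of BECOME USER (grantee may be a user or a role).
--    These are removed with: REVOKE BECOME USER FROM <grantee>;
SELECT sp.grantee,
       CASE WHEN r.role IS NOT NULL THEN 'ROLE' ELSE 'USER' END AS grantee_type,
       sp.admin_option
FROM   dba_sys_privs sp
       LEFT JOIN dba_roles r ON r.role = sp.grantee
WHERE  sp.privilege = 'BECOME USER'
ORDER  BY grantee_type, sp.grantee;

-- 2. Users who inherit BECOME USER through one or more roles.
--    role_path starts at the role that holds the privilege and ends at
--    the role granted to the user; the last role in the path is the one
--    named in: REVOKE <rolename> FROM <grantee>;
WITH priv_roles AS (
  SELECT sp.grantee AS role_name
  FROM   dba_sys_privs sp
  WHERE  sp.privilege = 'BECOME USER'
  AND    sp.grantee IN (SELECT role FROM dba_roles)
)
SELECT rp.grantee                                  AS username,
       rp.granted_role                             AS role_granted_to_user,
       SYS_CONNECT_BY_PATH(rp.granted_role, ' > ') AS role_path
FROM   dba_role_privs rp
WHERE  rp.grantee IN (SELECT username FROM dba_users)
START  WITH rp.granted_role IN (SELECT role_name FROM priv_roles)
CONNECT BY PRIOR rp.grantee = rp.granted_role
ORDER  BY username, role_path;
```

An empty result from both queries in every container means no grantee remains to revoke from.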