Security Vault gives you the possibility to limit sys privileges. :) Interesting solution but old as this world. There is another super-user and it controls data access while sys user is for DBAs to stop/start/backup/troubleshoot whatever. Looks like a security system with two keys that should be turned at the same time to open the lock. :-)
I'll agree with you for the most part. However, when an auditor comes in and reports a discrepancy in that the DBA's have the SYS password as a problem, I have to say that's "putting a stamp". How else do you create the database if you don't know and give it the sys password.
Yes, this was a real life audit example. The auditor who was clueless about what a DBA was or did, had this checklist of items and just lumped DBA's in as users and since we knew how to get at the base level of the DB we were considered an audit risk. We all volunteered to give up the password and go home. Our boss wasn't impressed.
-- Best regards, Alex Gorbachev
http://blog.oracloid.com -- //www.freelists.org/webpage/oracle-l