You might be learning something new today, as I did when I ran the DBSAT Oracle utility! In the generated report, I noticed a privilege that was mentioned: Become User Privilege. I found it interesting, so I started reading up on it. The only thing is, there is not much information in the documentation about this privilege. The reason behind it, I think, would be that Oracle uses it internally, and it is not really a privilege that you must grant to a user explicitly.
The Become User Privilege is required by DataPump to be able to import objects into a different schema, on behalf of the schema owner.
The privilege is granted explicitly to the IMP_FULL_DATABASE role (through a direct grant) and the DBA role, and implicitly to the DATAPUMP_IMP_FULL_DATABASE role (through a role grant), and of course it is also granted to SYS.

select PRIVILEGE from dba_sys_privs
where GRANTEE='IMP_FULL_DATABASE' order by 1;

PRIVILEGE
----------------------------------------
...
BECOME USER
...

select GRANTED_ROLE from dba_role_privs
where GRANTEE='DATAPUMP_IMP_FULL_DATABASE';

GRANTED_ROLE
------------------------------
EXP_FULL_DATABASE
IMP_FULL_DATABASE

When you enable Database Vault, this privilege is revoked from the two roles mentioned above, IMP_FULL_DATABASE and DATAPUMP_IMP_FULL_DATABASE, and disabling Database Vault will grant the privilege back again. This is expected behaviour.
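
The two queries above each check one role. As an added example (not part of the original post), the following audit query generalizes them: it lists every grantee that holds BECOME USER, whether through a direct grant or through any chain of role grants, and shows the path. It assumes SELECT access to DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS, and Oracle 11gR2 or later for the recursive WITH clause; the column aliases are chosen for illustration.

```sql
-- Added example: who holds BECOME USER, directly or through role grants?
WITH grant_path (grantee, path, depth) AS (
    -- Anchor: grantees with a direct system-privilege grant.
    -- CAST keeps the path column wide enough for later concatenation.
    SELECT sp.grantee,
           CAST(sp.grantee AS VARCHAR2(4000)),
           0
    FROM   dba_sys_privs sp
    WHERE  sp.privilege = 'BECOME USER'
    UNION ALL
    -- Recursive step: anyone granted a role that already holds the
    -- privilege inherits it (for example DATAPUMP_IMP_FULL_DATABASE
    -- through IMP_FULL_DATABASE).
    SELECT rp.grantee,
           rp.grantee || ' <- ' || gp.path,
           gp.depth + 1
    FROM   dba_role_privs rp
    JOIN   grant_path gp
           ON rp.granted_role = gp.grantee
)
SELECT gp.grantee,
       -- Distinguish database accounts from roles.
       CASE WHEN u.username IS NOT NULL THEN 'USER' ELSE 'ROLE' END
           AS grantee_type,
       CASE gp.depth WHEN 0 THEN 'DIRECT' ELSE 'VIA ROLE' END
           AS grant_type,
       gp.path
FROM   grant_path gp
LEFT JOIN dba_users u
       ON u.username = gp.grantee
ORDER  BY gp.depth, gp.grantee;
```

Rows with grantee_type USER are the accounts that effectively hold the privilege. Running the query before and after enabling Database Vault shows the revocation described above.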
I’d like to emphasize that this privilege will not give you proxy privileges to other schemas. This privilege is strictly used by DataPump import. In order to proxy to other schemas, you require another privilege (connect through proxy).