In our system we run audits and are confused by a username that's showing up where it shouldn't.
OS USER USERNAME USERHOST Timestamp OWNER OBJ_NAME GRANTEE PRIV_USED
------- -------- -------- ------------- ----- -------- -------- -------------
SECSEC Tom INTER\SEC 1/27/2013 6:28 null null null CREATE SESSION
SECSEC SysDBA INTER\SEC 1/27/2013 6:28 null null null CREATE SESSION
SECSEC Tom INTER\SEC 1/27/2013 6:29 null null null CREATE SESSION
SECSEC SysDBA INTER\SEC 1/27/2013 6:29 null null PROJECT GRANT ANY ROLE
SECSEC SysDBA INTER\SEC 1/27/2013 6:29 null null PROJECT GRANT ANY PRIVILEGE
SECSEC SysDBA INTER\SEC 1/27/2013 6:29 null DBA PROJECT null
SECSEC Tom INTER\SEC 1/27/2013 7:37 null null null CREATE SESSION
SECSEC Tom INTER\SEC 1/27/2013 7:42 Tom TSOC null null
How did Tom connect as SYSDBA?
We check V$PWFILE_USERS and not SYSDBA. We checked DBA_SYS_PRIVS and he just has the connect role.
How could we find out how this user performed this action?
