I just tried today to limit the power of RMAN:
REVOKE ALTER SESSION, CREATE DATABASE LINK FROM RECOVERY_CATALOG_OWNER;
It seems I can still do a backup… probably those privileges are not needed by RMAN, maybe just inherited from CONNECT in an older release!?
I’m wondering whether the dblink priv might be used in some syntax for cloning?
Pete Finnigan mentioned this post.
Thanks for your comment.
Pete Finnigan advises not to revoke from the built-in role, but not granting the built-in role to RMAN sounds very wise!