11i: O7_DICTIONARY_ACCESSIBILITY and Auditors
A frequent topic of discussion after any security assessment or review by auditors is the setting of O7_DICTIONARY_ACCESSIBILITY in Oracle Applications. O7_DICTIONARY_ACCESSIBILITY is a database initialization parameter that controls access to objects in the SYS schema. It was originally intended to help with migrations from Oracle7 to newer versions, where access to data dictionary objects is limited by default. From a pure security perspective, O7_DICTIONARY_ACCESSIBILITY should always be set to FALSE, and this is a very common security recommendation for Oracle Databases in general.
However, in Oracle Applications 11.5.9 and lower, O7_DICTIONARY_ACCESSIBILITY must be set to TRUE. This is required for proper functioning of the application, and Oracle does not support setting it to FALSE. In 11.5.10 and higher, O7_DICTIONARY_ACCESSIBILITY should be set to FALSE. See Oracle Metalink Note ID 216205.1 for more information.
We find that in many implementations that have been upgraded to 11.5.10.x, O7_DICTIONARY_ACCESSIBILITY is still set to TRUE. For all 11.5.10.x implementations, O7_DICTIONARY_ACCESSIBILITY should be set to FALSE.
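A check for the situation described above, as an added example that is not part of the original post or Oracle's documentation: the first query compares the running parameter value with the value the post gives for the installed release, and the second lists the grants that matter while the parameter is TRUE. It assumes FND_PRODUCT_GROUPS is owned by APPS, a database version that provides REGEXP_SUBSTR (10g or later), and a user able to read V$PARAMETER and DBA_SYS_PRIVS.

```sql
-- 1. Compare the running value with the value the post gives for the release.
--    Assumption: APPS.FND_PRODUCT_GROUPS holds one row with RELEASE_NAME
--    in the form 11.5.10.2.
SELECT r.release_name,
       p.value          AS current_value,
       r.expected_value,
       CASE WHEN p.value = r.expected_value THEN 'OK' ELSE 'REVIEW' END AS status
FROM  (SELECT release_name,
              CASE
                WHEN major > 11
                  OR (major = 11 AND minor > 5)
                  OR (major = 11 AND minor = 5 AND patch >= 10)
                THEN 'FALSE'   -- 11.5.10 and higher
                ELSE 'TRUE'    -- 11.5.9 and lower
              END AS expected_value
       FROM  (SELECT release_name,
                     TO_NUMBER(REGEXP_SUBSTR(release_name, '[0-9]+', 1, 1)) AS major,
                     TO_NUMBER(REGEXP_SUBSTR(release_name, '[0-9]+', 1, 2)) AS minor,
                     TO_NUMBER(REGEXP_SUBSTR(release_name, '[0-9]+', 1, 3)) AS patch
              FROM   apps.fnd_product_groups)) r
CROSS JOIN
      (SELECT UPPER(value) AS value
       FROM   v$parameter
       WHERE  UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY') p;

-- 2. While the parameter is TRUE, ANY-type system privileges (for example
--    SELECT ANY TABLE) also apply to objects in the SYS schema, so these
--    are the grants to review. The excluded grantees are a starting filter.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '% ANY %'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;
```

A status of REVIEW on an 11.5.10.x instance is the upgraded-but-still-TRUE case described above.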