We, no, the client asks for it
So, ultimately, the answer is yes
And don't ask me to try and make the client set back on these requirements :p It's a lost cause
They want 1. to be the only ones to have the ability to decrypt their data, and 2. to forbid everyone but the target app to read the data
1. requires TDE, and 2. requires dbvault
I tried to push the argument of "availabilty vs privacy" (data integrity remains equal), but they won't listen
One alternate solution would be to disallow "OS privileges" (ie, that the dba group doesn't imply the sysdba role) at the instance level - I _think_
But that doesn't solve the wallet problem
So there, I get a s*load of requirements to meet without even half the knowledge necessary to achieve it all :p
But anyway, this particular phrase: "Calling a procedure or function (whether inside a package or not) owned by another user, to which you have been granted execute access, causes it to run as though you were the owning user
Doesn't that mean that this way, procedures are setuid?
It says "owned", however, not "compiled"
Well, I guess the keyword here is "TIAS"
Which I will do
Well, I must run