If all user accounts are authenticated by the OS or an enterprise-level authentication/access mechanism, and not by Oracle, this is not a finding.
If an Oracle feature/product, an OS feature, a third-party product, or custom code is used to automate account management, this is not a finding.
Determine the site-defined definition of an acceptably small level of manual account-management activity. If the site has established the definition, documented it, and obtained ISSO-ISSM-AO approval, use that definition. If not, use the following rule of thumb as the definition: no more than 12 such accounts exist or are expected to exist, and no more than 100 manual account-management actions (account creation, modification, locking, unlocking, removal, etc.) are expected to occur in the course of a year.
If the amount of account management activity is small, as defined in the preceding paragraph, this is not a finding.
Otherwise, this is a finding.
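One way to gather the two counts used by the rule of thumb, as an added example that is not part of the original check text. It assumes Oracle 12c or later with unified auditing enabled and an audit policy that records CREATE USER, ALTER USER and DROP USER; excluding Oracle-maintained accounts is also an assumption, and a site-defined definition replaces the 12 and 100 thresholds.

```sql
-- Added example. Assumptions: Oracle 12c+ (ORACLE_MAINTAINED column exists),
-- unified auditing is enabled, and user-management statements are audited.
WITH oracle_auth_accounts AS (
    -- Accounts whose credentials are verified by the database itself.
    -- EXTERNAL and GLOBAL accounts are authenticated by the OS or a directory.
    SELECT COUNT(*) AS n
    FROM   dba_users
    WHERE  authentication_type = 'PASSWORD'
    AND    oracle_maintained = 'N'          -- assumption: skip Oracle-supplied accounts
),
account_actions AS (
    -- Account-management statements recorded over the past year.
    -- This counts automated and manual actions alike, and ALTER USER also
    -- covers users changing their own passwords, so treat it as an upper bound.
    SELECT COUNT(*) AS n
    FROM   unified_audit_trail
    WHERE  action_name IN ('CREATE USER', 'ALTER USER', 'DROP USER')
    AND    event_timestamp >= SYSTIMESTAMP - INTERVAL '365' DAY(3)
)
SELECT a.n AS oracle_authenticated_accounts,
       m.n AS account_actions_last_year,
       CASE
           WHEN a.n = 0
               THEN 'No Oracle-authenticated accounts: not a finding'
           WHEN a.n <= 12 AND m.n <= 100
               THEN 'Within rule of thumb: not a finding'
           ELSE 'Exceeds rule of thumb: finding unless account management is automated'
       END AS assessment
FROM   oracle_auth_accounts a
CROSS JOIN account_actions m;
```

The query cannot tell whether a product or custom code automates account management; that still has to be confirmed with the DBA and the site documentation.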