Preventing hijacking of elevated permissions

  • Use the .NET code transparency model. Keep the amount of Oracle Central Designer code that untrusted code can call to a minimum. In the Oracle Central Designer application, very few assemblies allow partially trusted callers.
  • Elevate permissions only when necessary and only in the code that is rule-specific.
  • Review each possible code path from untrusted code to a function that elevates permissions to see whether untrusted code can misuse the function.
  • During the review process, watch for functions that are too generic or too powerful running with elevated permissions.
    • One example of such a function is RunExternalFunction(assemblyName, className, methodName, parameters). It allows untrusted code to execute ANYTHING, and it is executed in full trust.
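
The contrast these review points describe, sketched in C# for .NET Framework code access security. This is an added example, not Oracle Central Designer code: only the RunExternalFunction signature comes from the text above; its body, the RuleHelpers class, ReadLookupTable and the lookup directory are assumptions made for illustration.

```csharp
// Added example; every name except the RunExternalFunction signature is hypothetical.
using System;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Permissions;

[assembly: AllowPartiallyTrustedCallers]

public static class RuleHelpers
{
    // FLAG IN REVIEW: transparent (untrusted) callers choose the assembly, type
    // and method, and the call runs under an asserted full-trust permission set.
    [SecuritySafeCritical]
    public static object RunExternalFunction(string assemblyName, string className,
                                             string methodName, object[] parameters)
    {
        new PermissionSet(PermissionState.Unrestricted).Assert();
        try
        {
            Type type = Assembly.Load(assemblyName).GetType(className, true);
            return type.GetMethod(methodName).Invoke(null, parameters);
        }
        finally { CodeAccessPermission.RevertAssert(); }
    }

    // Hypothetical directory holding read-only rule data.
    private const string LookupDir = @"C:\RuleData\Lookups";

    // NARROW ALTERNATIVE: one fixed operation. The caller supplies only a
    // validated table name, and the assert covers read access to one directory.
    [SecuritySafeCritical]
    public static string ReadLookupTable(string tableName)
    {
        if (string.IsNullOrEmpty(tableName) || tableName.Length > 64)
            throw new ArgumentException("Invalid table name.", "tableName");
        foreach (char c in tableName)
            if (!char.IsLetterOrDigit(c))   // rejects separators, dots, colons
                throw new ArgumentException("Invalid table name.", "tableName");

        string path = Path.Combine(LookupDir, tableName + ".csv");
        new FileIOPermission(FileIOPermissionAccess.Read, LookupDir).Assert();
        try { return File.ReadAllText(path); }
        finally { CodeAccessPermission.RevertAssert(); }
    }
}
```

In the second method the untrusted caller controls neither the code that runs nor the permission that is asserted, which is the property to look for when tracing code paths from untrusted code to an elevation point.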