Should multiple database level users (like scott etc.) be created i.e. for each application user a corresponding database user is created and database level security be maintained.
I would establish database accounts for each user, but actually connecting to the database with individual user accounts would eliminate the usefulness of database connection pooling. Plus, you'd incur the overhead of establishing a new database connection each time a user logs in to the application.
I'd investigate the Proxy Authentication mechanism that was created precisely to address this situation. It is not difficult to configure on the database end, but the application will have to connect differently to utilize this feature. The Oracle9i documentation for Proxy Authentication begins here: http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/users.htm#17433.
This was first published in April 2004