February 2008
SAP AG
Neurottstraße 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com
SAP Copyrights and Trademarks
© Copyright 2008 SAP AG. All rights reserved.
The information contained herein may be changed without prior
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
ByDesign, SAP Business ByDesign, and other SAP products and
several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.
are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any.
Where to Find this Documentation
You can find this documentation at the following address:
http://www.sdn.sap.com/irj/sdn/ora
Contents
Introduction
Requirements of the DBA Tools
  Database User OPS$<SID>ADM
  BRBACKUP, BRARCHIVE, and BRCONNECT
  BRRECOVER, BRRESTORE, and BRSPACE
Requirements for Backups Using RMAN
The OPS$ Mechanism
Examples of User Configurations (UNIX)
Additional Information
  SAP Library
  SAP Notes
Database Security for Oracle
Introduction
The security issues in the two-user concept (ora<sid>, <sid>adm (UNIX) or <SID>ADM,
SAPSERVICE<SID> (Windows)) made it necessary to consider a global solution in the area of
database security. This document is intended to explain the overall context and the improvements
made in this area.
UNIX
Windows
Logon Context
[Figure labels: OS user logon; OS> brarchive -u /; OS> brbackup -u /; DB Role]
User Configuration 1
Logon Context
[Figure labels: OS user logon]
Configuration
User Configuration 2
Logon Context
[Figure labels: OS user logon]
Configuration
BRCONNECT belongs to ora<sid>, but can be called by any user. Due to the set s-bit,
BRCONNECT runs with the authorizations of the user ora<sid>.
The operator logs on as the user <sid>adm. This user belongs to the group oper. This allows the
user to start up and shut down the database. This does not fully correspond to the standard
configuration for SAP, since <sid>adm does not belong to the dba group. The user <sid>adm has a
corresponding OPS$ database user as standard (OPS$<sid>adm). This OPS$ user is granted the
SAPDBA role on the database and can, therefore, read the Oracle Dictionary tables and write in the
DBA log tables in the database.
The OPS$ mechanism is activated automatically for the standard user <sid>adm during installation.
You can use the OPS$ mechanism by calling BRCONNECT with the option -u /.
brconnect -u / -f check
brbackup -u / -q
The operator then has full administration authorization for the SAP system (but not for the
database). If you want to keep privileges for the database separate from privileges for the
SAP system, you must set up a separate OS user with the operator authorizations
described above (see “Configuration 3” below).
If the standard password of the user SYSTEM has been changed and the OPS$ mechanism is not
used, you must call BRCONNECT, BRBACKUP, and so on, with the option -u.
User Configuration 3
Logon Context
[Figure labels: OS user logon]
Configuration
BRBACKUP belongs to ora<sid>, but can be called by any user <employee>. Due to the set s-bit,
BRBACKUP runs with the authorizations of the user ora<sid>.
You can start BRBACKUP with brbackup -u /, and therefore work with the user OPS$ora<sid>,
to perform backups. To use this mechanism, the user OPS$ora<sid> with the SAPDBA role granted
has to be defined in the database.
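Added example (not part of the original SAP document): a POSIX shell check for the file-level precondition that Configurations 2 and 3 both rely on, namely that brconnect and brbackup belong to ora<sid> and carry the s-bit. The directory and owner arguments are assumptions supplied by the caller, and the group/other write test is an extra hardening check that the document does not state.

```sh
#!/bin/sh
# Added example: audit the s-bit setup that lets any OS user run BR*Tools
# with the authorizations of ora<sid>. Directory and owner are caller-supplied
# assumptions (the directory holding the tools and the ora<sid> account name).

# audit_brtool FILE OWNER -> prints findings, returns 0 if clean, 1 otherwise
audit_brtool() {
    file=$1 owner=$2 rc=0
    if [ ! -f "$file" ]; then
        echo "MISSING   $file"
        return 1
    fi
    # ls -ld prints: mode, link count, owner, group, ...
    set -- $(ls -ld "$file")
    mode=$1 actual=$3
    if [ "$actual" != "$owner" ]; then
        echo "OWNER     $file belongs to $actual, expected $owner"
        rc=1
    fi
    # Without the s-bit the tool runs as the caller, not as ora<sid>.
    if [ ! -u "$file" ]; then
        echo "NO-SBIT   $file does not have the setuid bit set"
        rc=1
    fi
    # Extra hardening check (not from the document): a setuid program
    # should not be writable by its group or by others.
    case $mode in
        ?????w*|????????w*)
            echo "WRITABLE  $file is writable by group or others ($mode)"
            rc=1 ;;
    esac
    return $rc
}

# audit_brtools DIR OWNER -> checks the two tools the configurations name
audit_brtools() {
    dir=$1 failed=0
    for tool in brconnect brbackup; do
        audit_brtool "$dir/$tool" "$2" || failed=1
    done
    return $failed
}

# Run as: sh audit_brtools.sh <directory> <ora-sid-user>
if [ "$#" -eq 2 ]; then
    audit_brtools "$1" "$2"
fi
```

A non-zero exit status means at least one finding was printed; an empty output with status 0 means both tools match the ownership and s-bit setup described above.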
Additional Information
SAP Library
You can find more information on Oracle database administration and the contents of this document in
the SAP Library as follows:
All paths refer to Release SAP NetWeaver Process Integration 7.1 of the SAP Library.
1. Call up the SAP Help Portal at help.sap.com/nwpi71 → KNOWLEDGE CENTER FOR SAP
NETWEAVER PROCESS INTEGRATION 7.1 → SAP NetWeaver Process Integration Library
English.
2. Choose one of the following:
o Administrator’s Guide → Technical Operations for SAP NetWeaver → Administration of
Databases → Database Administration for Oracle → SAP Database Guide: Oracle
o Administrator’s Guide → Security Guide → Security Guides for the Operating System
and Database Platforms → Database Access Protection → Oracle Under UNIX or Oracle
on Windows
You can also find these plus selected extracts from the SAP Library at:
www.sdn.sap.com/irj/sdn/ora → SAP on Oracle Knowledge Center → SAP
Documentation in Help Portal
SAP Notes
You can find SAP Notes at:
service.sap.com/notes