Protecting the SAP Database User

Procedure

Take the following precautions to protect SAPR3 / SAP<SAPSID> and prevent unauthorized access to the database:

The password for SAPR3 / SAP<SAPSID> is stored in the SAPUSER table. Therefore, protect access to this table by regularly changing the password for <sapsid>adm.
To prevent someone from working around the OPS$ mechanism by using an .rhosts file, deactivate the UNIX service rlogin in the inetd.conf file.

Caution

In a distributed system, the client is responsible for the authorization checks for the operating system user <sapsid>adm. Therefore, make sure that only authorized persons have access to PC clients that directly access the database server.

Note

Do not change the value of the Oracle parameter REMOTE_OS_AUTHENT to FALSE. The OPS$ mechanism needs to be able to work from remote clients - for example, SAP System work processes need to be able to log on to the application servers as the user OPS$<sapsid>adm. Therefore, keep this parameter set to TRUE.
With the Oracle network protocol SQL*Net, you can also use the file sqlnet.ora to restrict access to the database using IP addresses. In this file, you specify invited and excluded IP addresses.

Example

tcp.validnode_checking = yes tcp.invited_nodes = (139.185.5.73, ...)

tcp.excluded_nodes = (139.185.6.71, ...)

In this way, you can make sure that only specific hosts (for example, only the application server host) are capable of accessing the database.