Setting Access Privileges for SAP System Directories Under UNIX/LINUX

For security reasons, the SAP system and user data is stored in a special directory structure in the operating system. The SAP system and user data is protected with defined access authorizations.

For more information about how the SAP system directory structure is established in the UNIX/LINUX file system, see the installation guide for the respective SAP system at http://support.sap.com/sltoolset under System Provisioning > Installation Option of Software Provisioning Manager.

We recommend that you apply the file and directory access privileges as shown in the table below.

| SAP Directory or Files | Access Privilege in Octal Form | Owner | Group |
|---|---|---|---|
| /<sapmnt>/<SAPSID>/exe | 775 | <sapsid>adm | sapsys |
| /<sapmnt>/<SAPSID>/global | 700 | <sapsid>adm | sapsys |
| /<sapmnt>/<SAPSID>/profile | 755 | <sapsid>adm | sapsys |
| /usr/sap/<SAPSID> | 751 | <sapsid>adm | sapsys |
| /usr/sap/<SAPSID>/<Instance ID> | 755 | <sapsid>adm | sapsys |
| /usr/sap/<SAPSID>/<Instance ID>/sec | 700 | <sapsid>adm | sapsys |
| /usr/sap/<SAPSID>/SYS | 755 | <sapsid>adm | sapsys |
| /usr/sap/<SAPSID>/SYS/* | 755 | <sapsid>adm | sapsys |
| /usr/sap/trans | 775 | <sapsid>adm | sapsys |
| /usr/sap/trans/* | 770 | <sapsid>adm | sapsys |
| /usr/sap/trans/.sapconf | 775 | <sapsid>adm | sapsys |
| <home directory of <sapsid>adm> | 700 | <sapsid>adm | sapsys |
| <home directory of <sapsid>adm>/* | 700 | <sapsid>adm | sapsys |
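
One way to check a system against the table above, as an added example that is not SAP-delivered code: a POSIX shell function that reports each path whose mode, owner or group deviates from the recommended values. The function name, its arguments, the ROOT prefix and the SAP_OWNER/SAP_GROUP overrides are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not SAP-delivered code. Reports every path whose mode, owner
# or group differs from the recommended values in the table.
# Usage: sap_audit ROOT SAPMNT SAPSID INSTANCE ADMHOME
#   ROOT      prefix put in front of every path ("" on a live system)
#   SAPMNT    name of the <sapmnt> directory; SAPSID in upper case
#   INSTANCE  the <Instance ID> directory name; ADMHOME home of <sapsid>adm
# SAP_OWNER / SAP_GROUP override the expected owner and group (assumed knobs).
sap_audit() {
    root=$1 mnt=$2 sid=$3 inst=$4 admhome=$5
    lsid=$(printf '%s' "$sid" | tr '[:upper:]' '[:lower:]')
    owner=${SAP_OWNER:-${lsid}adm}
    group=${SAP_GROUP:-sapsys}
    rc=0
    while read -r pattern mode; do
        # Unquoted on purpose so that "/*" rows expand to the directory entries.
        for path in $root$pattern; do
            case $path in */\*) continue ;; esac   # "/*" row matched nothing
            [ -L "$path" ] && continue             # links carry no mode of their own
            if [ ! -e "$path" ]; then
                echo "MISSING   $path"; rc=1
            # A plain octal -perm matches the mode exactly, so added
            # setuid/setgid/sticky bits are reported as well.
            elif [ -z "$(find "$path" -prune -perm "$mode" \
                         -user "$owner" -group "$group")" ]; then
                echo "DEVIATION $path (expected $mode $owner:$group)"; rc=1
            fi
        done
    done <<EOF
/$mnt/$sid/exe 775
/$mnt/$sid/global 700
/$mnt/$sid/profile 755
/usr/sap/$sid 751
/usr/sap/$sid/$inst 755
/usr/sap/$sid/$inst/sec 700
/usr/sap/$sid/SYS 755
/usr/sap/$sid/SYS/* 755
/usr/sap/trans 775
/usr/sap/trans/* 770
/usr/sap/trans/.sapconf 775
$admhome 700
$admhome/* 700
EOF
    return $rc
}
```

The function returns 0 when every listed path matches and 1 otherwise, so it can run from a scheduled job; /usr/sap/hostctrl is deliberately not in the list.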

SAP Host Agent Directory

Do not change the default permissions for the /usr/sap/hostctrl directory. If you change them, they are automatically reset to their default values the next time SAP Host Agent is started.

UMASK

Newly created files have rights determined by UMASK definitions. A UMASK is a four-digit octal number that specifies those access rights that are not to be given to newly created files. You can define UMASKs in any of several files, including the following:

  • .login

  • .cshrc

  • .profile

  • /etc/profile

As with UNIX access rights, the corresponding octal positions represent user, group, and world access, and the value of the digit represents which access privileges should be removed (remove none = 0, remove write = 2, remove all = 7).

You can use the UMASK to automatically restrict permissions for newly created files. For example, by defining a UMASK of 0027, you specify that all newly created files have the access rights 750.