
The figure below shows the file and database security concept for SAP systems on IBM i.
User Security Concept
The ABAP database schema R3<SID>DATA and the kernel library SAP<SID>IND are accessible by members of the group profile <SID>OWNER. The <SID>ADM user is a member of the <SID>OWNER group. The SAP work processes and tools run under the <SID>ADM user profile and therefore have access to the ABAP database. Objects created in this schema are owned by the group profile <SID>OWNER.
The AS Java schema, SAP<SID>DB, is only accessible by the SAP<SID>DB user, which has the same name as the schema. Objects created in this schema are owned by the user profile SAP<SID>DB.
Files residing in the Integrated File System (IFS) under the subdirectory for a specific SID, such as /usr/sap/<sid>/* or /sapmnt/<sid>/*, are owned by the user <SID>ADM and have the profile R3GROUP as group. Some files in the IFS are accessible by <SID>ADM only, other files by any member of the group R3GROUP, and other files are visible to everyone.
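One way to check the IFS ownership described above, as an added example that is not part of the SAP documentation: the script walks a SID directory and lists every entry whose owner or group differs from <SID>ADM and R3GROUP. It assumes Python 3 is available in PASE; the function names are illustrative.

```python
import grp
import os
import pwd
import sys


def user_name(uid):
    """Resolve a uid to a profile name; fall back to the number if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def group_name(gid):
    """Resolve a gid to a group profile name; fall back to the number."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_tree(root, owner, group):
    """Return (path, owner, group) for each entry not owned as expected."""
    findings = []
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        st = os.lstat(path)  # lstat: report a symlink itself, not its target
        actual = (user_name(st.st_uid), group_name(st.st_gid))
        # Compare case-insensitively: profile names may be reported in lower case.
        if (actual[0].lower(), actual[1].lower()) != (owner.lower(), group.lower()):
            findings.append((path, actual[0], actual[1]))
    return findings


if __name__ == "__main__" and len(sys.argv) == 2:
    sid = sys.argv[1]  # SID as used in the directory names
    for root in ("/usr/sap/" + sid, "/sapmnt/" + sid):
        if not os.path.isdir(root):
            continue
        for path, o, g in audit_tree(root, sid.upper() + "ADM", "R3GROUP"):
            print("%s: owner=%s group=%s" % (path, o, g))
```

Run it with the SID as the only argument; an empty result means every entry under both directories matches the expected owner and group.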
For compatibility with earlier releases, the group profile R3OWNER and the authorization list R3ADMAUTL (not shown in the figure above) can continue to exist, but these objects are not relevant in this new environment.
Depending on the users in the security concept, the following primary and supplemental groups apply:
| User | Primary Group | Supplemental Group |
|---|---|---|
| <SID>ADM | <SID>OWNER | R3GROUP, <SID>OWNER |
| SAP<SID>DB | <SID>OWNER | R3GROUP, <SID>OWNER |

The supplemental group R3GROUP authorizes access to global IFS owned by QSECOFR and the group R3GROUP for the users <SID>ADM and SAP<SID>DB.
For additional information about the individual user and group profiles, see: