Data Storage Security

Use

The data of a database is stored in the file system.

Caution

During installation, the installation program assigns the correct permissions to all your database directories and database files. Do not change the permissions of any database directories or files later, because this might render your database software installation unusable.

There are several operating system users that have extensive authorizations for accessing database resources using operating system commands.

Table 1: Special Operating System Groups for SAP MaxDB (Microsoft Windows)
Name	Type	Authorizations
SDB Operators	Group	Access to the following resources: Database software files and directories ( <global_data_path> and <private_data_path> directories and their subdirectories) Database processes SAP MaxDB global listener and X server processes (communication servers) Volumes Backups Permissions for the following administration tasks (among others): Creating new databases (additionally system administrator rights are necessary) Using the XCONS database tool Changing database parameters Accessing the volumes
`<SID>` ADM	User	SAP system administrator and database administrator in SAP systems Group member of SDB Operators
SQD<SID>	User	Not for SAP liveCache databases SQD<SID> is owner of all database resources and is the operating system user for database administrators. Group member of SDB Operators

Table 2: Special Operating System Groups for SAP MaxDB (Microsoft Windows)
Name	System Default Value	Type	Authorizations
`<sdb_user>`	sdb	User	Owner of all database resources Group member of `<sdba_group>`
`<sdba_group>`	sdba	Group	Creating databases Analysis and error handling Srating the global listener and X server (SAP MaxDB communicatin server)
`<support_group>`	sdb `<database_name>`	Group	Optional; support tasks
root	root	User	Installing the database software Granting access rights to operating system users (by their group affiliation) A SetUID root program is only required for a user change to `<sdb_user>` .
`<os_user>`	-	User	Normal operating system user Accessing the DBM server (requires a valid DBM operator name and a password to log on to the database) Accessing other database tools (for example Loader, SQLCLI), interfaces (ODBC, JDBC, SQLDBC) and all database tools that use these interfaces; a database user name and password are required
`<sid>` adm	-	User	SAP system administrator and database administrator in SAP systems Group member of `<sdba_group>`
sqd `<sid>`	-	User	Not for SAP liveCache databases SQD<SID> is owner of all database resources and is the operating system user for database administrators. Group member of `<sdba_group>`

Hazards

Unauthorized access to protected database resources using external user logon data

A normal operating system user learns the password of a privileged operating system user and accesses protected database resources using operating system commands.
An unauthorized person gains access to backups of a database.
Access to unprotected database resources

A person uses operating system commands to access database resources not protected by restrictions at the operating system level.

Activities

Changing Passwords of SAP Standard Operating System Users
Access to database resources is restricted. Don't change these restrictions.

More Information

Database Administration, Special Operating System Users and Groups, Special Operating System User Group on Microsoft Windows, Special Operating System Users and Groups on Unix and Linux