Show TOC

SAP Role and User ManagementLocate this document in the navigation structure

With the new remote monitoring capabilities of DBA Cockpit, the security concept had to be enhanced. While in previous releases, the authorization objects controlled only access to the local database, the new focus on remote monitoring required an adequate and granular protection of remote systems. As a consequence, privileges specific to individual destination databases have been implemented.

The SAP delivered role SAP_BC_DB_ADMIN_MSS is the starting point for implementing a robust security policy for your database administrators. Your SAP security administrator should use transaction PFCG to copy the role and adapt it to your organization's needs. The role contains two authorizations objects, which are particularly relevant for customization: S_ADMI_FCD and S_DBCON.

The authorization object S_ADMI_FCD requires the field content ST0R and DBA for functioning properly. If you want to allow access to the SQL Server command line interface within the DBA Cockpit, you have to add value SMSS. The command line interface allows authorized users, to execute arbitrary SQL commands with database administrator privileges. It is therefore a powerful and potentially dangerous tool. Only highly trusted personnel should be granted this privilege. It is important to understand that this field value principally opens this tool. To allow access to a specific system, you still need to maintain the values for the authorization object S_DBCON, which is described in the next paragraph.

S_DBCON is a new authorization object, which was specifically created to allow and deny access to individual database connections. To make the object more resilient against malicious attacks, it relies on the destination database hostname, its database name and the database login, rather than the name of the remote connection in table DBCON.

  • DBA Cockpit: Server Name (DBA_DBHOST)

    SQL Server database instance name. For technical reasons, this value is converted to upper case although the authorization check is performed in a case-insensitive manner.If you use a named SQL Server instance, the "Server Name" must follow the pattern "SERVERNAME\INSTANCE". When using Microsoft Cluster Services, "Server Name" must be the virtual name of the database service.To specify the database instance of your local SAP system, specify <LOCAL SYSTEM> without the quotes but including the angle brackets. Using this generic naming, is advantageous in the event of a future renaming of the database host.

  • DBA Cockpit: Database Name (DBA_DBSID)

    SQL Server database name. For technical reasons, this value is converted to upper case although the authorization check is performed in a case-insensitive manner.

  • Database User (DBA_DBUSER)

    This is actually the SQL Server database login. If you want to allow integrated security logins (also known as Windows authentication), do not specify the Windows account in this field. Rather use the string Windows authentication. This field is case sensitive.

  • Activity (ACTVT)

    This field may receive the following values:

    • Display (03)

      Display data with little or no security relevance. Examples include the database cache hit ratio, the size of individual data files or the CPU consumption of the database system.

    • Analyze (71)

      Display data, which might contain confidential information.

      Examples include: SQL trace, SQL statement parameters.

    • Maintain (23)

      Permission to change database parameters and database settings on the remotely connected database.

    • Extended Maintenance (36)

      Permission to execute all kinds of SQL statements on the database. This authorization is extremely powerful and should not be granted on a routine basis.