UNIX User Configurations

Different user configurations at the operating system (OS) level meet different security requirements.

Configuration 1

Database administrator with all authorizations

This configuration matches the SAP standard installation.

One person is fully responsible for database administration using SAPDBA and other database tools. As UNIX user ora<sid>, this person can also perform all actions possible in this context.

In this case, there are no other security aspects that need to be considered and the following user configuration is appropriate:

User Configuration 1

The database administrator knows the UNIX password of the OS user ora<sid>. Logged on as such, the administrator belongs to the OS groups dba and oper and has very high privileges. ora<sid> can access the database directly and manipulate database objects. The administrator can also start the program SAPDBA at the operating system level.

Configuration 2

User with operator privileges

This operator is authorized to make database backups, and to call SAPDBA with certain command options, such as -analyze, -check, -checkopt. This operator can also start up and shut down the database, but only has limited authorization for reading or modifying data (that is, just data that is needed for the programs SAPDBA, BRBACKUP and BRARCHIVE, no application data). The administrator is the only user allowed to restore backups.

User Configuration 2

The program SAPDBA belongs to ora<sid> but can be called by any user. Because the set-uid bit (the "s" bit) is set on the program, SAPDBA runs with the authorization of the user ora<sid>, regardless of who calls it.

The operator logs on as user <sid>adm. This user belongs to the OS group oper. The user is authorized to start up and shut down the database.

The user <sid>adm has a corresponding OPS$ user on the database (OPS$<sid>adm) as standard. This OPS$ user has the SAPDBA role on the database (granted). This allows the user to read the Oracle Dictionary tables and write to the SAPDBA log tables on the database.

The OPS$ mechanism is activated automatically for the standard user <sid>adm during installation and upgrade. You can use the OPS$ mechanism by calling SAPDBA with the option -u /, as in the following examples:

sapdba -u / -check

brbackup -u / -q

Caution

As user <sid>adm, the operator has complete administration authorization for the SAP System, but not for the database. If this is not required, then you have to set up a separate OS user with the operator authorizations mentioned above. See also user configuration 3.

Note

If the standard password of the database user system has been changed and the OPS$ mechanism is not used, then SAPDBA, BRBACKUP and so on have to be called with the option -u.

Configuration 3

Arbitrary user <student> who can perform selected operations only.

You need a security mechanism that allows a SAPDBA user to perform particular actions only (for example, monitoring) and does not provide any other privileges. This user must not know the ora<sid> or <sid>adm password, nor belong to the OS group dba. Depending on the actions needed, this user should be assigned to the OS group oper (required for database backups, for example).

User Configuration 3

The program SAPDBA belongs to ora<sid> but can be called by any user <student>. Because the set-uid bit (the "s" bit) is set on the program, SAPDBA runs with the authorization of the user ora<sid>.

The password of the user system, which SAPDBA uses to connect to the database, must in this case be stored in a password file in the directory <orapwd_path>. SAPDBA always reads this file when it is called by any user. The system password protection prevents an arbitrary user from logging on to the database directly with SQLPLUS> connect system/password.

SAPDBA supports the call sapdba -u system/<password> and the OPS$ mechanism (sapdba -u /) in this configuration for the first time in Release 4.5A.

You can start BRBACKUP with brbackup -u / in releases before 4.5A. This means that you can work with the user OPS$<student> to make backups. The prerequisite is that you have created this user in the database and assigned it the SAPDBA role.
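The following POSIX shell script is an added example, not code from SAP or from this documentation. It audits an installation against the points made for user configurations 2 and 3 above: the sapdba program must belong to ora<sid> and carry the set-uid bit, the operator user <sid>adm must be in the OS group oper but not in dba, and the password file in <orapwd_path> must be readable by its owner only, so that only the set-uid SAPDBA (running as ora<sid>) can read the system password. The <sid>, the path of the sapdba program and the path of the password file are assumptions passed as arguments; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added audit script (not SAP's own code). Checks an OS-level SAPDBA setup
# against the model of user configurations 2 and 3. All paths and names are
# assumptions supplied by the caller; adapt them to your system.

# check_sapdba_binary FILE OWNER
# Returns 0 if FILE exists, is owned by OWNER (expected: ora<sid>) and has the
# set-uid bit, which is what makes SAPDBA run with ora<sid> authorization for
# any caller. Any other state is reported on stderr and returns 1.
check_sapdba_binary() {
    f=$1
    want_owner=$2
    [ -f "$f" ] || { echo "sapdba: $f does not exist" >&2; return 1; }
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$owner" = "$want_owner" ] || { echo "sapdba: owner is $owner, expected $want_owner" >&2; return 1; }
    [ -u "$f" ] || { echo "sapdba: set-uid bit missing on $f" >&2; return 1; }
    return 0
}

# check_operator_groups "GROUP LIST"
# Returns 0 if the space-separated list (as printed by `id -Gn <user>`) contains
# oper and does not contain dba. Membership of dba would give the operator full
# database administration rights, which configuration 2 is meant to withhold.
check_operator_groups() {
    in_oper=1
    in_dba=1
    for g in $1; do
        [ "$g" = oper ] && in_oper=0
        [ "$g" = dba ] && in_dba=0
    done
    [ "$in_oper" -eq 0 ] || { echo "operator: not a member of group oper" >&2; return 1; }
    [ "$in_dba" -eq 1 ] || { echo "operator: must not be a member of group dba" >&2; return 1; }
    return 0
}

# check_password_file FILE
# Returns 0 if FILE exists and grants no permissions at all to group or others
# (mode 0600 or stricter). Characters 5-10 of the ls mode string are the group
# and other permission bits; all six must be "-".
check_password_file() {
    f=$1
    [ -f "$f" ] || { echo "orapwd: $f does not exist" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "orapwd: $f is accessible by group or others (bits: $mode)" >&2; return 1; }
    return 0
}

# audit_sapdba_setup SID SAPDBA_PATH ORAPWD_FILE
# Runs all three checks for one system (sid in lower case, e.g. c11, giving
# users orac11 and c11adm) and returns 1 if any of them fails.
audit_sapdba_setup() {
    sid=$1
    rc=0
    check_sapdba_binary "$2" "ora$sid" || rc=1
    check_operator_groups "$(id -Gn "${sid}adm" 2>/dev/null)" || rc=1
    check_password_file "$3" || rc=1
    return $rc
}

# Stand-alone use: sh audit_sapdba.sh <sid> <path to sapdba> <password file>
if [ $# -eq 3 ]; then
    audit_sapdba_setup "$1" "$2" "$3" && echo "SAPDBA OS setup: OK"
fi
```

The script uses only `ls`, `awk`, `cut`, `id` and the POSIX `test -u` operator, so it runs unchanged on any UNIX; each failed check names the file or user concerned, and a non-zero exit from audit_sapdba_setup means at least one of the three conditions above does not hold on the system.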
