
The DBA Cockpit provides a set of actions to monitor and to maintain the database. To be able to perform these actions, the SAP user requires some additional authorizations. A user must first have the global authorization and then additionally the appropriate system-specific permission. For example, to administer a system, the user must have S_RZL_ADM authorization for maintenance and the system-specific authorization for maintenance. The following sections provide information about how global and system-specific authorizations are checked and what you need to do to gain the required authorizations.
The maintenance actions provided in the DBA Cockpit set locks to prevent parallel processing. All changes to the database are recorded in an audit log.
Global Authorization Check
When you start the DBA Cockpit or change to another system in the DBA Cockpit, an authorization check is performed.
You can enable or disable the database maintenance in general using the profile parameter dbs/dba/ccms_maintenance. If this profile parameter is not set in the instance profile, the default value 1 is used.
Depending on the setting of profile parameter dbs/dba/ccms_maintenance, the following authorization checks exist:
If the profile parameter is set to 0, SAP users cannot perform any maintenance actions, regardless of their personal permissions.
If the profile parameter is set to 1, SAP users can perform maintenance actions depending on their personal permission for the authorization object S_RZL_ADM. The attribute ACTVT of this authorization object defines whether a user may maintain or only monitor objects.
System-specific Authorization Check
In addition to the permissions that are globally granted, you can restrict access to specific systems that were configured in the DBA Cockpit. You enable or disable the system-specific permission checks using the profile parameter dbs/dba/ccms_security_level.
If this profile parameter is not set in the instance profile, the default value 0 is used. Depending on the setting of profile parameter dbs/dba/ccms_security_level, the following authorization checks are performed when you select a system in the DBA Cockpit:
If parameter dbs/dba/ccms_security_level is set to 0, no additional system-specific check is performed.
If parameter dbs/dba/ccms_security_level is set to 1, SAP system users can perform actions depending on their personal permission for the authorization object S_DBCON.
The attributes DBA_DBHOST, DBA_DBSID, and DBA_DBUSER must match the corresponding attributes for the database connection that was assigned to the selected system. The special value <LOCAL System> for the attribute DBA_DBSID is used to identify the local system itself.
The attribute ACTVT of this S_DBCON authorization object defines the level of permitted actions and can have the following values:

| Value | Description |
|---|---|
| 03 Display | Enables read access to all screens of the DBA Cockpit except to those that only have a maintenance mode and no read-only mode. |
| 23 Maintain | Enables read and maintenance access to all screens of the DBA Cockpit except those that require extended maintenance permissions. |
| 36 Extended maintenance | Enables read and maintenance access to all screens of the DBA Cockpit including special maintenance screens. Note: The only screen for which extended maintenance permission is required is the SQL Command Line screen that you can access in the Favorites list of the DBA Cockpit. |

You can grant authorizations for using the DBA Cockpit with the following roles:
SAP_BC_S_DBCON_USER
Read-only role that allows monitoring access to all systems configured within the DBA Cockpit.
SAP_BC_S_DBCON_ADMIN
Additionally grants administration rights to the user for all systems. This role does not include the value Extended Maintenance.
Make sure that you have maintained the authorizations for your DBA user and for all batch users that either run jobs of the DBA Planning Calendar or the SAP standard jobs SAP_COLLECTOR_FOR_PERFMONITOR and SAP_CCMS_MONI_BATCH_DP.
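The two-stage check described above (global, then system-specific) can be modelled to review which users end up with which access level under a given profile setting. This is an added example, not SAP code: the function and class names, the numeric level constants, the rule that a user without S_RZL_ADM gets no access, the trailing `*` wildcard handling and the cap at "maintain" when dbs/dba/ccms_security_level is 0 are assumptions of the model.

```python
from dataclasses import dataclass

NONE, DISPLAY, MAINTAIN, EXTENDED = 0, 1, 2, 3
# ACTVT values of S_DBCON as listed in the table above.
S_DBCON_ACTVT = {"03": DISPLAY, "23": MAINTAIN, "36": EXTENDED}

@dataclass(frozen=True)
class DbconAuth:
    """One S_DBCON authorization held by a user (constructed model)."""
    dbhost: str
    dbsid: str
    dbuser: str
    actvt: str

def _match(pattern: str, value: str) -> bool:
    # Assumption: a value is either literal or ends in '*' (prefix match).
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def effective_level(profile, rzl_adm_maintain, dbcon_auths, conn):
    """Access level of one user on one system configured in the DBA Cockpit.

    profile: dict of profile parameters explicitly set in the instance profile
    rzl_adm_maintain: True = maintain, False = monitor only, None = no S_RZL_ADM
    dbcon_auths: list of DbconAuth; conn: (dbhost, dbsid, dbuser) of the system
    """
    if rzl_adm_maintain is None:
        return NONE  # the global authorization is required first
    # Defaults from the page: ccms_maintenance = 1, ccms_security_level = 0.
    maintenance = profile.get("dbs/dba/ccms_maintenance", "1")
    security = profile.get("dbs/dba/ccms_security_level", "0")
    glob = MAINTAIN if (maintenance == "1" and rzl_adm_maintain) else DISPLAY
    if security == "0":
        # No system-specific check is performed. Capping at MAINTAIN is an
        # assumption; the page does not describe extended maintenance here.
        return glob
    host, sid, user = conn
    system = max((S_DBCON_ACTVT.get(a.actvt, NONE) for a in dbcon_auths
                  if _match(a.dbhost, host) and _match(a.dbsid, sid)
                  and _match(a.dbuser, user)), default=NONE)
    if system == NONE:
        return NONE
    # Maintenance needs both the global and the system-specific permission.
    return system if glob == MAINTAIN else DISPLAY
```

Running the model with an empty profile shows the effect of the defaults: any user with S_RZL_ADM maintenance permission can maintain every configured system until dbs/dba/ccms_security_level is set to 1.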
Granting Database Permissions
To access the database, the database user that is used for monitoring must have at least the following authorizations:
If you want to connect to remote systems running on Sybase ASE, you can freely select a user for monitoring. Nevertheless, we recommend that you use the sapsa login when adding remote systems because only sapsa has sufficient authorizations to execute administrative tasks.
If you want to connect to remote systems running on any other database platform, see the appropriate DBA Cockpit documentation for the database platform.
Local systems use a special administration connection. This connection is called +++SYBADM and is automatically generated. When you start the DBA Cockpit and the administration connection does not yet have a user assigned, you are asked for the password of the sapsa login.
If you do not supply the correct user credentials, a standard connection with the SAP connect user is used instead of the administration connection. In this case all administrative actions of the DBA Cockpit are disabled. You can change the user and password for the administrative connection as described in Configuring Database Connections, which is mandatory for background tasks that require administrative permissions.
Locking of Actions
For each maintenance action that you have selected using the DBA Cockpit, a lock is set for the system that is being monitored. All locks are released when you exit the DBA Cockpit or when you change to another system.
Auditing of Maintenance Actions
When you make changes that affect database objects such as Adaptive Server configuration parameters, an audit log is written. You can display this audit log in the DBA Cockpit.
For more information, see Diagnostics: Displaying the Audit Log.