Setting Access Privileges for SAP System Directories Under UNIX/LINUX 
For security reasons, the SAP system and user data is stored in a special directory structure in the operating system. The SAP system and user data is protected with defined access authorizations.
For more information about how the SAP system directory structure is established in the UNIX/LINUX file system, see the installation guide for the respective SAP system at http://service.sap.com/instguides.
We recommend that you apply the file and directory access privileges as shown in the table below.
Note
The access rights shown in the table below are automatically set in the installation procedure.
SAP Directory or Files | Access Privilege in Octal Form | Owner | Group |
/<sapmnt>/<SAPSID>/exe | 775 | <sapsid>adm | sapsys |
/<sapmnt>/<SAPSID>/exe/saposcol | 4755 | root | sapsys |
/<sapmnt>/<SAPSID>/global | 700 | <sapsid>adm | sapsys |
/<sapmnt>/<SAPSID>/profile | 755 | ||
/usr/sap/<SAPSID> | 751 | ||
/usr/sap/<SAPSID>/<Instance ID> | 755 | ||
/usr/sap/<SAPSID> | 750 | <sapsid>adm | sapsys |
/usr/sap/<SAPSID>/<Instance ID>/sec | 700 | <sapsid>adm | sapsys |
/usr/sap/<SAPSID>/SYS | 755 | <sapsid>adm | sapsys |
/usr/sap/<SAPSID>/SYS/* | 755 | <sapsid>adm | sapsys |
/usr/sap/trans | 775 | <sapsid>adm | sapsys |
/usr/sap/trans/* | 770 | <sapsid>adm | sapsys |
/usr/sap/trans/.sapconf | 775 | <sapsid>adm | sapsys |
<home directory of <sapsid>adm> | 700 | <sapsid>adm | sapsys |
<home directory of <sapsid>adm>/* | 700 | <sapsid>adm | sapsys |
UMASK
Newly created files have rights determined by UMASK definitions. An UMASK is a four digit octal number that specifies those access rights that are not to be given to newly created files. You can define UMASKS in any of several files including the following:
.login
.cshrc
.profile
/etc/profile
As with UNIX access rights, the corresponding octal positions represent user, group, and world access, and the value of the digit represents which access privileges should be removed (remove none = 0, remove write = 2, remove all = 7).
You can use the UMASK to automatically restrict permissions for newly created files. For example, by defining a UMASK of 0027, you specify that all newly created files have the access rights 750.