
User Management

 

User Management Tools

| Tool | Detailed Description | Prerequisites |
|---|---|---|
| DBMCLI, SAPDBM-GUI | Command line and interactive administration tools for the SAP database | SAP DB instance must be installed and used with the SAP Content Server |
| Commands of the operating system | Add/Delete/Modify user entries | |

To operate, the SAP Content Server for UNIX requires the following users and groups:

  • Operating system user without administrator privileges. SAP recommends that you create a separate user and home directory for each SAP Content Server, so that separate server instances can be operated. SAP recommends the naming convention <sid>cs or <sid>csc, but you can use any other name. (See also the Installation Guide IMG).

    If documents are created in file system repositories, the created repository objects belong, without exception, to the user ID under which the content server processes are running.

  • The <sid>cs/csc user must be a member of the user group sapsys.

  • Additional content server administrators can be created. All administrators must belong to the same group, which must be declared as the administration security group in the content server for UNIX. (See below).

The SAPDB database for UNIX requires the following system users and groups:

  • A database user, so that the content server can log on to an SAP DB instance to access the repositories created there. The default database user is SAPR3 and the default password is SAP. You can define an alternative user and an encrypted password in the relevant configuration parameters on the content server.

  • To operate the SAP database, other operating system users are required. One is the sapdb user, under which the SAP DB software is installed. Each SAP DB instance also needs its own user, to whom all instance-dependent files (devspaces, logspaces, etc.) will later belong. The name format for this user is sqd<sid>. All SAP DB users must be members of the sapsys group.

  • If they do not already exist, all users and the sapsys group required to operate the SAP Database are generated automatically by the installation program for the SAP DB.

The SAP Content Server for Windows requires the following users for its operation:

  • When the operating system is started up, the Microsoft Internet Information Server (MS IIS) is started as the "World Wide Web" system service. For Windows 2000 the WWW service is started with the user "SYSTEM". For Windows 2003 the user is "NETWORK SERVICE". These users are set up in the operating system and cannot be changed.

  • Like the Microsoft Internet Information Server, the SAPDB instance for Windows is started as a system service, so a separate user is not required for the SAPDB instance.

SAPDB database user (Windows and UNIX):

  • During installation, the default database user SAPR3 with default password SAP is created so that the content server can log on to an SAP DB instance to access the repositories created there. The default password can be changed in report RSCMSPWS and transferred encrypted to the content server. Report RSCMSPWS does NOT change the password in the database - this step has to be done separately. Refer to notes 212394 and 661852.

The SAP Content Server is administered at runtime exclusively via URLs. To avoid unauthorized administration, the SAP Content Server has an AdminSecurity function. As soon as AdminSecurity is activated, the content server demands a user/password authentication (basic authentication) for all administration commands.

AdminSecurity features for UNIX:

  • Depending on the configuration, the user/password combination sent by the client is checked either against an NIS user database or against the local file /etc/passwd.

  • To prevent users with operating system access from inadvertently executing administration commands, the administrator user must belong to an AdminSecurityGroup.

    The AdminSecurityGroup can be freely assigned by the system administrator - it does not have to be the same group as the user group under which the SAP Content Server was installed. Depending on the user/password combination, the group is checked either against the NIS group database or the local file /etc/group.

    The profile parameter AuthService determines which user/group data is used for the authentication.

  • The configuration parameters AdminSecurityGroup and AuthService are available for UNIX only.
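The UNIX user and group requirements above, together with the AdminSecurityGroup membership, can be checked against passwd/group data before AdminSecurity is relied on. The following is an added example, not SAP code: the function names, the SID c11, the group name csadm and the sample records are constructed, and it covers local files (or `getent passwd` / `getent group` output in the same format), not a live NIS lookup.

```python
"""Audit passwd/group records against the SAP Content Server UNIX user rules."""

# Constructed sample data: c11cs is deliberately left out of sapsys.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
sapdb:x:501:400::/home/sapdb:/bin/sh
sqdc11:x:502:400::/home/sqdc11:/bin/sh
c11cs:x:503:100::/home/c11cs:/bin/sh
alice:x:1001:100::/home/alice:/bin/sh
+::::::
"""
SAMPLE_GROUP = "sapsys:x:400:\nusers:x:100:\ncsadm:x:410:alice\n"

def rows(text, nfields):
    """Yield colon-split records, skipping comments and NIS '+'/'-' compat lines."""
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) >= nfields and f[0] and f[0][0] not in "#+-" and f[2].isdigit():
            yield f

def members_of(group, users, groups):
    """Members by primary GID plus members listed in the group record."""
    if group not in groups:
        return set()
    gid, listed = groups[group]
    return listed | {u for u, (_, g) in users.items() if g == gid}

def audit(passwd_text, group_text, sid, admin_group, runtime_user=None):
    """Return (findings, sorted members of the AdminSecurityGroup)."""
    users = {f[0]: (int(f[2]), int(f[3])) for f in rows(passwd_text, 7) if f[3].isdigit()}
    groups = {f[0]: (int(f[2]), set(filter(None, f[3].split(",")))) for f in rows(group_text, 4)}
    sapsys = members_of("sapsys", users, groups)
    findings = []
    # <sid>cs / <sid>csc is only the recommended name; runtime_user overrides it.
    wanted = [runtime_user] if runtime_user else [f"{sid}cs", f"{sid}csc"]
    runtime = [u for u in wanted if u in users]
    if not runtime:
        findings.append("no runtime user found: " + " or ".join(wanted))
    for u in runtime:
        if users[u][0] == 0:
            findings.append(f"{u} has UID 0; the runtime user must be unprivileged")
        if u not in sapsys:
            findings.append(f"{u} is not a member of sapsys")
    for u in ("sapdb", f"sqd{sid}"):
        if u not in users:
            findings.append(f"missing SAP DB user {u}")
        elif u not in sapsys:
            findings.append(f"{u} is not a member of sapsys")
    admins = members_of(admin_group, users, groups)
    if not admins:
        findings.append(f"AdminSecurityGroup {admin_group} is missing or empty")
    return findings, sorted(admins)
```

The second return value lists every account that passes the AdminSecurityGroup check, which is the set to review when administration rights change.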

AdminSecurity features for Windows:

  • The system uses the user/password combination sent by the client to check whether the file ContentServer.INI can be opened. When the content server is installed, this file, which needs special protection, is assigned to all the users in the "administrators" group. Local and domain administrators are given the same authorizations. In particular, fully-qualified domain users can be passed to the SAP Content Server for Windows for the authentication check.

Overview of the required users

| System | User | Group | Delivered? | Type | Default Password | Detailed Description |
|---|---|---|---|---|---|---|
| UNIX Local/NIS | <sid>cs, <sid>csc | sapsys (recommended) | Must be created by Administrator before Installation | Technical User | No default | Runtime user for the SAP Content Server, SAP Content Server Cache |
| UNIX Local/NIS | sapdb | sapsys (mandatory) | Yes | Technical User | Asked during installation | Technical user that owns all SAP DB software |
| UNIX Local/NIS | sqd<sid> | sapsys (mandatory) | Yes | Technical User | Asked during installation | Runtime user for SAPDB instance |
| UNIX Local/NIS | Administrator (no naming convention) | Member of AdminSecurityGroup (any valid user group) | No | Administrator | No default | See above |
| Windows Local/Domain | Any | Member of administrators | No | Administrator | No default | See above |
| SAPDB Instance | SAPR3 | N/A | Yes | DB-User | SAP | See above |
| SAPDB Instance | control | N/A | Yes | DB-User | control | Database Manager User (DBM user) for monitoring and managing the database system |
| SAPDB Instance | superdba | N/A | Yes | DB-User | admin | Database Administration User (DBA User) creates new users and is the owner of the system tables |
| SAPDB Instance | domain | N/A | Yes | DB-User | domain | Domain user is responsible for the maintenance of the system tables |