Show TOC

Background documentationProtecting the SAP Database User

 

To protect access to the SAPUSER table and the SAP database user SAP<SAPSID>, or SAPR3 you must do the following:

  • Change the passwords for SAP<SAPSID> or SAPR3, and <sapsid>adm regularly.

  • Only define OPS$ users for the Windows users that are necessary for operating the SAP system.

    These are typically the users SAPService<SAPSID> and <sapsid>adm; however, you may assign them other names. In this guide, we refer to SAPService<SAPSID> and <sapsid>adm). For more information about creating OPS$ users on Windows, see SAP note 50088Information published on SAP site.

  • With the Oracle network protocol SQL*Net, you can also use the file sqlnet.ora to restrict access to the database using IP addresses. In this file, you specify invited and excluded IP addresses. In this way, you can make sure that only specific hosts (for example, only the application server host) can access the database.

Example Example

tcp.validnode_checking = yes

tcp.invited_nodes = (139.185.5.73, ...)

or:

tcp.excluded_nodes = (139.185.6.71, ...)

End of the example.

More Information

Changing Passwords for SAP Database Users with BRCONNECT