
White Paper: Oracle Database Administration

Database Security for Oracle

February 2006

SAP AG
Neurottstraße 16
69190 Walldorf
Germany
T +49/18 05/34 34 24
F +49/18 05/34 34 20
www.sap.com

© Copyright 2006 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks of IBM Corp. in USA and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials.

The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.

Documentation in the SAP Service Marketplace
You can find this documentation at the following address:
http://service.sap.com/dbaora


Typographic Conventions

Type Style: Represents

Example Text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Cross-references to other documentation.

Example text: Emphasized words or phrases in body text, titles of graphics and tables.

EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.

Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code as well as names of installation, upgrade and database tools.

Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

EXAMPLE TEXT: Keys on the keyboard, for example, function keys (such as F2) or the Enter key.

Icons

Icon: Meaning

Caution
Example
Note
Recommendation
Syntax

Contents

Introduction  5
Requirements of the DBA Tools  5
  Database User OPS$<SID>ADM  5
  BRBACKUP and BRARCHIVE  5
  BRRECOVER and BRSPACE  5
Requirements for Backups Using RMAN  5
The OPS$ Mechanism  6
Examples of User Configurations (UNIX)  8
Additional Information  11
  SAP Library  11
  SAP Notes  11


Introduction
The security issues in the two-user concept (ora<sid>, <sid>adm (UNIX) or <SID>ADM,
SAPSERVICE<SID> (Windows)) made it necessary to consider a global solution in the area of
database security. This document is intended to explain the overall context and the improvements
made in this area.

Requirements of the DBA Tools

Database User OPS$<SID>ADM


The database user OPS$<SID>ADM is created in the database. It has the SAPDBA role, and the
initialization parameter remote_os_authent is set to TRUE. The SAPDBA role is necessary to schedule
BR*Tools from CCMS.
The parameter remote_os_authent must be set to TRUE because the SAP system has to set up a
remote connection to the database, and the OPS$ mechanism is used to protect the password of the
user SAP<SID> in the SAPUSER table.

BRBACKUP and BRARCHIVE


Since BRBACKUP has to start up and shut down the database, for Oracle versions lower than 8 the
SYSDBA role was necessary, that is, <sid>adm had to belong to the UNIX group dba or to the
Windows local group ORA_<SID>_DBA.
In Oracle versions greater than or equal to 8, the SYSOPER role, which has reduced authorizations, can
also be used. The analogous UNIX group is oper. On Windows, the local group is ORA_<SID>_OPER.
BRBACKUP calls SQLPLUS with connect / as sysoper.
Therefore, from the point of view of BRBACKUP, the UNIX group of <sid>adm can be oper and the
Windows group ORA_<SID>_OPER.
Furthermore, BRBACKUP and BRARCHIVE must have full access to the SAP<SID> tables SDBAD,
SDBAH, and other DBA tables. The required privileges are part of the SAPDBA role. Thus the
appropriate operating system groups and the SAPDBA role are sufficient for BRBACKUP and
BRARCHIVE to perform backups using cpio, dd, or the BACKINT interface. The same privileges are
also needed by BRCONNECT.

BRRECOVER and BRSPACE


BRRECOVER performs database recovery whereas BRSPACE performs, among other things,
tablespace management. These tools need the SYSDBA privilege to perform these functions. This
privilege is normally granted through the UNIX group dba or the Windows group ORA_<SID>_DBA.
Since these tools also need special file system rights to create database files, make sure that you only
call them as the UNIX user ora<sid> or the Windows user <SID>ADM.

Requirements for Backups Using RMAN


BRBACKUP and BRARCHIVE support backups using the Oracle Recovery Manager (RMAN). To
perform database backups, RMAN requires SYSDBA authority. To enable RMAN backups (for
example, incremental backups) from the CCMS transaction DB13 (DBA Planning Calendar), the OS
users <sid>adm (UNIX) and SAPSERVICE<SID> (Windows) must be entered in the corresponding
operating system groups:


UNIX

OS User     OS Group   DB Role   DB User
ora<sid>    dba        SYSDBA    OPS$ORA<SID>
            oper       SYSOPER
<sid>adm    dba        SYSDBA    OPS$<SID>ADM
            oper       SYSOPER
                       SAPDBA

Windows

OS User            OS Group         DB Role   DB User
<SID>ADM           ORA_<SID>_DBA    SYSDBA    OPS$<SID>ADM
                   ORA_<SID>_OPER   SYSOPER
SAPSERVICE<SID>    ORA_<SID>_DBA    SYSDBA    OPS$SAPSERVICE<SID>
                   ORA_<SID>_OPER   SYSOPER
                                    SAPDBA

We assume that the option -u / is used (see next section).

The OPS$ Mechanism


The Oracle OPS$ mechanism moves the entire database security mechanism to the operating system
level. The prerequisite is that a database user OPS$<OS_user>, corresponding to the operating
system user (OS_user), is defined and identified externally.
Once you have successfully logged on as the operating system user, you can connect to the
database with SQL> connect / without entering a password. You then work there as
OPS$<OS_user>. For example, you can start BRBACKUP in the same way:
OS> brbackup -u /
The OPS$ mechanism is also always used when, for example, you call BRARCHIVE or BRBACKUP
from the CCMS transaction DB13 of the SAP System.


[Figure: OPS$ Mechanism for SAP. Logon context: the UNIX user <sid>adm logs on with <password>. Database context: the DB user OPS$<SID>ADM is defined as identified "externally" and holds the SAPDBA role; the DB roles SYSDBA and SYSOPER come from the user's OS groups. UNIX context: the OS user <sid>adm belongs to the groups dba and oper; the BR*Tools brarchive and brbackup belong to ora<sid> with the s-bit set (mode rsx rwx r-x) and are called as "brarchive -u /" and "brbackup -u /".]


Examples of User Configurations (UNIX)


You can use differing user configurations at the operating system level to meet the various security
requirements in your organization.

Configuration 1: A Database Administrator with All Authorizations.


This configuration corresponds to the SAP standard installation. One employee has full
responsibility for database administration with BR*Tools and other database tools. This employee can
also execute all actions possible in this context as the UNIX user ora<sid>. In this case, you do not
have to take any other security aspects into consideration, and the following user configuration is
sensible. The database administrator knows the UNIX password of the user ora<sid>. When logged
on under this password, the administrator has a high authorization level.
The user ora<sid> can start BR*Tools directly at operating system level, and can also access the
database directly and manipulate database objects.

[Figure: User Configuration 1. Logon context: the UNIX user ora<sid> logs on with <password>. Configuration: OS user ora<sid> in OS groups dba+oper; OS user <sid>adm in OS groups dba+oper. UNIX context: brbackup belongs to ora<sid> with the s-bit set (mode rsx rwx r-x) and is called directly as "brbackup".]

Configuration 2: An Employee with Operator Authorization


The operator is authorized to back up the database (but not with RMAN), and to call BRCONNECT
with certain command options, such as -f check, -f next, -f stats, and -f cleanup. The operator
can also start up and shut down the database, but only has limited authorization to read or modify data
(that is, only the data needed to run BRCONNECT, BRBACKUP, and BRARCHIVE, but no
application data). Only the administrator can restore backups.


[Figure: User Configuration 2. Logon context: the UNIX user <sid>adm logs on with <password>. Configuration: OS user ora<sid> in OS groups dba+oper; OS user <sid>adm in OS group oper. UNIX context: brconnect belongs to ora<sid> with the s-bit set (mode rsx rwx r-x) and is called as "brconnect -f check"; sqlplus belongs to ora<sid> with mode rwx r-x --- (not executable by other users).]

BRCONNECT belongs to ora<sid>, but can be called by any user. Due to the set s-bit,
BRCONNECT runs with the authorizations of the user ora<sid>.
The operator logs on as the user <sid>adm. This user belongs to the group oper. This allows the
user to start up and shut down the database. This does not fully correspond to the standard
configuration for SAP, since <sid>adm does not belong to the dba group. The user <sid>adm has a
corresponding OPS$ database user as standard (OPS$<sid>adm). This OPS$ user is granted the
SAPDBA role on the database and can therefore read the Oracle dictionary tables and write to the
DBA log tables in the database.
The OPS$ mechanism is activated automatically for the standard user <sid>adm during installation.
You use the OPS$ mechanism by calling BRCONNECT with the option -u /:

brconnect -u / -f check
brbackup -u / -q

Note: The operator then has full administration authorization for the SAP System (but not for the
database). If you do not want this, you must set up a separate OS user with the operator
authorizations described above (see "Configuration 3" below).

Note: If the standard password of the user SYSTEM has been changed and the OPS$ mechanism is
not used, you must call BRCONNECT, BRBACKUP, and so on, with the option -u.


Configuration 3: An Employee Who Can Only Perform Selected Operations.


This configuration is for when you require a security mechanism for BR*Tools on UNIX with the
following features:
• Only authorized DBA operators are allowed to execute BR*Tools operations. Such users have
no other database access rights.
• Authorized DBA operators must not know the password of ora<sid> or <sid>adm and
must not belong to the dba or oper groups.
• BR*Tools operations are logged continuously, including the ID of the person executing the
operation. This person must not be able to manipulate these logs.
To achieve this level of security, BR*Tools executables are placed in a separate directory and given
special rights. The new UNIX group required for the authorized DBA operators is dboper, which must
contain all such users. If BR*Tools are also called under the user <sapsid>adm (for example, using
transaction DB13, the DBA Planning Calendar), this user must also belong to the group dboper.
For more information, see SAP Note 832662.

[Figure: User Configuration 3. Logon context: the UNIX user <employee> logs on with <password>. Configuration: OS user ora<sid> in OS groups dba+oper; OS user <sid>adm in OS group dboper; OS user <employee> in OS group dboper. UNIX context: brbackup and brspace belong to ora<sid> with the s-bit set (mode rsx rsx r-x) and are called as "brbackup -u /" and "brspace -u /".]

BRBACKUP belongs to ora<sid>, but can be called by any user <employee> in the group dboper. Due
to the set s-bit, BRBACKUP runs with the authorizations of the user ora<sid>.
You can start BRBACKUP with brbackup -u /, and therefore work as the database user OPS$ora<sid>,
to perform backups. To use this mechanism, the user OPS$ora<sid> with the SAPDBA role granted
has to be defined in the database.
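The following audit script is an added example, not part of this white paper or of BR*Tools. It checks the two properties that Configuration 3 relies on: that a BR*Tools executable belongs to ora<sid>, carries the s-bit, and can be run only by members of the operator group, and that an operator account is in dboper but not in dba or oper. The expected owner and group names are parameters; the rule "executable by the group, not by others" is this script's reading of the requirement that only authorized DBA operators may execute BR*Tools operations, and the directory used in the demonstration is constructed.

```shell
#!/bin/sh
# Audit helper for the BR*Tools layout of Configuration 3 (added example, not SAP code).
# Assumed names: owner ora<sid>, operator group dboper; the demo directory is constructed.

# First ten characters of the ls -ld mode string, e.g. -rwsr-x--- (works with GNU and BSD ls).
mode_of()  { ls -ld "$1" | awk '{print $1}' | cut -c1-10; }
owner_of() { ls -ld "$1" | awk '{print $3}'; }
group_of() { ls -ld "$1" | awk '{print $4}'; }

# check_brtool FILE OWNER GROUP: returns 0 if FILE is OWNER:GROUP, has the setuid bit,
# is executable by the group and is not executable by others; otherwise reports and returns 1.
check_brtool() {
  f=$1; m=$(mode_of "$f")
  [ "$(owner_of "$f")" = "$2" ] || { echo "$f: owner is $(owner_of "$f"), expected $2" >&2; return 1; }
  [ "$(group_of "$f")" = "$3" ] || { echo "$f: group is $(group_of "$f"), expected $3" >&2; return 1; }
  case "$m" in
    ???s??x???) ;;                                   # owner s-bit and group execute present
    *) echo "$f: mode $m lacks setuid or group execute" >&2; return 1 ;;
  esac
  case "$m" in
    ?????????[xt]) echo "$f: mode $m is executable by others" >&2; return 1 ;;
  esac
  return 0
}

# user_in_group USER GROUP: 0 if USER is a member of GROUP (primary or supplementary).
user_in_group() {
  for g in $(id -Gn "$1" 2>/dev/null); do [ "$g" = "$2" ] && return 0; done
  return 1
}

# check_operator USER: an operator must be in dboper and must not be in dba or oper.
check_operator() {
  user_in_group "$1" dboper || { echo "$1: not in dboper" >&2; return 1; }
  for g in dba oper; do
    user_in_group "$1" "$g" && { echo "$1: must not be in $g" >&2; return 1; }
  done
  return 0
}

# Demonstration on a constructed directory; a real run points at the BR*Tools directory.
demo() {
  d=$(mktemp -d); own=$(id -un); grp=$(id -gn)
  : > "$d/brbackup"; chgrp "$grp" "$d/brbackup"; chmod 4750 "$d/brbackup"
  check_brtool "$d/brbackup" "$own" "$grp"; rc=$?
  rm -rf "$d"; return $rc
}
```

On a real system, run check_brtool against each BR*Tools binary with ora<sid> and dboper as arguments, and check_operator against each operator account.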


Additional Information

SAP Library
You can find more information on Oracle database administration in the SAP Library from any of the
following:

All paths refer to Release NW2004s of the SAP Library.


1. Call up the SAP Help Portal at help.sap.com/nw2004s.
2. Choose English → SAP NetWeaver Library → SAP NetWeaver by Key Capability.
3. Choose one of the following:
   o Application Platform by Key Capability → Platform-Wide Services → Database Support
     → Oracle → SAP Database Guide.
   o Security → SAP NetWeaver Security Guide → Security Guides for the Operating System and
     Database Platforms → Database Access Protection → Oracle Under UNIX or Oracle
     Under Windows.

You can find extracts from the SAP Library in the SAP Service Marketplace at:
service.sap.com/dbaora → General
However, we recommend you to use the SAP Library as described above, because not all
links function correctly in these extracts.

SAP Notes
You can find SAP Notes in the SAP Service Marketplace at:
service.sap.com/notes
