Operating System Users and Groups & Database Users and Roles

Operating System Users

In the SAP system the roles of the users ora<dbsid> and <sapsid>adm on UNIX, or <sapsid>adm and SAPSERVICE<SID> on Windows, used to be separate. Due to the requirements for RMAN backup, this is no longer true. Both users now belong to the operating system groups dba andoper, as shown in the tables below.

Database Roles

·        SYSDBA
All authorizations

·        SYSOPER
Operator activities, but no read or write authorizations.

·        SAPDBA
Read and write authorizations to work with BR*Tools command options, and therefore the DBA functions in the Computer Center Management System (CCMS).

To be able to use the CCMS DBA functions or BR*Tools command options without restrictions, the OPS$ user must have both the SYSOPER role and the SAPDBA role.

Operating System Users and Groups, Database Users and Roles

UNIX

Operating System Users	Operating System Group	Database Role	Database Users
ora<dbsid>	dba oper	SYSDBA SYSOPER	OPS$ORA<DBSID>
<sapsid>adm	dba oper	SYSDBA SYSOPER	OPS$<SAPSID>ADM

 

Windows

Operating System Users	Operating System Group	Database Role	Database Users
<sapsid>adm	ORA_<SID>_DBA ORA_<SID>_OPER	SYSDBA SYSOPER	(SYS) OPS$<DOMAIN>\<SAPSID>ADM
SAPSERVICE<SID>	ORA_<SID>_DBA ORA_<SID>_OPER	SYSDBA SYSOPER	OPS$<DOMAIN>\SAPSERVICE<SID>

The OS group on Windows can also be specified globally (without instance name) (ORA_DBA, ORA_OPER).

OPS$ Database User

The Oracle OPS$ mechanism moves the entire DB security mechanism to the operating system level.

The prerequisite is that a DB user OPS$<OS_user> corresponding to the OS user is defined on the database, and identified as externally. It must have been granted the SAPDBA role.

Once you have logged on successfully with the OS user, you can connect to the database with:

 SQL>connect /

This means you do not have to enter another password. You are then working as OPS$<OS_user>. In the same way you can start the program BRBACKUP with:

OS> brbackup –u /

This OPS$ mechanism is always used if you call BR*Tools from the CCMS transaction DB13 in the SAP System.

The OPS$ Mechanism (UNIX)

BR*Tools Database User

The standard DB user used by BR*Tools is always SYSTEM. BR*Tools connects with the Oracle option AS SYSOPER or AS SYSDBA for actions such as startup, shutdown, recover and so on, as well as selecting from V$ tables when the database is not open.