database security for oracle[1]
TRANSCRIPT
8/7/2019 Database Security for Oracle[1]
http://slidepdf.com/reader/full/database-security-for-oracle1 1/11
W h i t e P a p e r :
O r a c l e D a t a b a s e A d m i n is t r a t i o n
D a t a b a s e S e c u r i t y f o r
O r a c l e
F e b r u a r y 2 0 0 8
8/7/2019 Database Security for Oracle[1]
http://slidepdf.com/reader/full/database-security-for-oracle1 2/11
SAP Copyrights and Trademarks
© Copyright 2008 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in anyform or for any purpose without the express permission of SAP AG.
The information contained herein may be changed without prior
notice..
Some software products marketed by SAP AG and its distributors
contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered
trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex,
MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries,
xSeries, zSeries, System i, System i5, System p, System p5, System x,
System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere,
Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+,
OpenPower and PowerPC are trademarks or registered trademarks of
IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either
trademarks or registered trademarks of Adobe Systems Incorporated in
the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the
Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,
VideoFrame, and MultiWin are trademarks or registered trademarks of
Citrix Systems, Inc.
HTML, XML, XHTML, and W3C are trademarks or registered
trademarks of W3C®, World Wide Web Consortium, Massachusetts
Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used
under license for technology invented and implemented by Netscape.
SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge,
ByDesign, SAP Business ByDesign, and other SAP products and
services mentioned herein as well as their respective logos are
trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world. All other product and
service names mentioned are the trademarks of their respective
companies. Data contained in this document serves informational
purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials
are provided by SAP AG and its affiliated companies ("SAP Group")
for informational purposes only, without representation or warranty of
any kind, and SAP Group shall not be liable for errors or omissions
with respect to the materials. The only warranties for SAP Group
products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any.
Nothing herein should be construed as constituting an additional
warranty.
Where to Find this Documentation
You can find this documentation at the following address:
h t t p : //w w w . s d n . s a p . c o m /i r j /s d n / o r a
S A P A GNeurottstraße 1669190 WalldorfGermany
T +49/18 05/34 34 24F +49/18 05/34 34 20w w w . s a p . c o m
8/7/2019 Database Security for Oracle[1]
http://slidepdf.com/reader/full/database-security-for-oracle1 3/11
Typographic Conventions
Type Style Represents
Example Text Words or characters quoted fromthe screen. These include fieldnames, screen titles,pushbuttons labels, menunames, menu paths, and menuoptions.
Cross-references to other
documentation.
Example text Emphasized words or phrases inbody text, graphic titles, andtable titles.
EXAMPLE TEXT Technical names of systemobjects. These include reportnames, program names,transaction codes, table names,and key concepts of aprogramming language whenthey are surrounded by bodytext, for example, SELECT and
INCLUDE.
Example text Output on the screen. Thisincludes file and directory namesand their paths, messages,names of variables andparameters, source text, andnames of installation, upgradeand database tools.
Example text Exact user entry. These arewords or characters that youenter in the system exactly asthey appear in the
documentation.
<Example text> Variable user entry. Anglebrackets indicate that youreplace these words andcharacters with appropriateentries to make entries in thesystem.
EXAMPLE TEXT Keys on the keyboard, forexample, F2 or ENTER.
Icons
Icon Meaning
Caution
Example
Note
Recommendation
Syntax
8/7/2019 Database Security for Oracle[1]
http://slidepdf.com/reader/full/database-security-for-oracle1 4/11
Database Security for Oracle
February 2008 4
Contents
Intr odu cti on ....................................................................................................... 5
Requir ements o f the DBA Tools ........................................................................ 5
Database User OPS$<SID>ADM ......................................................................................... 5
BRBACKUP, BRARCHIVE, and BRCONNECT..................................................................... 5
BRRECOVER, BRRESTORE, and BRSPACE....................................................................... 5
Requirements fo r Backups Using RMAN ........................................................... 5
The OPS$ Mechan ism ..................... ....................... ...................... ...................... 6
Examples of User Conf igurations (UNIX)........................................................... 8
Addi tional Info rmat ion ..................................................................................... 11
SAP Lib rary ...................................................................................................................... 11
SAP Notes ........................................................................................................................ 11
8/7/2019 Database Security for Oracle[1]
http://slidepdf.com/reader/full/database-security-for-oracle1 5/11
Database Security for Oracle
February 2008 5
Introduction
The security issues in the two-user concept (ora<sid>, <sid>adm (UNIX) or <SID>ADM,
SAPSERVICE<SID> (Windows)) made it necessary to consider a global solution in the area ofdatabase security. This document is intended to explain the overall context and the improvementsmade in this area.
Requirements of the DBA Tools
Database User OPS$<SID>ADM
The database user OPS$<SID>ADM is created in the database. It has the SAPDBA role and
remote_os_authent is set to TRUE. The SAPDBA role is necessary to schedule BR*Tools fromSAP CCMS.
The parameter remote_os_authent must be set to TRUE, because the SAP database has to set upa remote connection for the SAP system, and the OPS$ mechanism is used to protect the passwordof the user SAP<SID> in the SAPUSER table.
BRBACKUP, BRARCHIVE, and BRCONNECT
Since BRBACKUP has to start up and shut down the database, for Oracle versions lower than 8 theSYSDBA role was necessary, that is, <sid>adm had to belong to the UNIX group dba or to theWindows local group ORA_<SID>_DBA.
In Oracle versions greater than or equal to 8, a SYSOPER role with reduced authorizations can also beused. The analogous UNIX group is oper. On Windows, the local group is ORA_<SID>_OPER.
BRBACKUP calls SQLPLUS with connect / as sysoper.
Therefore, from the point of view of BRBACKUP, the UNIX group of the <sid>adm could be oper,
the Windows group ORA_<SID>_OPER.
Furthermore, BRBACKUP and BRARCHIVE must have full access to the SAP<SID> tables SDBAD,SDBAH, and other DBA tables. The required privileges are part of the SAPDBA role. Thus appropriateoperating system groups and the SAPDBA role are sufficient for BRBACKUP and BRARCHIVE toperform backups using cpio, dd or BACKINT interface.
BRCONNECT also needs the same privileges.
BRRECOVER, BRRESTORE, and BRSPACE
BRRECOVER and BRRESTORE perform database recovery whereas BRSPACE performs, amongother things, tablespace management. These tools need the SYSDBA privilege to perform thesefunctions. This privilege is normally granted through the UNIX group dba or the Windows group
ORA_<SID>_DBA.
Since these tools also need special file system rights to create database files, make sure that you onlycall them as the UNIX user ora<sid> or the Windows user <SID>ADM.
Requirements for Backups Using RMAN
BRBACKUP and BRARCHIVE support backups using the Oracle Recovery Manager (RMAN). Toperform database backups, RMAN requires SYSDBA authority. To enable RMAN backups (forexample, incremental backups) from the transaction DBACOCKPIT or DB13 (DBA PlanningCalendar), the OS users <sid>adm (UNIX) and SAPSERVICE<SID> (Windows) must be entered inthe corresponding operating system groups:
8/7/2019 Database Security for Oracle[1]
http://slidepdf.com/reader/full/database-security-for-oracle1 6/11
Database Security for Oracle
February 2008 6
UNIX
OS User OS Group DB Role DB User
ora<sid> dba
oper
SYSDBA
SYSOPER
SAPDBA
OPS$ORA<SID>
<sid>adm dba
oper
SYSDBA
SYSOPER
SAPDBA
OPS$<SID>ADM
Windows
OS User OS Group DB Role DB User
<SID>ADM ORA_<SID>_DBA
ORA_<SID>_OPER
SYSDBA
SYSOPER
SAPDBA
OPS$<SID>ADM
SAPSERVICE<SID> ORA_<SID>_DBA
ORA_<SID>_OPER
SYSDBA
SYSOPER
SAPDBA
OPS$SAPSERVICE<SID>
We assume that the option –u / is used (see next section).
The OPS$ MechanismThe Oracle OPS$ Mechanism moves the entire database security mechanism to the operating systemlevel. The prerequisite is that a database user OPS$<OS_user>, corresponding to the operating
system user (OS_user) is defined in the database, and identified externally.
When you have successfully logged on with the operating system user, you can then connect to thedatabase with SQL> connect / , without entering a password. You then work there as
OPS$<OS_user>. For example, you can start BRBACKUP in the same way:
OS> brbackup -u /
The OPS$ Mechanism is also always used when, for example, you call BRBACKUP, BRARCHIVE orBRCONNECT from the transaction DBACOCKPIT or DB13 of the SAP system.
8/7/2019 Database Security for Oracle[1]
http://slidepdf.com/reader/full/database-security-for-oracle1 7/11
Database Security for Oracle
February 2008 7
OPS$ Mechanism for SAP
SYSDBASYSOPERSAPDBA
BR-TOOL
OPS$<SID>ADM
User
DatabaseRole
Configuration
Logon Context
unix <sid>adm / <password>
OS userlogon
<sid>admdbaoper
ora<sid> rsx rwx r-x brarchive
User Group
ora<sid> rsx rwx r-x brbackup
OS> brarchive -u /
OS> brbackup -u /
DB
Definition OPS$<SID>ADMidentified “externally”
UNIX ContextDatabase Context
DB Role
8/7/2019 Database Security for Oracle[1]
http://slidepdf.com/reader/full/database-security-for-oracle1 8/11
Database Security for Oracle
February 2008 8
Examples of User Configurations (UNIX)You can use different user configurations at the operating system level to meet the various securityrequirements in your organization.
Configuration 1: A Database Administrator with All Authorizations.
This configuration corresponds to the SAP standard installation. One employee has fullresponsibility for database administration with BR*Tools and other database tools. This employee canalso execute all actions possible in this context as the UNIX user ora<sid>. In this case, you do nothave to take any other security aspects into consideration, and the following user configuration issensible. The database administrator knows the UNIX password of the user ora<sid>. When loggedon under this password, the administrator has a high authorization level.
The user ora<sid> can start BR*Tools directly at operating system level, and can also access thedatabase directly and manipulate database objects.
User Configuration 1
dba+oper
BRBACKUP
ora<sid>
OS user OS group
Configuration
Logon Context
unix ora<sid> / <password>
OS userlogon
<sid>adm dba +oper
ora<sid> rsx rwx r-x brbackup
OS user OS group
OS> brbackup
UNIX contextUNIX context
Configuration 2: An Employee with Operator Authorization
The operator is authorized to back up the database (but not with RMAN), and to call BRCONNECTwith certain command options, such as –f check, -f next, -f stats, -f cleanup. The operatorcan also start up and shut down the database, but only has limited authorization to read or modify data(that is, only data that are needed to run BRBACKUP, BRARCHIVE, and BRCONNECT, but noapplication data). Only the administrator can restore backups.
8/7/2019 Database Security for Oracle[1]
http://slidepdf.com/reader/full/database-security-for-oracle1 9/11
Database Security for Oracle
February 2008 9
User Configuration 2
dba+oper
BRCONNECT
ora<sid>
OS user OS group
Configuration
Logon Context
unix <sid>adm / <password>
OS userlogon
<sid>adm oper
ora<sid> rsx rwx r-x brconnect
OS user OS group
ora<sid> rwx r-x --- sqlplus
OS> brconnect –f check
UNIX contextUNIX context
BRCONNECT belongs to ora<sid>, but can be called by any user. Due to the set s-bit,
BRCONNECT runs with the authorizations of the user ora<sid>.
The operator logs on as the user <sid>adm. This user belongs to the group oper. This allows the
user to start up and shut down the database. This does not fully correspond to the standardconfiguration for SAP, since <sid>adm does not belong to the dba group. The user <sid>adm has a
corresponding OPS$ database user as standard (OPS$<sid>adm). This OPS$ user is granted theSAPDBA role on the database and can, therefore, read the Oracle Dictionary tables and write in theDBA log tables in the database.
The OPS$ mechanism is activated automatically for the standard user <sid>adm during installation.
You can use the OPS$ mechanism by calling BRCONNECT with the option -u /.
brconnect -u / -f check
brbackup -u / -q
The operator then has full administration authorization for the SAP system (but not for thedatabase). If you want to keep privileges for the database separate from privileges for theSAP system, you must set up a separate OS user with the operator authorizationsdescribed above (see “Configuration 3” below).
If the standard password is changed from user SYSTEM and the OPS$ Mechanism is not
used, then you must call BRCONNECT, BRBACKUP, and so on, with the option -u.
8/7/2019 Database Security for Oracle[1]
http://slidepdf.com/reader/full/database-security-for-oracle1 10/11
8/7/2019 Database Security for Oracle[1]
http://slidepdf.com/reader/full/database-security-for-oracle1 11/11
Database Security for Oracle
February 2008 11
Additional Information
SAP Library
You can find more information on Oracle database administration and the contents of this document inthe SAP Library as follows:
All paths refer to Release SAP NetWeaver Process Integration 7.1 of the SAP Library.
1. Call up the SAP Help Portal at help.sap.com/nwpi71 → KNOWLEDGE CENTER FOR SAP
NETWEAVER PROCESS INTEGRATION 7.1 → SAP NetWeaver Process Integration Library English .
2. Choose one of the following:
o Administrator’s Guide → Technical Operations for SAP NetWeaver → Administration of
Databases → Database Administration for Oracle → SAP Database Guide: Oracle o Administrator’s Guide → Security Guide → Security Guides for the Operating System
and Database Platforms → Database Access Protection → Oracle Under UNIX or Oracle on Windows
You can also find these plus selected extracts from the SAP Library at:
www.sdn.sap.com/irj/sdn/ora → SAP on Oracle Knowledge Center → SAPDocumentation in Help Portal
SAP Notes
You can find SAP Notes at:
service.sap.com/notes