database security for oracle[1]

8/7/2019 Database Security for Oracle[1]

http://slidepdf.com/reader/full/database-security-for-oracle1 1/11

W h i t e P a p e r :

O r a c l e D a t a b a s e A d m i n is t r a t i o n

D a t a b a s e S e c u r i t y f o r

O r a c l e

F e b r u a r y 2 0 0 8



SAP Copyrights and Trademarks

© Copyright 2008 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in anyform or for any purpose without the express permission of SAP AG.

The information contained herein may be changed without prior

notice..

Some software products marketed by SAP AG and its distributors

contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered

trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex,

MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries,

xSeries, zSeries, System i, System i5, System p, System p5, System x,

System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere,

Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+,

OpenPower and PowerPC are trademarks or registered trademarks of

IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either

trademarks or registered trademarks of Adobe Systems Incorporated in

the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the

Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame,

VideoFrame, and MultiWin are trademarks or registered trademarks of

Citrix Systems, Inc.

HTML, XML, XHTML, and W3C are trademarks or registered

trademarks of W3C®, World Wide Web Consortium, Massachusetts

Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used

under license for technology invented and implemented by Netscape.

SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge,

ByDesign, SAP Business ByDesign, and other SAP products and

services mentioned herein as well as their respective logos are

trademarks or registered trademarks of SAP AG in Germany and in

several other countries all over the world. All other product and

service names mentioned are the trademarks of their respective

companies. Data contained in this document serves informational

purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials

are provided by SAP AG and its affiliated companies ("SAP Group")

for informational purposes only, without representation or warranty of

any kind, and SAP Group shall not be liable for errors or omissions

with respect to the materials. The only warranties for SAP Group

products and services are those that are set forth in the express

warranty statements accompanying such products and services, if any.

Nothing herein should be construed as constituting an additional

warranty.

Where to Find this Documentation

You can find this documentation at the following address:

h t t p : //w w w . s d n . s a p . c o m /i r j /s d n / o r a

S A P A GNeurottstraße 1669190 WalldorfGermany

T +49/18 05/34 34 24F +49/18 05/34 34 20w w w . s a p . c o m



Typographic Conventions

Type Style Represents

Example Text Words or characters quoted fromthe screen. These include fieldnames, screen titles,pushbuttons labels, menunames, menu paths, and menuoptions.

Cross-references to other

documentation.

Example text Emphasized words or phrases inbody text, graphic titles, andtable titles.

EXAMPLE TEXT Technical names of systemobjects. These include reportnames, program names,transaction codes, table names,and key concepts of aprogramming language whenthey are surrounded by bodytext, for example, SELECT and

INCLUDE.

Example text Output on the screen. Thisincludes file and directory namesand their paths, messages,names of variables andparameters, source text, andnames of installation, upgradeand database tools.

Example text Exact user entry. These arewords or characters that youenter in the system exactly asthey appear in the

documentation.

<Example text> Variable user entry. Anglebrackets indicate that youreplace these words andcharacters with appropriateentries to make entries in thesystem.

EXAMPLE TEXT Keys on the keyboard, forexample, F2 or ENTER.

Icons

Icon Meaning

Caution

Example

Note

Recommendation

Syntax



Database Security for Oracle

February 2008 4

Contents

Intr odu cti on ....................................................................................................... 5

Requir ements o f the DBA Tools ........................................................................ 5

Database User OPS$<SID>ADM ......................................................................................... 5

BRBACKUP, BRARCHIVE, and BRCONNECT..................................................................... 5

BRRECOVER, BRRESTORE, and BRSPACE....................................................................... 5

Requirements fo r Backups Using RMAN ........................................................... 5

The OPS$ Mechan ism ..................... ....................... ...................... ...................... 6

Examples of User Conf igurations (UNIX)........................................................... 8

Addi tional Info rmat ion ..................................................................................... 11

SAP Lib rary ...................................................................................................................... 11

SAP Notes ........................................................................................................................ 11




February 2008 5

Introduction

The security issues in the two-user concept (ora<sid>, <sid>adm (UNIX) or <SID>ADM,

SAPSERVICE<SID> (Windows)) made it necessary to consider a global solution in the area ofdatabase security. This document is intended to explain the overall context and the improvementsmade in this area.

Requirements of the DBA Tools

Database User OPS$<SID>ADM

The database user OPS$<SID>ADM is created in the database. It has the SAPDBA role and

remote_os_authent is set to TRUE. The SAPDBA role is necessary to schedule BR*Tools fromSAP CCMS.

The parameter remote_os_authent must be set to TRUE, because the SAP database has to set upa remote connection for the SAP system, and the OPS$ mechanism is used to protect the passwordof the user SAP<SID> in the SAPUSER table.

BRBACKUP, BRARCHIVE, and BRCONNECT

Since BRBACKUP has to start up and shut down the database, for Oracle versions lower than 8 theSYSDBA role was necessary, that is, <sid>adm had to belong to the UNIX group dba or to theWindows local group ORA_<SID>_DBA.

In Oracle versions greater than or equal to 8, a SYSOPER role with reduced authorizations can also beused. The analogous UNIX group is oper. On Windows, the local group is ORA_<SID>_OPER.

BRBACKUP calls SQLPLUS with connect / as sysoper.

Therefore, from the point of view of BRBACKUP, the UNIX group of the <sid>adm could be oper,

the Windows group ORA_<SID>_OPER.

Furthermore, BRBACKUP and BRARCHIVE must have full access to the SAP<SID> tables SDBAD,SDBAH, and other DBA tables. The required privileges are part of the SAPDBA role. Thus appropriateoperating system groups and the SAPDBA role are sufficient for BRBACKUP and BRARCHIVE toperform backups using cpio, dd or BACKINT interface.

BRCONNECT also needs the same privileges.

BRRECOVER, BRRESTORE, and BRSPACE

BRRECOVER and BRRESTORE perform database recovery whereas BRSPACE performs, amongother things, tablespace management. These tools need the SYSDBA privilege to perform thesefunctions. This privilege is normally granted through the UNIX group dba or the Windows group

ORA_<SID>_DBA.

Since these tools also need special file system rights to create database files, make sure that you onlycall them as the UNIX user ora<sid> or the Windows user <SID>ADM.

Requirements for Backups Using RMAN

BRBACKUP and BRARCHIVE support backups using the Oracle Recovery Manager (RMAN). Toperform database backups, RMAN requires SYSDBA authority. To enable RMAN backups (forexample, incremental backups) from the transaction DBACOCKPIT or DB13 (DBA PlanningCalendar), the OS users <sid>adm (UNIX) and SAPSERVICE<SID> (Windows) must be entered inthe corresponding operating system groups:




February 2008 6

UNIX

OS User OS Group DB Role DB User

ora<sid> dba

oper

SYSDBA

SYSOPER

SAPDBA

OPS$ORA<SID>

<sid>adm dba

oper

SYSDBA

SYSOPER

SAPDBA

OPS$<SID>ADM

Windows

OS User OS Group DB Role DB User

<SID>ADM ORA_<SID>_DBA

ORA_<SID>_OPER

SYSDBA

SYSOPER

SAPDBA

OPS$<SID>ADM

SAPSERVICE<SID> ORA_<SID>_DBA

ORA_<SID>_OPER

SYSDBA

SYSOPER

SAPDBA

OPS$SAPSERVICE<SID>

We assume that the option –u / is used (see next section).

The OPS$ MechanismThe Oracle OPS$ Mechanism moves the entire database security mechanism to the operating systemlevel. The prerequisite is that a database user OPS$<OS_user>, corresponding to the operating

system user (OS_user) is defined in the database, and identified externally.

When you have successfully logged on with the operating system user, you can then connect to thedatabase with SQL> connect / , without entering a password. You then work there as

OPS$<OS_user>. For example, you can start BRBACKUP in the same way:

OS> brbackup -u /

The OPS$ Mechanism is also always used when, for example, you call BRBACKUP, BRARCHIVE orBRCONNECT from the transaction DBACOCKPIT or DB13 of the SAP system.




February 2008 7

OPS$ Mechanism for SAP

SYSDBASYSOPERSAPDBA

BR-TOOL

OPS$<SID>ADM

User

DatabaseRole

Configuration

Logon Context

unix <sid>adm / <password>

OS userlogon

<sid>admdbaoper

ora<sid> rsx rwx r-x brarchive

User Group

ora<sid> rsx rwx r-x brbackup

OS> brarchive -u /

OS> brbackup -u /

DB

Definition OPS$<SID>ADMidentified “externally”

UNIX ContextDatabase Context

DB Role




February 2008 8

Examples of User Configurations (UNIX)You can use different user configurations at the operating system level to meet the various securityrequirements in your organization.

Configuration 1: A Database Administrator with All Authorizations.

This configuration corresponds to the SAP standard installation. One employee has fullresponsibility for database administration with BR*Tools and other database tools. This employee canalso execute all actions possible in this context as the UNIX user ora<sid>. In this case, you do nothave to take any other security aspects into consideration, and the following user configuration issensible. The database administrator knows the UNIX password of the user ora<sid>. When loggedon under this password, the administrator has a high authorization level.

The user ora<sid> can start BR*Tools directly at operating system level, and can also access thedatabase directly and manipulate database objects.

User Configuration 1

dba+oper

BRBACKUP

ora<sid>

OS user OS group

Configuration

Logon Context

unix ora<sid> / <password>

OS userlogon

<sid>adm dba +oper

ora<sid> rsx rwx r-x brbackup

OS user OS group

OS> brbackup

UNIX contextUNIX context

Configuration 2: An Employee with Operator Authorization

The operator is authorized to back up the database (but not with RMAN), and to call BRCONNECTwith certain command options, such as –f check, -f next, -f stats, -f cleanup. The operatorcan also start up and shut down the database, but only has limited authorization to read or modify data(that is, only data that are needed to run BRBACKUP, BRARCHIVE, and BRCONNECT, but noapplication data). Only the administrator can restore backups.




February 2008 9

User Configuration 2

dba+oper

BRCONNECT

ora<sid>

OS user OS group

Configuration

Logon Context

unix <sid>adm / <password>

OS userlogon

<sid>adm oper

ora<sid> rsx rwx r-x brconnect

OS user OS group

ora<sid> rwx r-x --- sqlplus

OS> brconnect –f check

UNIX contextUNIX context

BRCONNECT belongs to ora<sid>, but can be called by any user. Due to the set s-bit,

BRCONNECT runs with the authorizations of the user ora<sid>.

The operator logs on as the user <sid>adm. This user belongs to the group oper. This allows the

user to start up and shut down the database. This does not fully correspond to the standardconfiguration for SAP, since <sid>adm does not belong to the dba group. The user <sid>adm has a

corresponding OPS$ database user as standard (OPS$<sid>adm). This OPS$ user is granted theSAPDBA role on the database and can, therefore, read the Oracle Dictionary tables and write in theDBA log tables in the database.

The OPS$ mechanism is activated automatically for the standard user <sid>adm during installation.

You can use the OPS$ mechanism by calling BRCONNECT with the option -u /.

brconnect -u / -f check

brbackup -u / -q

The operator then has full administration authorization for the SAP system (but not for thedatabase). If you want to keep privileges for the database separate from privileges for theSAP system, you must set up a separate OS user with the operator authorizationsdescribed above (see “Configuration 3” below).

If the standard password is changed from user SYSTEM and the OPS$ Mechanism is not

used, then you must call BRCONNECT, BRBACKUP, and so on, with the option -u.




February 2008 11

Additional Information

SAP Library

You can find more information on Oracle database administration and the contents of this document inthe SAP Library as follows:

All paths refer to Release SAP NetWeaver Process Integration 7.1 of the SAP Library.

1. Call up the SAP Help Portal at help.sap.com/nwpi71 → KNOWLEDGE CENTER FOR SAP

NETWEAVER PROCESS INTEGRATION 7.1 → SAP NetWeaver Process Integration Library English .

2. Choose one of the following:

o Administrator’s Guide → Technical Operations for SAP NetWeaver → Administration of

Databases → Database Administration for Oracle → SAP Database Guide: Oracle o Administrator’s Guide → Security Guide → Security Guides for the Operating System

and Database Platforms → Database Access Protection → Oracle Under UNIX or Oracle on Windows

You can also find these plus selected extracts from the SAP Library at:

www.sdn.sap.com/irj/sdn/ora → SAP on Oracle Knowledge Center → SAPDocumentation in Help Portal

SAP Notes

You can find SAP Notes at:

service.sap.com/notes

database security for oracle[1]

Documents