Protecting the SAP Database User

To protect access to the SAPUSER table and the SAP database user SAP<SAPSID>, or SAPR3 note the following:

·        Change the passwords for SAP<SAPSID> or SAPR3, and <sapsid>adm regularly.

·        Only define OPS$ users for the Windows users that are necessary for operating the SAP system. These are typically the users SAPService<SAPSID> and <sapsid>adm; however, you may assign them other names. (In this guide, we refer to SAPService<SAPSID> and <sapsid>adm.) For more information about creating OPS$ users under Windows, see SAP Note 50088.

·        With the Oracle network protocol SQL*Net, you can also use the file sqlnet.ora to restrict access to the database using IP addresses. In this file, you specify invited and excluded IP addresses.

For example:

tcp.validnode_checking = yes
tcp.invited_nodes = (, ...)


tcp.excluded_nodes = (, ...)

In this way, you can make sure that only specific hosts (for example, only the application server host) can access the database.

See also:

Changing Passwords for SAP Database Users Using BRCONNECT