Apply Security Settings for Database-Related File System Resources

Use

Under Windows, you should protect all data files, all executable files, all Oracle files, and all SAP system files.

The following table shows the Oracle directories and files and the corresponding access rights:

Access Privileges for Oracle Directories and Files

| Oracle Directories | Access Privilege | For User or Group |
|---|---|---|
| %ORACLE_HOME% | Full Control | SYSTEM, Administrators, SAP_<SAPSID>_GlobalAdmin (domain installation), SAP_<SAPSID>_LocalAdmin (local installation) |
| <drive>:\oracle\<dbsid> | Full Control | SYSTEM, Administrators, SAP_<SAPSID>_GlobalAdmin (domain installation), SAP_<SAPSID>_LocalAdmin (local installation) |

Procedure

For all Oracle directories and the ORACLE_HOME, set the security settings for the built-in accounts and groups SYSTEM, Administrators, SAP_<SAPSID>_GlobalAdmin (domain installation), and SAP_<SAPSID>_LocalAdmin (local installation) as follows:

       1.      In the Windows Explorer, right-click the Oracle root directory and choose Properties.

       2.      Under Security, choose Advanced.

       3.      Uncheck Allow inheritable permissions from the parent …. (Windows Server 2003), or Inherit from parent the permission entries that apply to child objects (Windows 2000).

       4.      In the dialog that appears, choose Copy to copy the permission entries that were previously applied from the parent to this object.

       5.      Choose OK.

       6.      Set the permissions for the above-mentioned accounts SYSTEM, Administrators, SAP_<DBSID>_GlobalAdmin, or SAP_<DBSID>_LocalAdmin to Full Control.

       7.      Delete all other accounts.
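The same procedure can be checked, and optionally applied, from PowerShell. The script below is an added example and not part of the SAP documentation. Its parameter names, the default path and the group name are placeholders (assumptions) that must be replaced with the real directory and the SAP_<SAPSID>_GlobalAdmin or SAP_<SAPSID>_LocalAdmin group of the installation.

```powershell
# Added example, not SAP tooling. Defaults are placeholders: pass the real
# directory and the SAP_<SAPSID>_GlobalAdmin or SAP_<SAPSID>_LocalAdmin group.
param(
    [string]   $Path    = 'D:\oracle\DBSID_PLACEHOLDER',
    [string[]] $Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                            'HOST_PLACEHOLDER\SAP_SID_LocalAdmin'),
    [switch]   $Apply   # without -Apply the script only reports
)
$fc = [System.Security.AccessControl.FileSystemRights]::FullControl
# Compare by SID so that localized or renamed account names still match.
function ConvertTo-Sid([System.Security.Principal.IdentityReference] $Id) {
    $Id.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
$allowedSids = @($Allowed | ForEach-Object {
    ConvertTo-Sid (New-Object System.Security.Principal.NTAccount($_)) })

function Get-AclFinding([string] $Dir) {
    $acl = Get-Acl -LiteralPath $Dir
    if (-not $acl.AreAccessRulesProtected) { 'inheritance from parent is still enabled' }
    $hasFull = @()
    foreach ($r in $acl.Access) {
        $sid = ConvertTo-Sid $r.IdentityReference
        if ($allowedSids -notcontains $sid) {
            "unexpected entry: $($r.IdentityReference) $($r.AccessControlType) $($r.FileSystemRights)"
        } elseif ($r.AccessControlType -eq 'Allow' -and ($r.FileSystemRights -band $fc) -eq $fc) {
            $hasFull += $sid
        }
    }
    foreach ($sid in $allowedSids) { if ($hasFull -notcontains $sid) { "no Full Control entry for SID $sid" } }
}

if ($Apply) {
    # Steps 3-5: stop inheriting, keeping a copy of the inherited entries.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    # Re-read so the copied entries are handled as explicit entries of this directory.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($name in $Allowed) {          # step 6: Full Control, inherited by children
        $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $name, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    foreach ($r in @($acl.Access)) {       # step 7: delete all other accounts
        if ($allowedSids -notcontains (ConvertTo-Sid $r.IdentityReference)) {
            $acl.PurgeAccessRules($r.IdentityReference)
        }
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}
Get-AclFinding $Path   # no output means the ACL matches the table
```

Run it from an elevated session once per directory in the table; without -Apply it changes nothing and only lists deviations.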

For more information about measures to take for the other files, see Operating System Protection.