Data Storage Security

The data that comprises the database instance is stored in the file system. There are several operating system users that have comprehensive authorizations for accessing database resources using the commands and functions of the operating system.

Access of Database Resources by Operating System Users

| Database Resource | Access (UNIX/Linux) | Access (Microsoft Windows) |
|---|---|---|
| Volumes | <sdb_user> (owner); Members of the group <sdba_group>, if there is no support group; Members of the support group | Members of the groups Administrators, System, Creator/Owner |
| Backups | <sdb_user> (owner); Members of the group <sdba_group> | Members of the groups Administrators, System, Creator/Owner |
| Files and directories of the database software | <sdb_user> (owner); Members of the group <sdba_group> | All |
| Database processes | <sdb_user> (owner) | Local system account |
| X Server | <sdb_user> (owner) | Local system account |

In SAP systems there can be additional operating system users that have access to database resources and that can replace the <sdb_user> operating system user.

Access of Database Resources by SAP Standard Operating System Users

| Database Resource | Access (UNIX/Linux) | Access (Microsoft Windows) |
|---|---|---|
| All | <sid>adm (SAP system administrator and database administrator in SAP systems); Member of the group <sdba_group>; For liveCache database instances, also owner | <SID>ADM |
| All | <sqd>sid; Obsolete, not for liveCache database instances; Owner | <SQD>SID |

<sid> = System ID of the SAP system

Hazards

· Access to unprotected database resources

A normal operating system user uses operating system commands to access database resources that are not protected by restrictions on the operating system level.

· Unauthorized access to protected database resources using external user data

A normal operating system user learns the password of a privileged operating system user and accesses protected database resources using operating system commands.
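A check for the first hazard on UNIX/Linux, as an added example that is not part of the original documentation: it lists every file under the given volume or backup paths that is not owned by the expected user, not in the expected group, or accessible to other users. The function name, the finding labels, and the rule that "other" must have no permission bits are assumptions of this example; the owner, group and paths are the site's own values for <sdb_user>, <sdba_group> and the resource locations, which this page does not give.

```shell
#!/bin/sh
# Added example (not SAP code): audit volume and backup paths against the
# UNIX/Linux access model in the table above.
#
# audit_db_resource OWNER GROUP PATH...
#   OWNER  site value for <sdb_user>
#   GROUP  site value for <sdba_group> (or the support group, for volumes)
#   PATH   volume or backup file/directory, supplied by the administrator
#
# Prints one finding per line and returns 1 if anything was found, 0 if clean.
#   MISSING  path does not exist
#   OWNER    entry is not owned by OWNER
#   GROUP    entry does not belong to GROUP
#   WORLD    entry grants read, write or execute to "other" (assumed policy)
audit_db_resource() {
    owner=$1; group=$2; shift 2
    findings=$(
        for path in "$@"; do
            if [ ! -e "$path" ]; then
                echo "MISSING $path"
                continue
            fi
            find "$path" ! -user "$owner" -print | sed 's/^/OWNER /'
            find "$path" ! -group "$group" -print | sed 's/^/GROUP /'
            # Symbolic links are skipped here: their own mode bits are not
            # what the kernel checks on access.
            find "$path" ! -type l \
                \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
                sed 's/^/WORLD /'
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

A non-zero return can be used to fail a scheduled job or a configuration-compliance run; the printed lines name the entries to correct.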

Activities

· Restricting Access to Database Resources (UNIX/Linux up to Database Version 7.4.03)

· Restricting Access to Database Resources (Microsoft Windows)

· Changing Passwords of SAP Standard Operating System Users

See also:

Appendix

See Concepts of the Database System, Special Operating System Users and Groups (UNIX/Linux)