Restricting Access to Database Resources (UNIX/Linux up to Database Version 7.4.03)

A new authorization concept came into effect as of database version 7.5. See Concepts of the Database System, Special Operating System Users and Groups (UNIX/Linux). The measures described below are relevant only for older database versions.

Up to and including database version 7.4.03, access rights in SAP systems on UNIX/Linux are automatically configured during installation as follows.

Access Rights in SAP Systems up to and Including Database Version 7.4.03: Directories

| Directory | Privilege | Owner | Group | Notes |
|---|---|---|---|---|
| /sapdb/<SID>/sapdata | 750 | sqd<sid> | sapsys | |
| /sapdb/<SID>/saplog | 750 | sqd<sid> | sapsys | |
| /sapdb/<SID>/sapsys | 750 | sqd<sid> | sapsys | |
| /sapdb/<SID>/dbsys | 750 | sqd<sid> | sapsys | No longer applies as of 7.4 |
| /sapdb/<SID>/db | 750 | sqd<sid> | sapsys | |

If a database version 7.5 or higher is installed on a computer together with an older version, change the access privileges for the directory /sapdb/<SID>/db of the older database version to 755 to ensure that the database processes of the newer versions have unrestricted access to it.

Access Rights in SAP Systems up to and Including Database Version 7.4.03: Files

| File | Privilege | Owner | Group | Notes |
|---|---|---|---|---|
| /sapdb/<SID>/sapdata/* | 660 | sqd<sid> | sapsys | |
| /sapdb/<SID>/saplog/* | 660 | sqd<sid> | sapsys | |
| /sapdb/<SID>/sapsys/* | 660 | sqd<sid> | sapsys | |
| /sapdb/<SID>/dbsys/sys | 660 | sqd<sid> | sapsys | No longer applies as of 7.4 |

Access Rights in SAP Systems up to and Including Database Version 7.4.03: Raw Devices

| Raw device | Privilege | Owner | Group | Notes |
|---|---|---|---|---|
| Raw devices for the database system | 660 | sqd<sid> | | Link to the raw devices used as data volumes or log volumes |

Procedure

To restrict access rights, proceed as follows:


1. Save the original settings. To do so, enter the following commands:

    cd /usr/sap
    ls -lR > sap_perm.txt

    cd /sapmnt
    ls -lR > sap_sw.txt

    cd /sapdb/<SID>
    ls -lR > sapdb_perm.txt

2. Grant the desired access privileges for files and directories with the chmod command:

    chmod <access_privileges_in_octal_format> <file_or_directory>

    chmod 750 /sapdb/<SID>/sap*
    chmod 750 /sapdb/<SID>/sapdata/*
    chmod 750 /sapdb/<SID>/saplog/*

...

Do not use chmod recursively. It is very easy to make unintended changes to authorizations when doing so.
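
The directory and file tables above can be checked without changing anything. The following is an added example, not part of the original SAP documentation: a read-only audit that compares a /sapdb/<SID> tree with the listed modes, owner and group, looking only at direct children in line with the non-recursive rule. The function names audit_sapdb and report are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not SAP code): read-only audit of a pre-7.5 /sapdb/<SID> tree
# against the modes, owner and group in the tables above. Never calls chmod.
# Assumption: GNU stat ("stat -c"), as found on Linux.

# report PATH WANT_MODE: print one line if mode, owner or group deviates.
# Owner and group are compared only when WANT_OWNER / WANT_GROUP are set.
report() {
    read -r mode own grp <<EOF
$(stat -c '%a %U %G' "$1")
EOF
    if [ "$mode" != "$2" ] ||
       { [ -n "$WANT_OWNER" ] && [ "$own" != "$WANT_OWNER" ]; } ||
       { [ -n "$WANT_GROUP" ] && [ "$grp" != "$WANT_GROUP" ]; }; then
        echo "DRIFT $1: is $mode $own:$grp, expected $2 ${WANT_OWNER:-any}:${WANT_GROUP:-any}"
        drift=1
    fi
}

# audit_sapdb ROOT [OWNER] [GROUP] [DB_MODE]; returns 1 if anything deviates.
# DB_MODE defaults to 750; pass 755 where a 7.5+ installation shares the host.
audit_sapdb() {
    root=$1 WANT_OWNER=${2:-} WANT_GROUP=${3:-} db_mode=${4:-750} drift=0
    for d in sapdata saplog sapsys dbsys; do
        if [ -d "$root/$d" ]; then report "$root/$d" 750; fi
    done
    if [ -d "$root/db" ]; then report "$root/db" "$db_mode"; fi
    # Files: direct children only, mirroring the page's non-recursive globs.
    # Symbolic links (for example to raw devices) are skipped, not followed.
    for f in "$root"/sapdata/* "$root"/saplog/* "$root"/sapsys/* "$root"/dbsys/sys; do
        if [ -f "$f" ] && [ ! -L "$f" ]; then report "$f" 660; fi
    done
    return "$drift"
}

# Usage: sh audit.sh /sapdb/<SID> sqd<sid> sapsys [755]
if [ "$#" -gt 0 ]; then audit_sapdb "$@"; fi
```

A mode with special bits set (for example 2750) is reported as a deviation, because the comparison is against the exact octal value from the tables.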