Copyright © 2014 Oracle and/or its affiliates. All rights reserved.
Andreas Becker, Principal Member Technical Staff
Oracle Server Technologies, SAP Development
November 2015
17 Years Oracle for SAP
New User Concept for SAP NetWeaver on Oracle Database 12c
Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
New User Concept with Oracle 12c – what to consider and how to prepare?
Agenda
1. Introduction
2. User Concept SAP Classic
3. User Concept Oracle Standard
4. User Concept Oracle Flex
5. Summary / Outlook / References
Introduction
• User concept for SAP NetWeaver based installations on Oracle on Unix
• User, roles and corresponding tasks
– SAP System Administration
– Oracle Database Administration
– Oracle Database Operation
– Oracle Software installation
• Technical configuration of OS users
• SAP System Security
• SAP Integration and SAP Support
Different User Concepts for Different Installation Types
SAP on Oracle Database 10g Release 2
SAP NetWeaver on Oracle:
• Oracle Single Instance on File System: SAP Classic
• Oracle RAC: SAP Classic
Different User Concepts for Different Installation Types
SAP on Oracle Database 11g Release 2
SAP NetWeaver on Oracle:
• Oracle Single Instance on File System: SAP Classic
• Oracle ASM (Custom): Oracle Standard
• Oracle RAC (Custom): Oracle Standard
• Oracle Engineered Systems: Oracle Standard
One User Concept for all Installation Types
SAP on Oracle Database 12c Release 1
SAP NetWeaver on Oracle:
• Oracle Single Instance on File System: Oracle Standard
• Oracle ASM (Custom): Oracle Standard
• Oracle RAC (Custom): Oracle Standard
• Oracle Engineered Systems: Oracle Standard
User Concept: Status until July 28, 2015
Starting Oracle Database 12c Release 1, for all SAP installations on Unix and Linux the Oracle database software is installed by software owner 'oracle'.
When you upgrade an SAP installation from an earlier Oracle release to 12c, you have to migrate the software owner from ora<dbsid> to oracle as part of the upgrade. For details see SAP Note 1915317.
For a detailed description of the new user concept see SAP Note 1915323.
Reference: SAP Note 1914631 (V27 and before)
Comments from Customers on User Concept Change
• Why change the user concept? Can we use the classic user concept? We don't use RAC, ASM or Exadata. We only have SAP on Oracle with SI/FS only.
• With software owner 'oracle' all instances run under the same user. How can we find the processes of a certain instance?
• With 'oracle' all database files are owned by 'oracle'. This is not secure.
• User 'oracle' has no environment. It is difficult to manage databases from this user. When patching Oracle homes, there is the risk to patch the wrong Oracle home.
• We need to upgrade to 12.1 until 2016. There is not enough time to test the new concept. We need to adapt our scripts and processes.
User Concept: Status since August 17, 2015
For SAP standard installations with Oracle single instance on file system (SI/FS) on Unix platforms SAP supports user concept 'Oracle Standard' with software owner 'oracle' in addition to the classic user concept 'SAP Classic' with software owner 'ora<dbsid>'.
For details and recommendations see SAP Note 1915323. You can change the user concept from 'SAP Classic' to 'Oracle Standard' - e.g. as part of the upgrade to 12.1. - as described in SAP Note 1915317.
Reference: SAP Note 1914631 (V31)
User Concept SAP Classic
• User concept for SAP NetWeaver based SAP products on Oracle
– For single instance on file system (SI/FS)
– On Unix/Linux platforms
• This is the classic user concept for SAP R/3 on Oracle.
• SAP System Administrator '<sapsid>adm'
– Responsible for SAP system administration including Oracle database operation
• Oracle Database Administrator 'ora<dbsid>'
– Responsible for Oracle software installation (Software Owner)
– Responsible for Oracle database administration
Technical Configuration Overview – SAP Classic
For SI/FS in 12c R1 and before
[Diagram: the OS accounts <sapsid>adm (SAP System Administrator) and ora<dbsid> (Oracle Administrator) with the OS groups sapsys, dba and oper, their environment (.dbenv.sh, BR*ENV), and the tools they run against ORACLE_HOME and DBSID: brarchive, brbackup, brconnect, brrecover, brrestore, brspace, sqlplus]
Accounts and Roles
• <sapsid>adm: SAP System Administrator, Oracle database operator
• ora<dbsid>: Oracle software owner, Oracle database administrator
Technical Configuration Overview – SAP Classic
Multiple Databases on one Database Server
[Diagram: two databases, DBSID1 and DBSID2, each with its own ORACLE_HOME and its own accounts <sapsid>adm (SAP System Administrator) and ora<dbsid> (Oracle Administrator), with .dbenv.sh, BR*ENV and BR*Tools; the OS groups sapsys, dba and oper appear for both databases]
SAP BR*Tools Configuration for SAP Classic
SAP Classic – SAP Note 113747
Executables with s-bit:
  -rwsrwxr-- 1 orasid sapsys 10022600 Aug 23 2012 brarchive
  -rwsrwxr-- 1 orasid sapsys 10251536 Aug 23 2012 brbackup
  -rwsrwxr-- 1 orasid sapsys 12179560 Aug 23 2012 brconnect
Executables without s-bit:
  -rwxr-xr-x 1 sidadm sapsys 10708840 Aug 23 2012 brrecover
  -rwxr-xr-x 1 sidadm sapsys 4140576 Aug 23 2012 brrestore
  -rwxr-xr-x 1 sidadm sapsys 12778384 Aug 23 2012 brspace
  -rwxr-xr-x 1 sidadm sapsys 4711664 Aug 23 2012 brtools
• Both the operating system (OS) user ora<sid> and the OS user <sid>adm (for example, from SAP R/3, transactions DB13 or DBACOCKPIT) must be able to call these tools (brarchive, brbackup, brconnect).
• These tools (brrecover, brrestore, brspace, brtools) may be used only by OS user ora<sid>, but not by <sid>adm. This ensures that the user <sid>adm does not have write permission for the log directories and therefore cannot create any logs. For this, no s-bit is set, and it is not necessary to define an owner other than the standard owner <sid>adm.
• SAP Note 113747 - Owners and authorizations for BR*Tools
SAP Classic: Advantages and Disadvantages
Advantages
• Environment variables for <DBSID> are set, simple and easy to use
• Separation between SAP administration with <sapsid>adm and Oracle administration with ora<dbsid>
• "Optical" separation between different databases on same host
• Database files and database instance processes are owned by different 'ora<dbsid>'
Disadvantages
• User Concept SAP Classic is not compatible with installations with RAC, ASM and Grid Infrastructure
• No separation between Oracle software installation/maintenance and database administration
• No true / secure separation between database installations on the same host: same 'dba' and 'oper' group for different 'ora<dbsid>' / different Oracle Homes
• RMAN requires SYSDBA for database backups → <sapsid>adm needs SYSDBA privilege
User Concept Oracle Standard
• User concept for SAP NetWeaver based SAP products on Oracle
– For RAC, ASM and Oracle Engineered Systems (Exadata, ODA, SuperCluster)
– On Unix / Linux platforms
• Starting with Oracle release 11.2, this user concept was newly introduced into SAP environments for all installations with Oracle Grid Infrastructure.
• Starting with Oracle release 12.1, this user concept can be used for SI/FS.
User Concept Oracle Standard
• SAP System Administrator '<sapsid>adm'
– Responsible for SAP system administration including Oracle database operation
– Responsible for Oracle database administration (SAP Default DBA Account)
• Oracle Database Administrator 'ora<dbsid>'
– Eliminated in 11.2 because not needed for SAP BR*Tools
– Re-introduced with 12.1, first only as optional account, but now mandatory account again (SAP standard account)
– Responsible for Oracle database administration (SAP Secondary DBA Account)
• Oracle Software Owner 'oracle'
– Responsible for Oracle software installation (Software Owner) only (!)
Technical Configuration Overview – Oracle Standard
Implementation in Release 11g R2 without ora<dbsid> (RAC, ASM, Engineered Systems)
[Diagram: the OS accounts <sapsid>adm (SAP System Administrator; .dbenv.sh, BR*ENV; brarchive, brbackup, brconnect) and oracle (Oracle Administrator; oraenv, RUNINSTALLER, MOpatch/Opatch) with the OS groups sapsys, oinstall, dba and oper, working against ORACLE_HOME and DBSID]
Accounts and Roles
• <sapsid>adm: SAP System Administrator, SAP Default DBA
• oracle: Oracle software owner
Technical Configuration Overview – Oracle Standard
Implementation in Release 12c R1 with ora<dbsid> as Secondary DBA
[Diagram: the OS accounts <sapsid>adm (SAP System Administrator; .dbenv.sh, BR*ENV; brarchive, brbackup, brconnect), ora<dbsid> (.dbenv.sh, BR*ENV; brarchive, brbackup, brconnect, brrecover, brrestore, brspace) and oracle (Oracle Administrator; oraenv, RUNINSTALLER, MOpatch/Opatch), with sqlplus and srvctl and the OS groups sapsys, oinstall, dba and oper, working against ORACLE_HOME and DBSID]
Accounts and Roles
• <sapsid>adm: SAP System Administrator, SAP Default DBA
• ora<dbsid>: SAP Secondary DBA
• oracle: Oracle software owner
SAP BR*Tools Configuration for Oracle Standard
SAP Note 1598594 - BR*Tools configuration for Oracle installation using user "oracle"
Executables with s-bit:
  -rwsrwsr-- 1 oracle oinstall 7732338 May 31 16:30 brarchive
  -rwsrwsr-- 1 oracle oinstall 7908129 May 31 16:30 brbackup
  -rwsrwsr-- 1 oracle oinstall 9970354 May 31 16:30 brconnect
  -rwsrwsr-- 1 oracle oinstall 8376747 May 31 16:31 brrecover
  -rwsrwsr-- 1 oracle oinstall 2783544 May 31 16:31 brrestore
  -rwsrwsr-- 1 oracle oinstall 10479944 May 31 16:31 brspace
Executables without s-bit:
  -rwxr-xr-x 1 prdadm sapsys 4103679 May 31 16:31 brtools
Runtime environment of BR*Tools
All BR*Tools programs can be used with the OS user <sapsid>adm and the OS user ora<dbsid>. By default, they are started with the user <sapsid>adm. For both OS users, the DB instance is uniquely defined via the environment variables ORACLE_SID and ORACLE_HOME (plus ORACLE_BASE if appropriate).
The BR*Tools programs should not be used with the OS user "oracle". However, to start the BR*Tools programs with the user "oracle" in exceptional circumstances, you must set the corresponding Oracle environment variables (ORACLE_SID, ORACLE_HOME) and the BR*Tools-specific environment variables (such as SAPDATA_HOME, SAPEXE) beforehand. For more information, see SAP Note 1554661.
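The BR*Tools layout for Oracle Standard listed above can be checked for drift with a small audit over `ls -l` output. This is an added example, not part of the original slides or of any SAP or Oracle tooling; the function name `audit_brtools` and the sample listing are constructed, and the account names oracle and prdadm are taken from the listing above.

```shell
#!/bin/sh
# Added example: compare `ls -l` output for the BR*Tools executables with the
# Oracle Standard layout shown above.
#   brarchive .. brspace : -rwsrwsr--  <software owner>  oinstall
#   brtools              : -rwxr-xr-x  <sapsid>adm       sapsys
# With mode -rwsrwsr-- "others" have no execute bit, so only the owner and
# members of oinstall can start the setuid tools.
# Usage on a host: ls -l "$SAPEXE" | audit_brtools oracle prdadm

audit_brtools() {   # $1 = Oracle software owner, $2 = <sapsid>adm account
    awk -v swowner="$1" -v sapadm="$2" '
    BEGIN {
        n = split("brarchive brbackup brconnect brrecover brrestore brspace brtools", tool, " ")
        for (i = 1; i <= n; i++) {
            want_mode[tool[i]]  = "-rwsrwsr--"
            want_owner[tool[i]] = swowner
            want_group[tool[i]] = "oinstall"
        }
        # brtools is the one executable without s-bit
        want_mode["brtools"]  = "-rwxr-xr-x"
        want_owner["brtools"] = sapadm
        want_group["brtools"] = "sapsys"
    }
    NF >= 9 {
        name = $NF
        sub(/.*\//, "", name)                 # accept full paths as well
        if (!(name in want_mode)) next        # ignore other kernel files
        seen[name] = 1
        mode = substr($1, 1, 10)              # drop a trailing "." or "+" marker
        if (mode != want_mode[name]) {
            printf "%s: mode %s, expected %s\n", name, mode, want_mode[name]; bad++
        }
        if ($3 != want_owner[name]) {
            printf "%s: owner %s, expected %s\n", name, $3, want_owner[name]; bad++
        }
        if ($4 != want_group[name]) {
            printf "%s: group %s, expected %s\n", name, $4, want_group[name]; bad++
        }
    }
    END {
        for (i = 1; i <= n; i++)
            if (!(tool[i] in seen)) { printf "%s: missing from listing\n", tool[i]; bad++ }
        exit (bad > 0)                        # non-zero status when anything deviates
    }'
}

# Constructed sample: the listing above with three deviations introduced
# (brconnect executable by others, brrestore with the wrong owner and group,
# brspace absent).
SAMPLE_LISTING='-rwsrwsr-- 1 oracle oinstall  7732338 May 31 16:30 brarchive
-rwsrwsr-- 1 oracle oinstall  7908129 May 31 16:30 brbackup
-rwsrwsr-x 1 oracle oinstall  9970354 May 31 16:30 brconnect
-rwsrwsr-- 1 oracle oinstall  8376747 May 31 16:31 brrecover
-rwsrwsr-- 1 prdadm sapsys    2783544 May 31 16:31 brrestore
-rwxr-xr-x 1 prdadm sapsys    4103679 May 31 16:31 brtools'

printf '%s\n' "$SAMPLE_LISTING" | audit_brtools oracle prdadm || echo "deviations found"
```

For user concept Oracle Flex the same check applies with orcl<dbsid> passed as the software owner.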
Oracle Standard: Advantages and Disadvantages
Advantages
• Unified user concept for all Oracle installations
• Support for shared Oracle Home
• Separate accounts for database administration and software installation/patching (ora<dbsid> + oracle)
• Separation between database administration and SAP administration (ora<dbsid> + <sapsid>adm)
Disadvantages
• All database files are owned by 'oracle'
• All instance processes belong to 'oracle'
• 'oracle' has no environment for database <DBSID> → risk of patching the wrong Oracle Home
• Without 'ora<dbsid>' account there was no separation between administration of SAP and administration of Oracle
User Concept Oracle Flex
SAP Note 1915323 V6
NEWS, July 29, 2015
In addition to the current user concept with software owner 'oracle' SAP is planning to provide an additional user concept. This additional user concept is a combination of the classic user concept with software owner 'ora<dbsid>' and the user concept with software owner 'oracle'. It will allow a separation of Oracle database installations on the same host with database-specific software owners. The already existing user 'ora<dbsid>' remains unchanged as Oracle database administrator. An additional user will act as Oracle software owner for software installation and patching for a specific database.
A detailed description of the extended concept will be provided soon.
User Concept Oracle Flex
• Is a flexible extension of user concept Oracle Standard → "Oracle Flex"
• Is a combination of SAP Classic and Oracle Standard → "SAP Classic 2.0"
• Removes limitations of Oracle Standard in SI/FS environments
• Is not restricted to SI/FS only, also for RAC, ASM, Engineered Systems
• Is a proposal / draft that is not yet supported by SAP (planned for future)
User Concept Oracle Flex
• SAP System Administrator '<sapsid>adm'
– Responsible for SAP system administration including Oracle database operation
– Responsible for Oracle database administration for <DBSID>
– SAP Default DBA Account for <DBSID> (SAP Primary DBA Account)
• Oracle Database Administrator 'ora<dbsid>'
– Responsible for Oracle database administration for <DBSID>
– SAP Secondary DBA account for <DBSID>
• Oracle Software Owner 'orcl<dbsid>'
– Responsible for Oracle software installation for database <DBSID>
– SAP Super DBA account for <DBSID> (only for exceptional situations)
User Concept Oracle Flex
• Database-specific OS groups for OSDBA, OSOPER for secure separation between different <DBSID>
– 'dba' → 'dba<dbsid>'
– 'oper' → 'oper<dbsid>'
Technical Configuration Overview – Oracle Flex
Concept Idea
[Diagram: the OS accounts <sapsid>adm (SAP System Administrator; .dbenv.sh, BR*ENV; brarchive, brbackup, brconnect), ora<dbsid> (.dbenv.sh, BR*ENV; brarchive, brbackup, brconnect, brrecover, brrestore, brspace) and orcl<dbsid> (Oracle Administrator; .dbenv.sh, BR*ENV; RUNINSTALLER, MOpatch/Opatch), with sqlplus and the OS groups sapsys, oinstall, dba<dbsid> and oper<dbsid>, working against ORACLE_HOME and DBSID]
Accounts and Roles
• <sapsid>adm: SAP System Administrator, SAP Default DBA
• ora<dbsid>: SAP Secondary DBA
• orcl<dbsid>: Oracle software owner + SAP Super DBA
Technical Configuration Overview – Oracle Flex
Multiple Databases on one Database Server
[Diagram: two databases, DBSID1 and DBSID2, each with its own ORACLE_HOME and its own accounts <sapsid>adm (SAP System Administrator), ora<dbsid> (Oracle Administrator) and orcl<dbsid>, the database-specific OS groups dba<dbsid> and oper<dbsid>, the groups oinstall and sapsys, BR*ENV, and the tools RUNINSTALLER, MOpatch/Opatch, sqlplus and BR*Tools]
SAP BR*Tools Configuration for Oracle Flex
Not yet described in an SAP Note
Executables with s-bit:
  -rwsrwsr-- 1 orcl<dbsid> oinstall 7732338 May 31 16:30 brarchive
  -rwsrwsr-- 1 orcl<dbsid> oinstall 7908129 May 31 16:30 brbackup
  -rwsrwsr-- 1 orcl<dbsid> oinstall 9970354 May 31 16:30 brconnect
  -rwsrwsr-- 1 orcl<dbsid> oinstall 8376747 May 31 16:31 brrecover
  -rwsrwsr-- 1 orcl<dbsid> oinstall 2783544 May 31 16:31 brrestore
  -rwsrwsr-- 1 orcl<dbsid> oinstall 10479944 May 31 16:31 brspace
Executables without s-bit:
  -rwxr-xr-x 1 prdadm sapsys 4103679 May 31 16:31 brtools
Details will be described when user concept Oracle Flex is supported by SAP.
Oracle Flex
Advantages
Unified user concept for all Oracle installations
Separation between Oracle database administration and Oracle software owner
Separation between Oracle database administration and SAP administration
Instance processes can be identified by OS 'ps' command
Database files for database <DBSID> are owned by 'orcl<dbsid>'
No access to DB files on OS level for DBAs other than orcl<dbsid>
Optional use of dedicated DBA account ora<dbsid>
Environment variables for <DBSID> are set for all accounts
User Concept Comparison
SAP Classic
• Has restrictions/limitations regarding separation and security
• For SI/FS only
• Release 12.1: still supported by SAP for SI/FS only, deprecated
Oracle Standard
• Has restrictions/limitations regarding separation and security
• For all types of installations
• Support for Shared Oracle Homes
• Release 12.1: SAP standard user concept for all installation types
Oracle Flex
• Can fulfill requirements regarding separation and security out-of-the-box
• Flexible and universal user concept
• Combination of SAP Classic and Oracle Standard
• For all types of installations
• Release 12.1: Not yet supported by SAP, planned for future
Support for SAP Classic and Oracle Standard in SWPM
• SWPM 1.0 SP 09 (or higher): Dialog for Oracle Software Owner: oracle or ora<dbsid>
• SWPM 1.0 SP 09 (or higher): Dialog for Oracle Database Administrator
User Concept: History, Current Status and Future
Different User Concepts for Different Installation Types
SAP on Oracle Database 11g Release 2
SAP NetWeaver on Oracle:
• Oracle Single Instance on File System: SAP Classic
• Oracle ASM (Custom): Oracle Standard
• Oracle RAC (Custom): Oracle Standard
• Oracle Engineered Systems: Oracle Standard
One User Concept for all Installation Types
SAP on Oracle Database 12c Release 1 (original plan)
SAP NetWeaver on Oracle, original plan for 12.1:
• Oracle Single Instance on File System: Oracle Standard (new in 12.1); SAP Classic (de-supported)
• Oracle ASM (Custom): Oracle Standard
• Oracle RAC (Custom): Oracle Standard
• Oracle Engineered Systems: Oracle Standard
One User Concept for all Installation Types
SAP on Oracle Database 12c Release 1
SAP NetWeaver on Oracle:
• Oracle Single Instance on File System: Oracle Standard (new in 12.1); SAP Classic (supported, deprecated)
• Oracle ASM (Custom): Oracle Standard
• Oracle RAC (Custom): Oracle Standard
• Oracle Engineered Systems: Oracle Standard
User Concepts Supported by SAP in Future
SAP on Oracle Database higher than 12c Release 1
SAP NetWeaver on Oracle:
• Oracle Single Instance on File System: Oracle Standard, Oracle Flex; SAP Classic (desupported)
• Oracle ASM (Custom): Oracle Standard, Oracle Flex
• Oracle RAC (Custom): Oracle Standard, Oracle Flex
• Oracle Engineered Systems: Oracle Standard, Oracle Flex
User Concept Customizations
Remove 'oinstall' from DBA Accounts
• 'oinstall' group is required for OS accounts that use SAP BR*Tools
– see 1598594 - BR*Tools configuration for Oracle installation using user "oracle"
• If you remove 'oinstall' from <sapsid>adm or from ora<dbsid>, these accounts can not run BR*Tools any more.
• For DBA accounts in an SAP environment that do not run BR*Tools, the 'oinstall' group is not required
SYSBACKUP for Backup and Recovery
• SYSBACKUP is a new administrative privilege in 12c
• For RMAN backup and recovery tasks you can replace SYSDBA by SYSBACKUP
– 11g R2 and before, backup with RMAN requires SYSDBA
– 12c R1 and later: RMAN backup with SYSDBA or SYSBACKUP
1. Remove SYSDBA from <sapsid>adm (= remove 'dba' OS group)
2. Grant SYSBACKUP privilege to <sapsid>adm
• With 'SYSOPER' and 'SYSBACKUP' privileges <sapsid>adm can perform database backup with RMAN and other database operations (e.g. startup/shutdown).
• Role of <sapsid>adm changes
– from 'Full Database Administrator' to 'Normal Database Operator'
• If you remove s-bit from brrestore <sapsid>adm can not use brrestore anymore for restore/recovery operations
SYSBACKUP Configuration for User Concept Oracle Standard
OS group 'sback' for SYSBACKUP privilege
[Diagram: the OS accounts <sapsid>adm (SAP System Administrator; BR*ENV; brarchive, brbackup, brconnect), ora<dbsid> (BR*ENV; brarchive, brbackup, brconnect, brrecover, brrestore, brspace) and oracle (Oracle Administrator; oraenv, RUNINSTALLER, MOpatch/Opatch), with sqlplus and the OS groups sapsys, oinstall, dba, oper and sback, working against ORACLE_HOME and DBSID]
Administrative Privileges
• OSDBA : SYSDBA : dba
• OSOPER : SYSOPER : oper
• OSBACKUPDBA : SYSBACKUP : sback
Accounts and Roles
• <sapsid>adm: SAP System Administrator + SAP Default DBA
• ora<dbsid>: SAP Secondary DBA
• oracle: Oracle software owner + SAP Super DBA
SYSBACKUP Configuration for User Concept Oracle Standard
OS group 'oper' for SYSBACKUP privilege (SAP Standard)
[Diagram: the OS accounts <sapsid>adm (SAP System Administrator; BR*ENV; brarchive, brbackup, brconnect), ora<dbsid> (BR*ENV; brarchive, brbackup, brconnect, brrecover, brrestore, brspace) and oracle (Oracle Administrator; oraenv, RUNINSTALLER, MOpatch/Opatch), with sqlplus and the OS groups sapsys, oinstall, dba and oper, working against ORACLE_HOME and DBSID]
Administrative Privileges
• OSDBA : SYSDBA : dba
• OSOPER : SYSOPER : oper
• OSBACKUPDBA : SYSBACKUP : oper
Accounts and Roles
• <sapsid>adm: SAP System Administrator + SAP Default DBA
• ora<dbsid>: SAP Secondary DBA
• oracle: Oracle software owner + SAP Super DBA
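The two steps for moving <sapsid>adm from SYSDBA to SYSBACKUP, and the two group mappings above ('sback' and 'oper' as OSBACKUPDBA group), can be verified from OS group membership alone. This is an added example, not part of the original slides; the function names, the accounts prdadm and oraprd, and all membership lines are constructed, and input is assumed to be in the format printed by `groups <user>`.

```shell
#!/bin/sh
# Added example: derive the administrative privileges an account obtains
# through OS authentication from its OS groups, for a given mapping
# OSDBA / OSOPER / OSBACKUPDBA -> OS group name.
# Input on stdin, one line per account, e.g.:  prdadm : sapsys oper sback

os_admin_privs() {   # $1 = OSDBA group, $2 = OSOPER group, $3 = OSBACKUPDBA group
    awk -v dba="$1" -v oper="$2" -v backup="$3" '
    NF >= 1 {
        user = $1; sub(/:$/, "", user)
        d = o = b = 0
        for (i = 2; i <= NF; i++) {
            if ($i == dba)    d = 1
            if ($i == oper)   o = 1
            if ($i == backup) b = 1     # same group as OSOPER in the SAP standard mapping
        }
        privs = (d ? " SYSDBA" : "") (o ? " SYSOPER" : "") (b ? " SYSBACKUP" : "")
        print user ":" (privs == "" ? " none" : privs)
    }'
}

# Target state from the slide: <sapsid>adm is a normal database operator,
# i.e. it holds SYSOPER and SYSBACKUP but no longer SYSDBA.
# Returns 0 = target state reached, 1 = not reached, 2 = account not in input.
is_normal_operator() {   # $1 = account, $2..$4 = group mapping as above
    line=$(os_admin_privs "$2" "$3" "$4" | grep "^$1:") || return 2
    case "$line" in
        *SYSDBA*)            return 1 ;;
        *SYSOPER\ SYSBACKUP) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Constructed membership data (not taken from a real system).
MEMBERS_BEFORE='prdadm : sapsys dba oper oinstall
oraprd : dba oper oinstall
oracle : oinstall dba oper'

# After step 1 (prdadm removed from dba) and step 2 via a dedicated group sback.
MEMBERS_SBACK='prdadm : sapsys oper sback oinstall
oraprd : dba oper sback oinstall
oracle : oinstall dba oper sback'

# After step 1 with OSBACKUPDBA mapped to oper: no new group is needed.
MEMBERS_OPER='prdadm : sapsys oper oinstall
oraprd : dba oper oinstall
oracle : oinstall dba oper'

echo "before:";         printf '%s\n' "$MEMBERS_BEFORE" | os_admin_privs dba oper sback
echo "sback variant:";  printf '%s\n' "$MEMBERS_SBACK"  | os_admin_privs dba oper sback
echo "oper variant:";   printf '%s\n' "$MEMBERS_OPER"   | os_admin_privs dba oper oper
```

With the 'oper' mapping every member of oper holds SYSBACKUP as well as SYSOPER, while the 'sback' mapping lets the two privileges be assigned separately.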
References: SAP Notes
Oracle Database 12c Release 1
1914631 - Central Technical Note for Oracle Database 12c Release 1 (12.1)
1915323 - OS User Concept for Oracle Database 12c and higher
1915317 - Migrating Software Owner to 'oracle'
Oracle Database Administration / Database Security
1710997 - Using Personalized Database Administrator Accounts
1755636 - Database Administrators Segregation