Search This Blog

Showing posts with label DBACOCKPIT. Show all posts
Showing posts with label DBACOCKPIT. Show all posts

Friday, February 10, 2012

Owners and authorizations for BR*Tools

The following setup is essentail to call the BR*Tools with out any error, especially while using transaction DB13 or DBACOCKPIT:

(1) ora and adm groups on DB server have a search path on /sapmnt//exe.

(All br* are contained in this directory.)

ora belongs to the dba group,

adm belongs to the sapsys group,


(2) adm group on the DB server has the rhosts entry: "+ adm".


(3) The ops$adm Oracle user has to be created within the DB and should have the sapdba role (not DBA!) (refer SNote 134592 for more information about the role).


(4) brarchive, brbackup, and brconnect belongs to ora and should have authorization 4775:

-rwsrwxr-x ora sapsys ...


Reason:

Both the operating system (OS) user ora and the OS user adm (for example, from SAP R/3, transactions DB13 or DBACOCKPIT) must be able to call these tools. These tools require access authorization to the database directories and files also on the log directories (saparch,

sapbackup, sapcheck, and sapreorg) of the BR*Tools. To ensure that they will be executed by both ora and by adm, they need to belong to the user ora, and therefore the s-bit must be set.

(5) brrestore, brrecover, brspace, and brtools belongs to adm and should have authorization 755:

-rwxr-xr-x adm sapsys ...

Reason:

These tools could also be used only by OS user ora, but not by adm. This ensures that the user adm doesn't have write authorization for the log directories and thus cannot create any logs. For this, no s-bit is about , and it's not necessary to define an owner aside from the standard owner adm.

If the tools were started using adm, they might terminate immediately after the beginning thanks to the missing log authorization. However, the user ora can start the programs despite this and also has the specified authorization for the log directories.