Former Member

Question regarding removing OSDBA and OSOPER from <SID>adm

I'm a member of the DBA team that supports the SAP applications for our company. We need to implement fairly strict security requirements on all of our database environments. The team that manages the SAP infrastructure (known as the Basis team) has no responsibility for the Oracle database infrastructure, performance, or management (and vice versa). The teams are in 2 different organizations and must segregate responsibilities. With this segregation comes the need to restrict access to the SYS/SYSTEM accounts within each database. Only members of the DBA team are authorized to have access to the SYS and SYSTEM accounts (as well as sysdba and sysoper roles), and we need to audit all other users that access the database.

Currently in our SAP environment the <SID>adm account is a member of both the OSDBA and the OSOPER groups. In order to eliminate access to the SYS account through the sysdba/sysoper roles, we want to remove the OSDBA and OSOPER groups from the <SID>adm account. What we don't know is the impact to the system:

What is the impact to the overall SAP environment if we remove these groups from the <SID>adm account?

We understand that the Basis team will no longer be capable of using brarchive, brbackup, brrecover, and brrestore. Currently the only utilities they do use are brconnect, brspace, and brtools. It's these tools that we are unsure of the impact of this potential change.

We've read the Database Security for Oracle white paper from SAP and OSS Note 832662. These help us to a point, but we need to secure things a little tighter. Are there any other specific SAP OSS notes or white papers that we could review that would help us in determining the best course of action to resolve this configuration issue? Any insight or recommendations that can be shared and passed along would be greatly appreciated.

Has anyone else had to address this question?

Thanks.


1 Answer

  • May 20, 2009 at 03:07 PM

    > Currently in our SAP environment the <SID>adm account is a member of both the OSDBA and the OSOPER groups. In order to eliminate access to the SYS account through the sysdba/sysoper roles, we want to remove the OSDBA and OSOPER groups from the <SID>adm account. What we don't know is the impact to the system:
    >
    > What is the impact to the overall SAP environment if we remove these groups from the <SID>adm account?
    >
    > We understand that the Basis team will no longer be capable of using brarchive, brbackup, brrecover, and brrestore. Currently the only utilities they do use are brconnect, brspace, and brtools. It's these tools that we are unsure of the impact of this potential change.

    Well if you remove the <sid>adm user from those groups then some functionality of the BRTOOLS won't work anymore.

    In fact every function that requires SYSDBA or SYSOPER privileges will fail then.

    The BRTOOLS do need these functions and if you remove the privileges you'll get error messages.

    On the other hand, the workprocesses don't need those roles.

    So, apart from disabling the BRTOOLS - you won't get any problems with that 😊

    regards,

    Lars
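
A check to run before and after changing the group assignments discussed in this thread, added here as an example and not part of the original posts: it lists every account that holds an OS group, counting accounts whose primary GID is that group as well as the group's member list. The group names `dba` and `oper`, the account names and the sample files are constructed assumptions.

```shell
#!/bin/sh
# Added example: who really holds an OS group? Counts the member list in the
# group database AND accounts whose primary GID is that group.

# group_members GROUP GROUP_FILE PASSWD_FILE -> sorted unique user names
group_members() {
    awk -F: -v grp="$1" '
        FNR == NR {                      # first file: group database
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        gid != "" && $4 == gid { print $1 }   # second file: primary GID match
    ' "$2" "$3" | sort -u
}

# holds_group USER GROUP GROUP_FILE PASSWD_FILE -> exit 0 if USER is a member
holds_group() {
    group_members "$2" "$3" "$4" | grep -Fqx -- "$1"
}

# Constructed sample data, not from a real system. Group names dba/oper and
# the accounts c11adm/orac11/basis1 are assumptions for illustration.
write_sample() {
    cat > "$1/group" <<'EOF'
sapsys:x:500:
dba:x:501:c11adm
oper:x:502:c11adm
EOF
    cat > "$1/passwd" <<'EOF'
orac11:x:1001:501:Oracle owner:/home/orac11:/bin/sh
c11adm:x:1002:500:SAP admin:/home/c11adm:/bin/sh
basis1:x:1003:500:Basis user:/home/basis1:/bin/sh
EOF
}

SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
write_sample "$SAMPLE"
for g in dba oper; do
    echo "$g: $(group_members "$g" "$SAMPLE/group" "$SAMPLE/passwd" | tr '\n' ' ')"
done
```

On a real host the two input files can be produced with `getent group` and `getent passwd`, so that accounts from a directory service are included.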
