My client, a LARGE telecom company, has 150+ SAP instances and is in the process of moving most of them from PARISC to Itanium HP servers.
As part of the replatforming effort, we have to create <sapsid>adm ids on the new servers. As per SAP installation Manuals, <sapsid>adm should have "sapsys" as primary and "dba" as secondary group. The Basis, DBA and SA support functions are performed by different work groups and due to SOX and other internal security policies, the DBA groups feels it is against "separation of duties", etc, to have someone other than DBAs have access to the "dba" group and is unwilling to approve "dba" as secondary group for <sapsid>adm. The Basis Admins feel that the failure to allow access to "dba" will negatively impact our ability to perform our Basis support activities, For example: unable to start & stop the database when using start|stopsap scripts; inability to perform any activity that uses sapinst (as sapinst checks for existence of <sapsid>adm and its membership of "sapsys" and "dba" groups; probably some of the database related transactions within the SAP gui, etc).
Have any other Basis Admins run across these SOX restrictions? How are they handled in other companies? What other impacts could the failure to have access to the "dba" group have?
Sharing of Any experiences in this area would be greatly appreciated.
Alex