SAP从业者联盟 门户 SAP notes 查看内容

113747 - Owners and authorizations for BR*Tools

2013-11-19 15:36| 发布者: isap| 查看: 5091| 评论: 0|来自: SAP SMP

摘要: Version 22 Validity: 2013.10.10 - activeHeader DataReleased On 2013.10.10 16:54:41Release Status Released for CustomerComponent BC-DB-ORA-DBA Database Administration with OracleOther Components BC-DB ...
Version 22   Validity: 2013.10.10 - active
Header Data
Released On 2013.10.10 16:54:41
Release Status Released for Customer
Component BC-DB-ORA-DBA Database Administration with Oracle
Other Components BC-DB-ORA-CCM CCMS/Database Monitors for Oracle
Priority Recommendations / Additional Info
Category Consulting
This note provides information about how to set the authorizations for the BR*Tools correctly.
Other Terms
DB13, DB14, DB16, DB20, DB24, RZ11
Reason and Prerequisites
Authorization problems
The following settings are required to call the BR*Tools correctly, especially when using transaction DB13 or DBACOCKPIT:
ora<sid> and <sid>adm on DB server have a search path on /sapmnt/<SID>/exe. (All br* are contained in this directory.)
ora<sid> belongs to the dba group,
<sid>adm belongs to the sapsys group,
<sid>adm on the database server has the rhosts entry: "+ <sid>adm".
The Oracle user ops$<sid>adm must be created in the DB and must have the role sapdba (not DBA) (see SAP Note 134592 for more information).
brarchive, brbackup, and brconnect belong to ora<sid> and have authorization 4774:
-rwsrwxr-- ora<sid> sapsys ...
Both the operating system (OS) user ora<sid> and the OS user <sid>adm (for example, from SAP R/3, transactions DB13 or DBACOCKPIT) must be able
to call these tools. These tools require access authorization to the database directories and files as well as to the log directories (saparch,
sapbackup, sapcheck, and sapreorg) of the BR*Tools. To ensure that they can be executed by both ora<sid> and by <sid>adm, they must belong to
the user ora<sid>, and the s-bit must be set.
brrestore, brrecover, brspace, and brtools belong to <sid>adm and have authorization 755:
-rwxr-xr-x <sid>adm sapsys ...
These tools may be used only by OS user ora<sid>, but not by <sid>adm. This ensures that the user <sid>adm does not have write permission for
the log directories and therefore cannot create any logs. For this, no s-bit is set, and it is not necessary to define an owner other than the
standard owner <sid>adm.
If the tools were started using <sid>adm, they would terminate immediately after the start due to the missing log authorization. However, the
user ora<sid> can start the programs despite this and also has the required authorization for the log directories.
For example:
-rwsrwxr-- 1 orasid sapsys 10022600 Aug 23 2012 brarchive
-rwsrwxr-- 1 orasid sapsys 10251536 Aug 23 2012 brbackup
-rwsrwxr-- 1 orasid sapsys 12179560 Aug 23 2012 brconnect
-rwxr-xr-x 1 sidadm sapsys 10708840 Aug 23 2012 brrecover
-rwxr-xr-x 1 sidadm sapsys 4140576 Aug 23 2012 brrestore
-rwxr-xr-x 1 sidadm sapsys 12778384 Aug 23 2012 brspace
-rwxr-xr-x 1 sidadm sapsys 4711664 Aug 23 2012 brtools
Note 1:
On Linux and Solaris 11, you have to adjust the authorization for brarchive, brbackup, and brconnect manually if you want to create RMAN
backups with the OS user <sid>adm. For more information, see SAP Note 776505.
Note 2:
Other BR*Tool authorizations apply for Oracle installations with the OS user oracle. For more information, see SAP Note 1598594.

This document refers to:
SAP Notes
1598594 BR*Tools configuration for Oracle inst. under "oracle" user
651351 BR tools on UNIX: Error due to executable permissions
776505 ORA-01017/ORA-01031 in BR*Tools on Linux and Solaris 11
113746 SAPXPG_COMMAND failed: DB14/16/17/20/24
This document is referenced by:
SAP Notes (3)
651351 BR tools on UNIX: Error due to executable permissions
776505 ORA-01017/ORA-01031 in BR*Tools on Linux and Solaris 11
1598594 BR*Tools configuration for Oracle inst. under "oracle" user






刚表态过的朋友 (1 人)

Archiver|SAP从业者联盟 ( 京ICP备09055458号-2 

GMT+8, 2017-7-24 14:49 , Processed in 0.029299 second(s), 13 queries .

Powered by X2

© 2001-2011 Comsenz Inc.