SAP Security - Databases

It is critical and essential to protect your database users in a SAP system. A database can be an Oracle database, SQL Server or a MYSQL Database. You need to protect the standard users from these databases. Password should be protected for standard users and they should be changed regularly.

Oracle Standard Users

The following table shows the list of standard users in the Windows environment. Password should be maintained for all these users.

User Name Type Password Change Method
<SID>ADM Operating System User OPS$ mechanism
SAPServic<SID> Operating System User OPS$ mechanism
SYS (internal) Operating System User SAPDBA
SYSTEM Operating System User SAPDBA
SAPR3 Operating System User SAPDBA

How to Create an OPS$ user for <SID>ADM?

To create an OPS$ user, you need to login with the <SID>ADM. You should first stop SAP System if it is running and then execute the command given below.

Create user OPS$<adm_user> default tablespace psapuserid temporary tablespace psaptemp identified externally;

Here the <adm_user> is −

  • <SID>ADM for older Oracle releases

  • <domain_name>\<SID>ADM latest releases

Then you should follow the steps given below −

  • Grant connect, resource to OPS$ <adm_user>l;

  • Connect /

  • Create table SAPUSER ( USERID Varchar(20), PASSWD VARCHAR2(20));

  • Insert into SAPUSER values (‘SAPR3’,’<password>);

  • Connect internal

  • Alter user SAPR3 identified by <password>;

In a similar way, you can create OPS$ for SAPService<SID>. In the following command, you should use SAP_service_user instead of adm_user.

Create user OPS$<SAP_service_user> default tablespace psapuserid temporary tablespace psaptemp identified externally;

Here the <SAP_service_user> is −

  • SAPService<SID> for older Oracle releases

  • <domain_name>\SAPservice<SID> for latest releases

Password Management for DB Users

It is necessary to manage passwords for standard users in your database. There are various utilities that you can use for a password change.

How to Change Password for a DBA User Using SAPDBA?

Password can be changed for a DBA user using the command line or GUI. To change the password using the command line, you should use the following command −

Sapdba [-u <user1>/<user1_password>] –user2 <user2_password>

In above command, user1 is the database user that SAPDBA uses to logon into the database.

  • <user1_password> is the password for user1’s password.

  • <user2> shows the database user for which the password should be changed.

  • <user2_password> is the new password for the same user.

In case you want to login using username “SYSTEM” with its default password, you can omit –u from the command.

Sapdba –u system/<system_password>] –sapr3 <sapr3_password>

How to Change Password for SAPR3 Using SVRMGRL?

The SVRMGRL is an old utility that was shipped with prior releases of Oracle and has been used to perform database functions mentioned below. In the latest releases, the Server Manager commands are now available in SQL*Plus.

  • Creating Database
  • Start and Shut down Database
  • Recovery of Database
  • Password Management

To change the password, you should follow the steps given below −

  • Start SVRMGRL.
  • Connect to the database using the connect internal command.
  • SVRMGR> connect internal.
  • Connected.

The next step is to update the SAPUSER table by entering the command given below −

Update OPS$ <SID>ADM.SAPUSER set PASSWD = ’<new_password>’ where USERID = ’SAPR3’;

You should update the password for SAPR3 in the database using the command line.

Alter user sapr3 is identified by <new_password>

SQL Command Prompt