- SAP Security Tutorial
- SAP Security - Home
- SAP Security - Overview
- User Authentication & Management
- Network Communication Security
- Protecting Standard Users
- Un-authorizing Logons Protections
- System Authorization Concept
- SAP Security - Unix Platform
- SAP Security - Windows Platform
- SAP Security - Databases
- User Authentication & Single SignOn
- SAP Security - Logon Tickets
- SAP Security Useful Resources
- SAP Security - Quick Guide
- SAP Security - Useful Resources
- SAP Security - Discussion
SAP Security - Databases
It is critical and essential to protect your database users in a SAP system. A database can be an Oracle database, SQL Server or a MYSQL Database. You need to protect the standard users from these databases. Password should be protected for standard users and they should be changed regularly.
Oracle Standard Users
The following table shows the list of standard users in the Windows environment. Password should be maintained for all these users.
User Name | Type | Password Change Method |
---|---|---|
<SID>ADM | Operating System User | OPS$ mechanism |
SAPServic<SID> | Operating System User | OPS$ mechanism |
SYS (internal) | Operating System User | SAPDBA |
SYSTEM | Operating System User | SAPDBA |
SAPR3 | Operating System User | SAPDBA |
How to Create an OPS$ user for <SID>ADM?
To create an OPS$ user, you need to login with the <SID>ADM. You should first stop SAP System if it is running and then execute the command given below.
Create user OPS$<adm_user> default tablespace psapuserid temporary tablespace psaptemp identified externally;
Here the <adm_user> is −
<SID>ADM for older Oracle releases
<domain_name>\<SID>ADM latest releases
Then you should follow the steps given below −
Grant connect, resource to OPS$ <adm_user>l;
Connect /
Create table SAPUSER ( USERID Varchar(20), PASSWD VARCHAR2(20));
Insert into SAPUSER values (‘SAPR3’,’<password>);
Connect internal
Alter user SAPR3 identified by <password>;
In a similar way, you can create OPS$ for SAPService<SID>. In the following command, you should use SAP_service_user instead of adm_user.
Create user OPS$<SAP_service_user> default tablespace psapuserid temporary tablespace psaptemp identified externally;
Here the <SAP_service_user> is −
SAPService<SID> for older Oracle releases
<domain_name>\SAPservice<SID> for latest releases
Password Management for DB Users
It is necessary to manage passwords for standard users in your database. There are various utilities that you can use for a password change.
How to Change Password for a DBA User Using SAPDBA?
Password can be changed for a DBA user using the command line or GUI. To change the password using the command line, you should use the following command −
Sapdba [-u <user1>/<user1_password>] –user2 <user2_password>
In above command, user1 is the database user that SAPDBA uses to logon into the database.
<user1_password> is the password for user1’s password.
<user2> shows the database user for which the password should be changed.
<user2_password> is the new password for the same user.
In case you want to login using username “SYSTEM” with its default password, you can omit –u from the command.
Sapdba –u system/<system_password>] –sapr3 <sapr3_password>
How to Change Password for SAPR3 Using SVRMGRL?
The SVRMGRL is an old utility that was shipped with prior releases of Oracle and has been used to perform database functions mentioned below. In the latest releases, the Server Manager commands are now available in SQL*Plus.
- Creating Database
- Start and Shut down Database
- Recovery of Database
- Password Management
To change the password, you should follow the steps given below −
- Start SVRMGRL.
- Connect to the database using the connect internal command.
- SVRMGR> connect internal.
- Connected.
The next step is to update the SAPUSER table by entering the command given below −
Update OPS$ <SID>ADM.SAPUSER set PASSWD = ’<new_password>’ where USERID = ’SAPR3’;
You should update the password for SAPR3 in the database using the command line.
Alter user sapr3 is identified by <new_password>