New User Concept for SAP NetWeaver - DOAG

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |

Andreas Becker, Principal Member Technical StaffOracle Server TechnologiesSAP DevelopmentNovember 2015 17 Years Oracle for SAP

New User Concept for SAP NetWeaveron Oracle Database 12c

Copyright © 2015, Oracle and/or its affiliates. All rights reserved.

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

3Oracle and SAP

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. 4Oracle and SAP

New User Concept with Oracle 12c – what to consider and how to prepare?


Agenda

Introduction

User Concept SAP Classic

User Concept Oracle Standard

User Concept Oracle Flex

Summary / Outlook / References

1

2

3

4

5

5Oracle and SAP


Agenda

Introduction





1

2

3

4

5

6Oracle and SAP


Introduction

• User concept for SAP NetWeaver based installations on Oracle on Unix

• User, roles and corresponding tasks

– SAP System Administration

–Oracle Database Administration

–Oracle Database Operation

–Oracle Software installation

• Technical configuration of OS users

• SAP System Security

• SAP Integration and SAP Support

7Oracle and SAP


Different User Concepts for Different Installation TypesSAP on Oracle Database 10g Release 2

8Oracle and SAP

SAP NetWeaveron Oracle

Oracle Single Instance on File System

Oracle RAC

SAP Classic

SAP Classic



9Oracle and SAP



Oracle ASM(Custom)

Oracle RAC(Custom)

Oracle Engineered Systems

Oracle Standard

Oracle Standard

Oracle Standard

SAP Classic


One User Concept for all Installation TypesSAP on Oracle Database 12c Release 1

10Oracle and SAP



Oracle ASM(Custom)

Oracle RAC(Custom)


Oracle Standard

Oracle Standard

Oracle Standard

Oracle Standard


Starting Oracle Database 12c Release 1, for all SAP installations on Unix and Linux the Oracle database software is installed by software owner 'oracle'.

When you upgrade an SAP installation from an earlier Oracle release to 12c, you have to migrate the software owner from ora<dbsid> to oracle as part of the upgrade. For details see SAP Note 1915317.

For a detailed description of the new user concept see SAP Note 1915323.

Reference: SAP Note 1914631 (V27 and before)

11Oracle and SAP

User ConceptStatus until July 28, 2015

http://service.sap.com/sap/support/notes/1915317



Comments from Customers on User Concept Change

• Why change the user concept? Can we use the classic user concept? We don't use RAC, ASM or Exadata. We only have SAP on Oracle with SI/FS only.

• With software owner 'oracle' all instances run under the same user. How can we find the processes of a certain instance?

• With 'oracle' all database files are owned by 'oracle'. This is not secure.

• User 'oracle' has no environment. It is difficult to manage databases from this user. When patching Oracle homes, there is the risk to patch the wrong Oracle home.

• We need to upgrade to 12.1 until 2016. There is not enough time to test the new concept. We need to adapt our scripts and processes.

12Oracle and SAP

PROBLEMS AHEAD


For SAP standard installations with Oracle single instance on file system (SI/FS) on Unix platforms SAP supports user concept 'Oracle Standard' with software owner 'oracle' in addition to the classic user concept 'SAP Classic' with software owner 'ora<dbsid>'.

For details and recommendations see SAP Note 1915323. You can change the user concept from 'SAP Classic' to 'Oracle Standard' - e.g. as part of the upgrade to 12.1. - as described in SAP Note 1915317.

Reference: SAP Note 1914631 (V31)

13Oracle and SAP

User ConceptStatus since August 17, 2015




Agenda

Introduction





1

2

3

4

5

14Oracle and SAP



• User concept for SAP NetWeaver based SAP products on Oracle

– For Single instance on file system (SI/FS)

–On Unix/Linux platforms

• This is the classic user concept for SAP R/3 on Oracle.

• SAP System Administrator '<sapsid>adm'– Responsible for SAP system administration including Oracle database operation

• Oracle Database Administrator 'ora<dbsid>'

– Responsible for Oracle software installation (Software Owner)

– Responsible for Oracle database administration

15Oracle and SAP


Technical Configuration Overview – SAP ClassicFor SI/FS in 12c R1 and beforeSAP System Administrator

<sapsid>adm

brarchivebrbackupbrconnect

ora<dbsid>

Oracle Administrator

dba

dba

BR*ENV

brarchive, brbackup, brconnectbrrecover, brrestore, brspace

Accounts and Roles<sapsid>adm: SAP System Administrator

Oracle database operatorora<dbsid> : Oracle software owner

Oracle database administrator

ORACLE_HOMEdba

oper

sqlplus

DBSID

16Oracle and SAP

.dbenv.sh

.dbenv.sh

oper

oper

BR*ENV

sapsys


Technical Configuration Overview – SAP ClassicMultiple Databases on one Database ServerSAP System Administrator


<sapsid>adm

ora<dbsid>

dba oper

dba oper

dba

oper

SAP System Administrator


<sapsid>adm

ora<dbsid>

ORACLE_HOME

dbaoper

dbaoper

dba

oper

BR*ENV

BR*ENV BR*ENV

BR*ENV


brarchivebrbackup

brconnect

br*toolsbr*tools DBSID1 DBSID2

ORACLE_HOME

17Oracle and SAP

.dbenv.sh

.dbenv.sh

.dbenv.sh

.dbenv.sh

sapsys sapsys


SAP BR*Tools Configuration for SAP Classic

-rwsrwxr-- 1 orasid sapsys 10022600 Aug 23 2012 brarchive-rwsrwxr-- 1 orasid sapsys 10251536 Aug 23 2012 brbackup-rwsrwxr-- 1 orasid sapsys 12179560 Aug 23 2012 brconnect-rwxr-xr-x 1 sidadm sapsys 10708840 Aug 23 2012 brrecover-rwxr-xr-x 1 sidadm sapsys 4140576 Aug 23 2012 brrestore-rwxr-xr-x 1 sidadm sapsys 12778384 Aug 23 2012 brspace-rwxr-xr-x 1 sidadm sapsys 4711664 Aug 23 2012 brtools

• Both the operating system (OS) user ora<sid> and the OS user <sid>adm (for example, from SAP R/3, transactions DB13 or DBACOCKPIT) must be able to call these tools (brarchive, brbackup, brconnect).

• These tools (brrecover, brrestore, brspace, brtools) may be used only by OS user ora<sid>, but not by <sid>adm. This ensures that the user <sid>adm does not have write permission for the log directories and therefore cannot create any logs. For this, no s-bit is set, and it is not necessary to define an owner other than the standard owner <sid>adm.

• SAP Note 113747 - Owners and authorizations for BR*Tools

Oracle and SAP 18

SAP Classic – SAP Note 113747

Executableswith s-bit

Executableswithout s-bit



SAP Classic

Advantages Disadvantages

Oracle and SAP Environment variables for <DBSID> are set simple and easy to use

User Concept SAP Classic is not compatible withinstallations with RAC, ASM and Grid Infrastructure

Separation between SAP administration with <sapsid>adm and Oracle administration with ora<dbsid>

No separation between Oracle software installation/maintenance and database administration

"Optical" separation between different databases on same host

No true / secure separation between database installations on the same host: Same 'dba' and 'oper'group for different 'ora<dbsid>' / different Oracle Homes

Database files and database instance processes are owned by different 'ora<dbsid>'

RMAN requires SYSDBA for Database Backups <sapsid>adm needs SYSDBA privilege

Advantages and Disadvantages

19Oracle and SAP


Agenda

Introduction





1

2

3

4

5

20Oracle and SAP



• User concept for SAP NetWeaver based SAP products on Oracle

– For RAC, ASM and Oracle Engineered Systems (Exadata, ODA, SuperCluster)

–On Unix / Linux platforms

• Starting with Oracle release 11.2, … – this user concept was new introduced into SAP environments for all installations with

Oracle Grid Infrastructure.

• Starting with Oracle release 12.1, …

– this user concept can be used for SI/FS.

21Oracle and SAP



• SAP System Administrator '<sapsid>adm'

– Responsible for SAP system administration including Oracle database operation

– Responsible for Oracle database administration (SAP Default DBA Account)

• Oracle Database Administrator 'ora<dbsid>'– Eliminated in 11.2 because not needed for SAP BR*Tools

– re-introduced with 12.1 first only as optional account, but now mandatory account again (SAP standard account)

– Responsible for Oracle database administration (SAP Secondary DBA Account)

• Oracle Software Owner 'oracle' – Responsible for Oracle software installation (Software Owner) only (!)

22Oracle and SAP


Technical Configuration Overview – Oracle StandardImplementation in Release 11g R2 without ora<dbsid> (RAC, ASM, Engineered Systems)SAP System Administrator

<sapsid>adm


RUNINSTALLER

dba oper

ORACLE_HOMEdba

oper

BR*ENV

oracle

dba oper

oinstall

MOpatch/Opatchoraenv


DBSID

23Oracle and SAP

oinstall

sapsys

.dbenv.sh


SAP Default DBA

oracle : Oracle software owner


Technical Configuration Overview – Oracle StandardImplementation in Release 12c R1 with ora<dbsid> as Secondary DBASAP System Administrator

<sapsid>adm


RUNINSTALLERORACLE_HOME

dba

oper

BR*ENV

oracle

oinstall

MOpatch/Opatch


ora<dbsid>brarchive, brbackup, brconnectbrrecover, brrestore, brspace


SAP Default DBA

ora<dbsid> : SAP Secondary DBA

oracle : Oracle software owner

oraenv

BR*ENV oinstallsqlplus, srvctl

DBSID

24Oracle and SAP

oinstall

sapsys

dba oper

dba oper

dba oper

.dbenv.sh

.dbenv.sh


SAP BR*Tools Configuration for Oracle Standard

-rwsrwsr-- 1 oracle oinstall 7732338 May 31 16:30 brarchive-rwsrwsr-- 1 oracle oinstall 7908129 May 31 16:30 brbackup-rwsrwsr-- 1 oracle oinstall 9970354 May 31 16:30 brconnect-rwsrwsr-- 1 oracle oinstall 8376747 May 31 16:31 brrecover-rwsrwsr-- 1 oracle oinstall 2783544 May 31 16:31 brrestore-rwsrwsr-- 1 oracle oinstall 10479944 May 31 16:31 brspace

-rwxr-xr-x 1 prdadm sapsys 4103679 May 31 16:31 brtools

Runtime environment of BR*ToolsAll BR*Tools programs can be used with the OS user <sapsid>adm and the OS user ora<dbsid>. By default, they are started with the user <sapsid>adm. For both OS users, the DB instance is uniquely defined via the environment variables ORACLE_SID and ORACLE_HOME (plus ORACLE_BASE if appropriate).

The BR*Tools programs should not be used with the OS user "oracle". However, to start the BR*Tools programs with the user "oracle" in exceptional circumstances, you must set the corresponding Oracle environment variables (ORACLE_SID, ORACLE_HOME) and the BR*Tools-specific environment variables (such as SAPDATA_HOME, SAPEXE) beforehand. For more information, see SAP Note 1554661.

Oracle and SAP 25

SAP Note 1598594 - BR*Tools configuration for Oracle installation using user "oracle"

Executables with s-bit

Executables without s-bit



Oracle Standard

Advantages Disadvantages

Unified user concept for all Oracle installations All database files are owned by 'oracle'

Support for shared Oracle Home All instance processes belong to 'oracle'

Separate accounts for database administration and software installation/patching (ora<dbsid> + oracle)

'oracle' has no environment for database <DBSID> risk of patching the wrong Oracle Home

Separation between database administration and SAP administration (ora<dbsid> + <sapsid>adm)

Without 'ora<dbsid>' account there was no separationbetween administration of SAP and administration ofOracle

Advantages and Disadvantages

26Oracle and SAP


Agenda

Introduction





1

2

3

4

5

27Oracle and SAP


User Concept Oracle FlexSAP Note 1915323 V6

NEWS

July 29, 2015

In addition to the current user concept with software owner 'oracle' SAP is planning to provide an additional user concept. This additional user concept is a combination of the classic user concept with software owner 'ora<dbsid>' and the user concept with software owner 'oracle'. It will allow a separation of Oracle database installations on the same host with database-specific software owners. The already existing user 'ora<dbsid>' remains unchanged as Oracle database administrator. An additional user will act as Oracle software owner for software installation and patching for a specific database.

A detailed description of the extended concept will be provided soon.

28Oracle and SAP



• Is a flexible extension of user concept Oracle Standard "Oracle Flex"

• Is a combination of SAP Classic and Oracle Standard "SAP Classic 2.0"

• Removes limitations of Oracle Standard in SI/FS environments

• Is not restricted to SI/FS only, also for RAC, ASM, Engineered Systems

• Is a proposal / draft that is not yet supported by SAP (planned for future)

29Oracle and SAP



• SAP System Administrator '<sapsid>adm'

– Responsible for SAP system administration including Oracle database operation

– Responsible for Oracle database administration for <DBSID>SAP Default DBA Account for <DBSID> (SAP Primary DBA Account)

• Oracle Database Administrator 'ora<dbsid>'– Responsible for Oracle database administration for <DBSID>

SAP Secondary DBA account for <DBSID>

• Oracle Software Owner 'orcl<dbsid>'

– Responsible for Oracle software installation for database <DBSID>SAP Super DBA account for <DBSID> (only for exceptional situations)

30Oracle and SAP



• Database-specific OS groups for OSDBA, OSOPER for secure separationbetween different <DBSID>

– 'dba' 'dba<dbsid>'

– 'oper' 'oper<dbsid>

31Oracle and SAP


Technical Configuration Overview – Oracle FlexConcept IdeaSAP System Administrator

<sapsid>adm


RUNINSTALLER

dba<dbsid> oper<dbsid>

ORACLE_HOMEdba<dbsid>

oper<dbsid>

BR*ENV

orcl<dbsid>

oinstall

MOpatch/Opatch


ora<dbsid>

BR*ENV

brarchive, brbackup, brconnectbrrecover, brrestore, brspace

oinstall


SAP Default DBA

ora<dbsid> : SAP Secondary DBA

orcl<dbsid>: Oracle software owner+ SAP Super DBA

oinstall

BR*ENV



sqlplus

DBSID

32Oracle and SAP

sapsys

.dbenv.sh

.dbenv.sh

.dbenv.sh


Technical Configuration Overview – Oracle FlexMultiple Databases on one Database ServerSAP System Administrator


<sapsid>adm

ora<dbsid>

BR*ENV

BR*ENV

DBSID1 DBSID2


br*tools



oinstall

oinstall

orcl<dbsid>

BR*ENV

dba<dbsid>


oper<dbsid>

oper<dbsid>

SAP System Administrator


<sapsid>adm

ora<dbsid>

BR*ENV

BR*ENV


br*tools

RUNINSTALLERMopatch/Opatch

sqlplusbr*tools

dba<dbsid>oper<dbsid>

dba<dbsid>oper<dbsid>

oinstall

oinstall

orcl<dbsid>

BR*ENV

dba<dbsid>


oper<dbsid>

oper<dbsid>

RUNINSTALLERMopatch/Opatchsqlplusbr*tools

33Oracle and SAP

oinstall

sapsys sapsys

oinstall


SAP BR*Tools Configuration for Oracle Flex

-rwsrwsr-- 1 orcl<dbsid> oinstall 7732338 May 31 16:30 brarchive-rwsrwsr-- 1 orcl<dbsid> oinstall 7908129 May 31 16:30 brbackup-rwsrwsr-- 1 orcl<dbsid> oinstall 9970354 May 31 16:30 brconnect-rwsrwsr-- 1 orcl<dbsid> oinstall 8376747 May 31 16:31 brrecover-rwsrwsr-- 1 orcl<dbsid> oinstall 2783544 May 31 16:31 brrestore-rwsrwsr-- 1 orcl<dbsid> oinstall 10479944 May 31 16:31 brspace

-rwxr-xr-x 1 prdadm sapsys 4103679 May 31 16:31 brtools

Details will be described when user concept Oracle Flex is supported by SAP.

Oracle and SAP 34

Not yet described in an SAP Note

Executables with s-bit

Executables without s-bit


Oracle Flex

Advantages

Unified user concept for all Oracle installations

Separation between Oracle database administration and Oracle software owner

Separation between Oracle database administration and SAP administration

Instance processes can be identified by OS 'ps' command

Database files for database <DBSID> are owned by 'orcl<dbsid>'

No access to DB files on OS level for DBAs other than orcl<dbsid>

Optional use of dedicated DBA account ora<dbsid>

Environment variables for <DBSID> are set for all accounts

Advantages

35Oracle and SAP


Agenda

Introduction





1

2

3

4

5

36Oracle and SAP


User Concept Comparison

SAP Classic Oracle Standard Oracle Flex

Has restrictions/limitations regarding separation and security

Has restrictions/limitations regarding separation and security

Can fulfill requirements regarding separation and security out-of-the-boxflexible and universal user conceptCombination of SAP Classic and Oracle Standard

For SI/FS only For all types of installations For all types of installations

- Support for Shared Oracle Homes -

Release 12.1: still supported by SAP for SI/FS only, deprecated

Release 12.1: SAP standard user concept for all installation types

Release 12.1: Not yet supported bySAP, planned for future

Oracle and SAP 37


SWPM 1.0 SP 09 (or higher): Dialog for Oracle Software Owner: oracle or ora<dbsid>

Oracle and SAP 38

SWPM 1.0 SP 09 (or higher): Dialog for Oracle Database Administrator

Support for SAP Classic and Oracle Standard in SWPM


User ConceptHistory, Current Status and Future

Oracle and SAP 39



40Oracle and SAP



Oracle ASM(Custom)

Oracle RAC(Custom)


Oracle Standard

Oracle Standard

Oracle Standard

SAP Classic


One User Concept for all Installation TypesSAP on Oracle Database 12c Release 1 (original plan)

41Oracle and SAP



Oracle ASM(Custom)

Oracle RAC(Custom)


Oracle Standard

Oracle Standard

Oracle Standard

SAP Classic

Oracle Standard

New in 12.1

De-supported

Original planfor 12.1


One User Concept for all Installation TypesSAP on Oracle Database 12c Release 1

42Oracle and SAP



Oracle ASM(Custom)

Oracle RAC(Custom)


Oracle Standard

Oracle Standard

Oracle Standard

SAP Classic

Oracle Standard

New in 12.1

SupportedDeprecated


User Concepts Supported by SAP in FutureSAP on Oracle Database higher than 12c Release 1

43Oracle and SAP



Oracle ASM(Custom)

Oracle RAC(Custom)


Oracle Flex

Oracle Standard

Oracle Standard

Oracle Flex

Oracle Standard

Oracle Standard

Oracle Flex

Oracle Flex

SAP Classic

Desupported


User Concept Customizations

Oracle and SAP 44


Remove 'oinstall' from DBA Accounts

• 'oinstall' group is required for OS accounts that use SAP BR*Tools

– see 1598594 - BR*Tools configuration for Oracle installation using user "oracle"

• If you remove 'oinstall' from <sapsid>adm or from ora<dbsid>, these accounts can not run BR*Tools any more.

• For DBA accounts in an SAP environment that do not run BR*Tools, the 'oinstall' group is not required

Oracle and SAP 45



SYSBACKUP for Backup and Recovery

• SYSBACKUP is a new administrative privilege in 12c

• For RMAN backup and recovery tasks you can replace SYSDBA by SYSBACKUP

– 11g R2 and before, backup with RMAN requires SYSDBA

– 12c R1 and later: RMAN backup with SYSDBA or SYSBACKUP

Oracle and SAP 46


SYSBACKUP for Backup and Recovery

1. Remove SYSDBA from <sapsid>adm (= remove 'dba' OS group)

2. Grant SYSBACKUP privilege to <sapsid>adm

• With 'SYSOPER' and 'SYSBACKUP' privileges <sapsid>adm can performdatabase backup with RMAN and other database operations (e.g. startup/shutdown).

• Role of <sapsid>adm changes

– from 'Full Database Administrator' to 'Normal Database Operator'

• If you remove s-bit from brrestore <sapsid>adm can not use brrestore anymore for restore/recovery operations

Oracle and SAP 47


SYSBACKUP Configuration for User Concept Oracle StandardOS group 'sback' for SYSBACKUP privilegeSAP System Administrator

<sapsid>adm



BR*ENV

oracle

oinstall

MOpatch/Opatch



oinstall

oraenv

BR*ENV oinstall

dba

oper

sbackdba opersback

sqlplus

dba oper

opersback

DBSIDAdministrative PrivilegesOSDBA : SYSDBA : dbaOSOPER : SYSOPER : operOSBACKUPDBA: SYSBACKUP : sback

48Oracle and SAP

sapsys

Accounts and Roles<sapsid>adm: SAP System Administrator +

SAP Default DBAora<dbsid> : SAP Secondary DBAoracle : Oracle software owner +

SAP Super DBA


SYSBACKUP Configuration for User Concept Oracle StandardOS group 'oper' for SYSBACKUP privilege (SAP Standard)SAP System Administrator

<sapsid>adm



BR*ENV

oracle

oinstall

MOpatch/Opatch



Accounts and Roles<sapsid>adm: SAP System Administrator +

SAP Default DBAora<dbsid> : SAP Secondary DBAoracle : Oracle software owner +

SAP Super DBA

oinstall

oraenv

BR*ENV oinstall

dba

oper

dba oper

sqlplus

dba oper

oper

DBSIDAdministrative PrivilegesOSDBA : SYSDBA : dbaOSOPER : SYSOPER : operOSBACKUPDBA: SYSBACKUP : oper

49Oracle and SAP

sapsys


References

Oracle and SAP 50


ReferencesSAP Notes

Oracle Database 12c Release 1

1914631 - Central Technical Note for Oracle Database 12c Release 1 (12.1)

1915323 - OS User Concept for Oracle Database 12c and higher

1915317 - Migrating Software Owner to 'oracle'

Oracle Database Administration / Database Security

1710997 - Using Personalized Database Administrator Accounts

1755636 - Database Administrators Segregation

51Oracle and SAP






Copyright © 2015, Oracle and/or its affiliates. All rights reserved. Oracle and SAP 52


Too busy to improve?

53Oracle and SAP

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. 54Oracle and SAP

Date post:	19-Jan-2022
Category:	Documents
Upload:	others
View:	3 times
Download:	0 times

New User Concept for SAP NetWeaver - DOAG

Documents