SAP® MaxDB - User Concept

Moderators: Christiane Hienger

WIKI Space Editor: Christiane Hienger, Thiago Lüttig.

Details

Database System Administrator

This user is the first database user; it is created when the database is installed and is the most important database user. The database system administrator is specified during the database installation with the DBM command db_activate. Exactly one user of type database system administrator exists in each SAP MaxDB database. The database system administrator has the permissions of a database administrator (user class DBA) and additionally those of a Database Manager operator (DBM operator), so it is the user with the most permissions. User name and password are specified during the installation.

There are two copies of this user: one is stored in the UPC file and the other in the persistent representation of the catalog. The database kernel loads the user record from the catalog into its memory. The DBM server maintains both copies.

  • Up to version 7.5 any SQL client may change the name and password of the database system administrator. In that case the copy in the UPC file has to be maintained explicitly (with user_sysdba or load_systab), otherwise the two copies diverge and DBM actions that need this user fail.
  • As of version 7.6 only the Database Manager has the permission to change the name and password of the database system administrator, so it always maintains both copies automatically.

The Database Manager uses the copy in the UPC file for authorization whenever an action requires the special privileges of the database system administrator. An example of such an action is the DBM command load_systab.

A DBM client may also use the database system administrator for authorization at the DBM server.
If the UPC file does not contain the database system administrator, or contains a wrong one, you can store the user information with the DBM commands user_sysdba or load_systab. Note that load_systab additionally loads the system tables.

  • As of version 7.5 the property DBA is part of the user data record in the UPC file.
  • Up to version 7.4 there was no special property DBA; instead key SAPDB5 in file dbm.cfg (maintained with the DBM commands dbm_configget and dbm_configset) contained the name of the database system administrator.

    Example:
    dbmcli -d <database_name> -u <dbm_operator>,<password> user_get <database_system_administrator>
    OK
    SERVERRIGHTS=DBInfoRead,SystemCmd,ExecLoad,...
    GUIRIGHTS=
    SECONDPASSWORD=NO
    DISABLED=NO
    COMMENT=
    USERTYPE=DBA

    In an SAP system, e.g. one installed with SAPinst, this database system administrator is named SUPERDBA.
    Note: If you are doing a system copy with the SAP software provisioning manager (SWPM), the database system administrator must be named SUPERDBA.

    The documentation gives detailed information about the Database System Administrator.

Database Manager Operators

The first Database Manager operator (DBM operator) is the most important DBM operator (named, for example, DBM or CONTROL). This user is specified during the database installation with the DBM command db_create; its user name and password are chosen at installation. In an SAP system this first DBM operator is named CONTROL by default.
The primary copy of this user is stored in the UPC file. A secondary copy is stored in the parameter file of the database, so this user is also a database user. It is the task of the DBM server to maintain these two copies of the user entry. A running database kernel has read the parameter file, so during runtime of the kernel a third copy of the DBM operator exists in the memory representation of the catalog. This is the only user the DBM server can use for authorization at the database kernel in operational state ADMIN. This DBM operator also has the special privileges needed for administrative tasks like backup or adding a volume. Normally the DBM server uses this DBM operator for authorization against the database kernel.

  • As of version 7.5 the property first DBM operator is part of the user data record in the UPC file.
  • Up to version 7.4 there was no such property; instead key SAPDB12 in file dbm.cfg (maintained with the DBM commands dbm_configget and dbm_configset) contained the name of the first DBM operator.
  • As of version 7.5 this key is a fallback if the user record in the UPC file has lost the property first DBM operator.

Example:

dbmcli -d <database_name> -u <dbm_operator>,<password> user_get <dbm_operator>
OK
SERVERRIGHTS=DBInfoRead,SystemCmd,ExecLoad,...
GUIRIGHTS=
SECONDPASSWORD=NO
DISABLED=NO
COMMENT=
USERTYPE=DBM

You can create several Database Manager operator users of type DBM. Users of type DBM are used for administrative tasks performed with Database Studio or the Database Manager Command Line Interface (DBMCLI). DBM operators differ from database users in that they have no permission to execute SQL statements, so you cannot log on to SQL Studio with a DBM operator to run SQL statements.

The documentation gives detailed information about the Database Manager Operators.

Database User

Database users access the data in the database using SQL statements. They do not perform administrative tasks and therefore cannot log on to Database Studio/Database Manager.
Every database user belongs to a database user class (DBA, RESOURCE or STANDARD). These user classes have different authorization levels in the database.

The documentation gives detailed information about the Database Users.

Database Administrator (User class DBA)

A database administrator is a database user of the database user class DBA. Database administrators can manage database users and database objects.

The work processes of an SAP system always connect to the database as a database administrator user: SAPR3, or SAP<SID> as of SAP Basis 6.10.

SAP Content Server databases are connected from the application side using the DBA database user SAPR3.

The documentation gives detailed information about the Database Administrator (DBA user).

Database User (User class STANDARD)

Users of class STANDARD are database users who have only limited rights regarding the management of database objects and no rights regarding user management.
Users of class STANDARD are not used in SAP Systems.

Users belonging to this class can:

  • Access data and database procedures for which they have been granted the necessary privileges

  • Define view tables, synonyms, and temporary tables 

Database User (User class RESOURCE)

RESOURCE users are database users who have additional rights compared to STANDARD database users. They can, for example, grant certain privileges to other users.
Users of class RESOURCE are not used in SAP Systems.

Users belonging to this class can:

  • Define data

  • Create database procedures

  • Grant privileges for their database objects to other database users 

User Profile Container

The user profile container (UPC) is a configuration file of the Database Manager, named dbm.upc or <SID>.upc. It contains the encrypted user records of the DBM operators and of the database system administrator.
For each database, the DBM operators and the database system administrator are stored in the file <SID>.upc (UPC stands for User Profile Container).

  • This file <SID>.upc  is located in directory <independent_data_path>/config.
  • A copy of this file is located in the run directory and is called dbm.upc.
    Both files are binary files.

Users stored in file <SID>.upc can log on to the DBM server and execute administrative tasks.

  • To determine which users are stored in the file <SID>.upc, you can use the following command:
    dbmcli -d <database_name> -u <dbm_operator>,<password> user_getall
  • For each user the property USERTYPE is stored in file <SID>.upc. You can show this property using the following command:
    dbmcli -d <database_name> -u <dbm_operator>,<password> user_get <user_name>

Some administrative tasks can be executed using Database Studio without specifying the user that is actually needed (e.g. load_systab).

  • This works only if the needed user is stored in file <SID>.upc.
  • If such a command is executed, the DBM server checks if a user with the needed USERTYPE is stored in the file <SID>.upc.
  • If this is the case, this user information is used to execute the statement.
  • If no such user is stored, the DBM server returns an error message and you have to specify the needed user.
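The DBM server's lookup described above can be reproduced from the outside to audit a UPC before a system copy or a load_systab. The following script is an added example, not code from this page or from SAP: it runs the user_getall and user_get commands shown in the sections above through dbmcli, parses the KEY=VALUE replies, and reports whether the UPC holds exactly one enabled DBA user (named SUPERDBA, as an SAP system expects), at least one enabled DBM operator, any disabled records, and which users hold the SystemCmd server right. The assumption that user_getall returns one user name per line after the OK line, the constructed sample replies, and the SystemCmd watch-list are mine, not from the page.

```python
"""Audit the users stored in an SAP MaxDB user profile container (UPC).

Added example, not code from the SAP wiki page or from SAP.  Assumes
user_getall returns one user name per line after OK; the sample replies
below are constructed to mirror the page's user_get output.
"""
from __future__ import annotations
import subprocess
from dataclasses import dataclass, field


@dataclass
class UpcUser:
    name: str
    usertype: str                 # DBA, DBM (or SAP for the liveCache SAP user)
    disabled: bool
    serverrights: set[str] = field(default_factory=set)


def parse_dbmcli_reply(reply: str) -> list[str]:
    """Split a dbmcli reply into payload lines; raise if it is not an OK reply."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    if not lines or lines[0] != "OK":
        raise RuntimeError("dbmcli did not return OK: " + " / ".join(lines))
    return lines[1:]


def parse_user_get(name: str, reply: str) -> UpcUser:
    """Parse the KEY=VALUE block returned by `user_get <name>`."""
    props = {}
    for ln in parse_dbmcli_reply(reply):
        key, _, value = ln.partition("=")
        props[key.upper()] = value.strip()
    rights = {r.strip() for r in props.get("SERVERRIGHTS", "").split(",")}
    rights.discard("")
    rights.discard("...")         # the page abbreviates long right lists this way
    return UpcUser(name, props.get("USERTYPE", "").upper(),
                   props.get("DISABLED", "NO").upper() == "YES", rights)


def audit_upc(users: list[UpcUser], sap_system: bool = True) -> list[str]:
    """Findings about the UPC contents; an empty list means nothing to flag."""
    findings = []
    dba = [u for u in users if u.usertype == "DBA" and not u.disabled]
    dbm = [u for u in users if u.usertype == "DBM" and not u.disabled]
    if len(dba) != 1:
        # Without a DBA record the DBM server cannot run load_systab on its own.
        findings.append(f"expected exactly one enabled DBA user, found {len(dba)}")
    elif sap_system and dba[0].name != "SUPERDBA":
        findings.append(f"DBA user is {dba[0].name}; SWPM system copies require SUPERDBA")
    if not dbm:
        findings.append("no enabled DBM operator stored in the UPC")
    findings += [f"{u.name} ({u.usertype}) is disabled" for u in users if u.disabled]
    return findings


def system_cmd_holders(users: list[UpcUser]) -> list[str]:
    """Users holding SystemCmd, the server right for running OS commands via the DBM server."""
    return sorted(u.name for u in users if "SystemCmd" in u.serverrights)


def dbmcli(database: str, credentials: str, *command: str) -> str:
    """Run one DBM command via dbmcli (-u <dbm_operator>,<password>) and return the raw reply."""
    proc = subprocess.run(["dbmcli", "-d", database, "-u", credentials, *command],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def collect_users(database: str, credentials: str) -> list[UpcUser]:
    """user_getall, then user_get for every name the UPC lists."""
    names = parse_dbmcli_reply(dbmcli(database, credentials, "user_getall"))
    return [parse_user_get(n, dbmcli(database, credentials, "user_get", n)) for n in names]


# Constructed sample replies modelled on the page's user_get output.
SAMPLE_REPLIES = {
    "CONTROL": "OK\nSERVERRIGHTS=DBInfoRead,SystemCmd,ExecLoad\nGUIRIGHTS=\n"
               "SECONDPASSWORD=NO\nDISABLED=NO\nCOMMENT=\nUSERTYPE=DBM\n",
    "SUPERDBA": "OK\nSERVERRIGHTS=DBInfoRead,SystemCmd,ExecLoad\nGUIRIGHTS=\n"
                "SECONDPASSWORD=NO\nDISABLED=NO\nCOMMENT=\nUSERTYPE=DBA\n",
}


def sample_users() -> list[UpcUser]:
    return [parse_user_get(n, r) for n, r in SAMPLE_REPLIES.items()]


if __name__ == "__main__":
    import sys
    # Usage: python upc_audit.py <database_name> <dbm_operator>,<password>
    users = collect_users(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else sample_users()
    for u in users:
        print(f"{u.name:<12} {u.usertype:<4} disabled={u.disabled} rights={sorted(u.serverrights)}")
    for f in audit_upc(users):
        print("FINDING:", f)
    print("SystemCmd holders:", system_cmd_holders(users))
```

Run it as a DBM operator against each database before an SWPM system copy; a DBA record under any name other than SUPERDBA, or a missing DBA record, is exactly the situation in which load_systab has to be given -u explicitly.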

Loading the system tables (load_systab):

When the DBM command load_systab is executed with the options -u <database_system_administrator>,<password> -ud <domain_password>, this user information is stored in the file <SID>.upc.

Example: dbmcli -d <database_name> -u <dbm_operator>,<password> load_systab -u <database_system_administrator>,<password> -ud <domain_password>

For an SAP liveCache you have to store the SAP user in the file <SID>.upc (unless it is user SAPR3 with the default password). This entry is needed for special actions like exec_lcinit (e.g. to initialize or start the SAP liveCache). The entry is created with the following command:

dbmcli -d <database_name> -u <dbm_operator>,<password> user_sap <user>,<password>

Additional Information can be found in SAP note 1542818.

Unix/Linux

On Unix/Linux the SAP system runs as user <sid>adm. This user should be a member of the database administrator group sdba.

Microsoft Windows

On Microsoft Windows the SAP system runs as user SAPService<SID>. As of SAP MaxDB version 7.7 this user has to be a member of the local group SDB Operators, the special operating system user group for SAP MaxDB. You can check this with the following command: net localgroup "SDB Operators"
Note: For the SAP system to be able to connect to the SAP MaxDB database, an XUSER entry (in the registry) created by user SAPService<SID> must exist.

Operating System User SDB and User Group SDBA

The database user group (sdb) and the database administrator group (sdba) are owner/GID of:

  • the installed SAP MaxDB/liveCache software
  • all database processes
  • the files and directories shared by application programs and database (independent data directory, global configuration files)
  • database specific files and directories of all databases as of version 7.5.00 (parameter file, parameter history, user profile container, working directory of the database, all subdirectories and files contained in them, volumes, backups, resources (IPC, temporary files))
  • the X server process and its resources

If all permissions are set correctly, the database administrator group (sdba) has:

  • Access to <independent data>/wrk
  • Access to the working directories (RUNDIRECTORY) of databases
  • Access to log files and dump files
  • Access to the database console (XCONS)
  • Access to the volumes (data and log volumes)

Users <sid>adm and sqd<sid> should be members of group sdba. This is not required for database operation, but it makes it easier to access log files and diagnostic tools at operating system level.

XUSER

It is possible to store user information (e.g. user name, password, database name, ...) in a special file (.XUSER.62 in the HOME directory of the OS user on Unix/Linux) or in the registry (Microsoft Windows). The data can only be accessed by the operating system user who owns it. When you want to connect to the database, you only have to specify the defined user key; you no longer have to enter user name and password.

Each SAP application server whose work processes connect to the related SAP MaxDB database must have an XUSER file.
The SAP system uses this concept for the authorization of the work processes. Therefore the XUSER data must be entered for the user <sid>adm (Unix/Linux/Microsoft Windows) and for the user SAPService<SID> (Microsoft Windows) under which the SAP system runs.
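The two Unix/Linux prerequisites above (membership of <sid>adm and sqd<sid> in group sdba, and an XUSER file that only its owning OS user can read) are easy to verify from the account the SAP system runs as. The following script is an added example, not code from this page or from SAP. It parses /etc/group- and /etc/passwd-style text, so it also counts users whose primary GID is sdba, and it checks the mode and owner of .XUSER.62 in the current user's HOME. The constructed sample group/passwd data and the expectation of mode 0600 (my reading of "only the owning OS user can access the data", not a value the page states) are assumptions.

```python
"""Check the Unix/Linux prerequisites for an SAP system on SAP MaxDB:
<sid>adm and sqd<sid> in group sdba, and an owner-only .XUSER.62 file.

Added example, not code from the SAP wiki page or from SAP.  The 0600
expectation for .XUSER.62 and the sample group/passwd data are assumptions.
"""
from __future__ import annotations
import os
import stat


def parse_colon_db(text: str) -> list[list[str]]:
    """Split /etc/group or /etc/passwd text into field lists, skipping blanks and comments."""
    return [ln.split(":") for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def group_members(group_text: str, passwd_text: str, group: str) -> set[str]:
    """All members of `group`: explicit members plus users whose primary GID is that group."""
    members: set[str] = set()
    gid = None
    for fields in parse_colon_db(group_text):
        if len(fields) >= 4 and fields[0] == group:
            gid = fields[2]
            members.update(m for m in fields[3].split(",") if m)
    if gid is not None:
        for fields in parse_colon_db(passwd_text):
            if len(fields) >= 4 and fields[3] == gid:
                members.add(fields[0])
    return members


def missing_sdba_members(sid: str, group_text: str, passwd_text: str) -> list[str]:
    """Which of <sid>adm and sqd<sid> are not members of group sdba (sorted)."""
    wanted = {f"{sid.lower()}adm", f"sqd{sid.lower()}"}
    return sorted(wanted - group_members(group_text, passwd_text, "sdba"))


def xuser_file_issues(path: str) -> list[str]:
    """Findings for an XUSER file: missing, readable by group/other, or owned by someone else."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist; connects via user key will fail"]
    issues = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        issues.append(f"{path} has mode {mode:04o}; expected 0600 (owner only)")
    uid = getattr(os, "getuid", lambda: st.st_uid)()   # os.getuid is absent on Windows
    if st.st_uid != uid:
        issues.append(f"{path} is owned by uid {st.st_uid}, not by the current user {uid}")
    return issues


# Constructed sample databases for an SAP system with SID C11.
SAMPLE_GROUP = """root:x:0:
sdb:x:1000:
sdba:x:1001:c11adm
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
sqdc11:x:1002:1001:SAP MaxDB owner:/home/sqdc11:/bin/sh
c11adm:x:1003:1003:SAP administrator:/home/c11adm:/bin/csh
"""


def check_host(sid: str, group_path: str = "/etc/group", passwd_path: str = "/etc/passwd") -> list[str]:
    """Run both checks on the live host for the OS user running this script."""
    with open(group_path) as g, open(passwd_path) as p:
        group_text, passwd_text = g.read(), p.read()
    findings = [f"{u} is not a member of sdba" for u in missing_sdba_members(sid, group_text, passwd_text)]
    findings += xuser_file_issues(os.path.join(os.path.expanduser("~"), ".XUSER.62"))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python maxdb_os_check.py <SID>   (run as <sid>adm on the application server)
    for line in check_host(sys.argv[1] if len(sys.argv) > 1 else "C11") or ["no findings"]:
        print(line)
```

Run it as <sid>adm on every application server; a missing .XUSER.62 is the first thing to look at when R3trans or the work processes cannot connect, and a file readable by group or other hands the SAP<SID> password to every local account.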

Handy Hint
Note: As of WebAS 6.40, the SAPService<SID> user has the restrictive right "Deny logon locally". Before you can log on to the system locally as SAPService<SID>, you must remove this right for this user, and add it again as soon as you have maintained the XUSER data, so that the service account does not keep an interactive logon it does not need. To do this, choose Start -> All Programs -> Administrative Tools -> Local Security Policy. On the left-hand side choose Local Policies -> User Rights Assignment. In the policy list choose the entry "Deny logon locally" and open the Properties dialog from the context menu (right mouse button). Now you can see all users assigned to this policy and can remove or add users. Alternatively you can maintain the XUSER data of user SAPService<SID> while logged on as the administrator by using the XUSER option -c <account_name>. Example: xuser -c <domain>\SAPService<SID> ...

For SAP liveCache the XUSER data is not needed when central authorization is used. In this case the user information is stored in the tables DBCON and DBCONUSR of the SCM database (before SAP NW 7.40) or in the ABAP Secure Store (SAP note 2148115, as of SAP NW 7.4). In case of connect problems of an SAP system (e.g. R3trans, the work processes, ...) you should always check the XUSER data. To maintain the XUSER data you can use the Database Manager CLI (DBMCLI).

SAP Content Server does not use XUSER entries to connect. As of SAP Content Server version 6.50, SSFS is used.

How the XUSER entries should look like for an SAP system is described in SAP note 39439.

ABAP Secure Store

As of SAP Kernel 7.42 PL 111 / SAP Kernel 7.43 PL 20, SAP MaxDB supports the SSFS CONNECT (ABAP Secure Store).

For Multi-DB-Connect (e.g. in SAP liveCache) or SQL connects to any external database (e.g. DB2, MSSQL, MaxDB, ASE, ...), the CONNECT data is stored in the file SSFS_<SAPSYSTEMNAME>.DAT in the directory <rsec_ssfs_datapath>. Only the password must be encrypted; all other data may be stored in readable form.

The documentation contains detailed information about where the DAT file is to be stored and which rights the directories are allowed to have. You can use the tool rsecssfx to define the CONNECT access data in ABAP Secure Store. For more details see SAP note 2148115.

As of SAP Content Server version 7.50, the SSFS is used to connect to the SAP Content Server database (SAP note 1983930).

Parameter File

The parameter file of the database is located in directory <independent_data_path>/config and is called <database_name>. The parameter file contains the user name and (encrypted) password of the first DBM operator only.

You can check the first DBM operator's name stored in the parameter file with the DBM command user_directget CONTROLUSERID.
