I'm a member of the DBA team that supports the SAP applications for our company. We need to implement fairly strict security requirements on all of our database environments. The team that manages the SAP infrastructure (known as the Basis team) has no responsibility for the Oracle database infrastructure, performance, or management (and vice verse). The teams are in 2 different organizations and must segregate responsibilities. With this segregation comes the need to restrict access to the SYS/SYSTEM accounts within each database. Only members of the DBA team are authorized to have access to the SYS and SYSTEM accounts (as well as sysdba and sysoper roles), and we need to audit all other users that access the database.

Currently in our SAP environment the <SID>adm account is a member of both the OSDBA and the OSOPER groups. In order to eliminate access to the SYS account through the sysdba/sysoper roles, we want to remove the OSDBA and OSOPER groups from the <SID>adm account. What we donu2019t know is the impact to the system:

What is the impact to the overall SAP environment if we remove these groups from the <SID>adm account?

We understand that the Basis team will no longer be capable of using brarchive, brbackup, brrecover, and brrestore. Currently the only utilities they do use are brconnect, brspace, and brtools. Itu2019s these tools that we are unsure of the impact of this potential change.

Weu2019ve read the Database Security for Oracle white paper from SAP and OSS Note 832662. These help us to a point, but we need to secure things a little tighter. Are there any other specific SAP OSS notes or white papers that we could review that would help us in determining the best course of action to resolve this configuration issue? Any insight or recommendations that can be shared and passed along would be greatly appreciated.

Has anyone else had to address this question?

Thanks.