06-23-2009 10:34 AM
Hi All,
I am trying to analyze the risk associated with the data that resides in the directories below.
The following directories can be accessed using transaction AL11.
I am working on the feasibility of restricting access to specific directories.
DIR_ATRA /usr/sap/UK4/DVEBMGS01/data
DIR_BINARY /usr/sap/UK4/SYS/exe/run
DIR_CT_LOGGING /usr/sap/UK4/SYS/global
DIR_CT_RUN /usr/sap/UK4/SYS/exe/ctrun
DIR_DATA /usr/sap/UK4/DVEBMGS01/data
DIR_DBMS /usr/sap/UK4/SYS/SAPDB
DIR_EXECUTABLE /usr/sap/UK4/SYS/exe/run
DIR_EXE_ROOT /usr/sap/UK4/SYS/exe
DIR_GEN /usr/sap/UK4/SYS/gen/dbg
DIR_GEN_ROOT /usr/sap/UK4/SYS/gen
DIR_GLOBAL /usr/sap/UK4/SYS/global
DIR_GRAPH_EXE /usr/sap/UK4/SYS/exe/run
DIR_GRAPH_LIB /usr/sap/UK4/SYS/exe/run
DIR_HOME /usr/sap/UK4/DVEBMGS01/work
DIR_INSTALL /usr/sap/UK4/SYS
DIR_INSTANCE /usr/sap/UK4/DVEBMGS01
DIR_LIBRARY /usr/sap/UK4/SYS/exe/run
DIR_LOGGING /usr/sap/UK4/DVEBMGS01/log
DIR_MEMORY_INSPECTOR /usr/sap/UK4/DVEBMGS01/data
DIR_ORAHOME /oracle/UK4/920_64
DIR_PAGING /usr/sap/UK4/DVEBMGS01/data
DIR_PUT /usr/sap/put
DIR_PERF /usr/sap/tmp
DIR_PROFILE /usr/sap/UK4/SYS/profile
DIR_PROTOKOLLS /usr/sap/UK4/DVEBMGS01/log
DIR_REORG /usr/sap/UK4/DVEBMGS01/data
DIR_ROLL /usr/sap/UK4/DVEBMGS01/data
DIR_RSYN /usr/sap/UK4/SYS/exe/run
DIR_SAPUSERS ./
DIR_SETUPS /usr/sap/UK4/SYS/profile
DIR_SORTTMP /usr/sap/UK4/DVEBMGS01/data
DIR_SOURCE /usr/sap/UK4/SYS/src
DIR_TEMP /tmp
DIR_TRANS /usr/sap/trans
DIR_TRFILES /usr/sap/trans
DIR_TRSUB /usr/sap/trans
interfaces /interfaces
DIR_STREAMSERV /streamserve
DIR_ZEBFTP /home/zebftp
It would be really great if someone could let me know what data actually resides in the above directories, or just route me to the proper channel.
Most of the directories mentioned above seem to be SAP standard; I want to have a fair idea of the data each directory contains.
06-23-2009 11:18 AM
Hi,
Basically, all the directories are SAP standard directories.
/usr - unique system resource; this contains all the files and executables related to the particular host.
/usr/sap - this is basically a mount point; in UNIX it's SAPMNT, and in Windows there would be an additional mount point called SAPLOC.
/usr/sap/UK4 - UK4 is the SID (system identification).
/usr/sap/UK4/SYS/exe/run - it's the place where all the executables are located.
/oracle/UK4/920_64 - this is the Oracle home directory.
/usr/sap/trans - transport directory.
But as far as I understand, only the files are displayed and nothing can be done with them. I think it's not necessary, but still, if you want to restrict the directories, then go to PFCG, create a new role, assign AL11, and change the authorization for S_DATASET, setting the activity to 33.
Let me know if you have any questions on this.
06-23-2009 12:26 PM
repetition removed by moderator
Edited by: Bernhard Hochreiter on Jun 23, 2009 1:32 PM
06-23-2009 12:34 PM
Hi,
Restriction of directory access can be done in the following ways via authorization object S_DATASET.
S_DATASET has 3 fields, viz. 1. Activity, 2. Physical file name, 3. Program name.
a. Restriction via Activity: Following values are possible:
06 Delete
33 Read
34 Write
A6 Read with filter
A7 Write with filter
You can give only 33 for read access to files.
b. Physical file name: Here we can specify the file names to which we give access; if we want to avoid access to a directory, we can omit that file name and give a range, e.g. /usr/sap/a* to /usr/sap/t*. Please let me know if you require further clarification.
Regards
Aveek.
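As an added example (not code from the thread or from SAP), the following Python script ties the two answers together: it reduces the AL11 parameter list from the question to the distinct physical directories that actually need a risk assessment, flags the ones outside the standard /usr/sap/UK4 tree, and then simulates an S_DATASET check (activity, physical file name, program) against a sample role restricted to activity 33. The matching rules are a simplified model of SAP authorization value matching (single values, trailing * as prefix wildcard, from/to ranges as plain string ranges) and are an assumption of this example, as is RSWATCH0 as the checking program; the sample roles and the listing subset are constructed. Confirm real behaviour with SU53/ST01 on the system.

```python
from collections import defaultdict

# Constructed input: a subset of the AL11 listing from the question (SID UK4).
AL11_LISTING = """\
DIR_ATRA /usr/sap/UK4/DVEBMGS01/data
DIR_BINARY /usr/sap/UK4/SYS/exe/run
DIR_DATA /usr/sap/UK4/DVEBMGS01/data
DIR_EXECUTABLE /usr/sap/UK4/SYS/exe/run
DIR_HOME /usr/sap/UK4/DVEBMGS01/work
DIR_LOGGING /usr/sap/UK4/DVEBMGS01/log
DIR_ORAHOME /oracle/UK4/920_64
DIR_PROFILE /usr/sap/UK4/SYS/profile
DIR_SAPUSERS ./
DIR_TEMP /tmp
DIR_TRANS /usr/sap/trans
DIR_TRFILES /usr/sap/trans
DIR_ZEBFTP /home/zebftp
"""


def parse_al11(listing):
    """Turn 'PARAMETER PATH' lines into {parameter: path}; blank lines are skipped."""
    mapping = {}
    for line in listing.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            mapping[parts[0]] = parts[1].strip()
    return mapping


def distinct_directories(mapping):
    """Group parameters by physical path so each directory is risk-assessed once."""
    by_path = defaultdict(list)
    for param, path in mapping.items():
        by_path[path].append(param)
    return {path: sorted(params) for path, params in by_path.items()}


def outside_standard_tree(mapping, sid):
    """Paths not under /usr/sap/<SID> or /usr/sap/trans: DB home, /tmp, custom
    mounts and relative paths. These need a separate owner/permission review."""
    standard = ("/usr/sap/%s/" % sid, "/usr/sap/trans")
    return sorted({p for p in mapping.values() if not p.startswith(standard)})


def field_matches(value, spec):
    """Simplified model of SAP authorization value matching (an assumption of this
    example, not the kernel's exact rules): a (from, to) tuple is an inclusive
    string range, '*' matches anything, a trailing '*' is a prefix match, and any
    other value must match exactly."""
    if isinstance(spec, tuple):
        low, high = spec
        return low <= value <= high
    if spec == "*":
        return True
    if spec.endswith("*"):
        return value.startswith(spec[:-1])
    return value == spec


def authority_check(authorizations, actvt, filename, program):
    """Mirror AUTHORITY-CHECK OBJECT 'S_DATASET': all three fields must be
    satisfied by the same authorization instance, not by different ones."""
    for auth in authorizations:
        if (any(field_matches(actvt, s) for s in auth["ACTVT"])
                and any(field_matches(filename, s) for s in auth["FILENAME"])
                and any(field_matches(program, s) for s in auth["PROGRAM"])):
            return True
    return False


# Constructed sample roles. READONLY_ROLE is the restriction discussed in the
# thread: activity 33 only, limited to the transport and instance log directories.
READONLY_ROLE = [
    {"ACTVT": ["33"],
     "FILENAME": ["/usr/sap/trans*", "/usr/sap/UK4/DVEBMGS01/log*"],
     "PROGRAM": ["*"]},
]
WIDE_OPEN_ROLE = [{"ACTVT": ["*"], "FILENAME": ["*"], "PROGRAM": ["*"]}]

# RSWATCH0 is assumed here to be the report behind AL11 (the checking program).
AL11_PROGRAM = "RSWATCH0"


def directories_allowed(role, mapping, actvt, program=AL11_PROGRAM):
    """Distinct AL11 directories on which the role passes S_DATASET for ACTVT."""
    return sorted(path for path in distinct_directories(mapping)
                  if authority_check(role, actvt, path, program))


if __name__ == "__main__":
    mapping = parse_al11(AL11_LISTING)
    for path, params in sorted(distinct_directories(mapping).items()):
        print("%-32s %s" % (path, ", ".join(params)))
    print("outside standard tree:", outside_standard_tree(mapping, "UK4"))
    print("read (33), READONLY_ROLE:", directories_allowed(READONLY_ROLE, mapping, "33"))
    print("write (34), READONLY_ROLE:", directories_allowed(READONLY_ROLE, mapping, "34"))
```

Two points the model makes visible: a trailing * is a prefix match, so a value like /usr/sap/trans* would also cover a sibling directory whose name merely starts with "trans", and a from/to range is compared as plain strings, so check which paths actually fall inside before relying on it. Run the script to see the 39-parameter list collapse to a handful of directories, with the DB home, /tmp, the relative DIR_SAPUSERS path and the custom mounts called out separately.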