What data resides in directories?

Former Member · ‎06-23-2009

Hi All,

I am trying to analyze the risk associated with data that resides in the below directories.

Following directories can be accessed using transaction AL11.

I am working on the feasibilty to restrict the access to specific directory.

DIR_ATRA /usr/sap/UK4/DVEBMGS01/data

DIR_BINARY /usr/sap/UK4/SYS/exe/run

DIR_CT_LOGGING /usr/sap/UK4/SYS/global

DIR_CT_RUN /usr/sap/UK4/SYS/exe/ctrun

DIR_DATA /usr/sap/UK4/DVEBMGS01/data

DIR_DBMS /usr/sap/UK4/SYS/SAPDB

DIR_EXECUTABLE /usr/sap/UK4/SYS/exe/run

DIR_EXE_ROOT /usr/sap/UK4/SYS/exe

DIR_GEN /usr/sap/UK4/SYS/gen/dbg

DIR_GEN_ROOT /usr/sap/UK4/SYS/gen

DIR_GLOBAL /usr/sap/UK4/SYS/global

DIR_GRAPH_EXE /usr/sap/UK4/SYS/exe/run

DIR_GRAPH_LIB /usr/sap/UK4/SYS/exe/run

DIR_HOME /usr/sap/UK4/DVEBMGS01/work

DIR_INSTALL /usr/sap/UK4/SYS

DIR_INSTANCE /usr/sap/UK4/DVEBMGS01

DIR_LIBRARY /usr/sap/UK4/SYS/exe/run

DIR_LOGGING /usr/sap/UK4/DVEBMGS01/log

DIR_MEMORY_INSPECTOR /usr/sap/UK4/DVEBMGS01/data

DIR_ORAHOME /oracle/UK4/920_64

DIR_PAGING /usr/sap/UK4/DVEBMGS01/data

DIR_PUT /usr/sap/put

DIR_PERF /usr/sap/tmp

DIR_PROFILE /usr/sap/UK4/SYS/profile

DIR_PROTOKOLLS /usr/sap/UK4/DVEBMGS01/log

DIR_REORG /usr/sap/UK4/DVEBMGS01/data

DIR_ROLL /usr/sap/UK4/DVEBMGS01/data

DIR_RSYN /usr/sap/UK4/SYS/exe/run

DIR_SAPUSERS ./

DIR_SETUPS /usr/sap/UK4/SYS/profile

DIR_SORTTMP /usr/sap/UK4/DVEBMGS01/data

DIR_SOURCE /usr/sap/UK4/SYS/src

DIR_TEMP /tmp

DIR_TRANS /usr/sap/trans

DIR_TRFILES /usr/sap/trans

DIR_TRSUB /usr/sap/trans

interfaces /interfaces

DIR_STREAMSERV /streamserve

DIR_ZEBFTP /home/zebftp

It will be really great, If someone can let me know what is the data that actually resides in above directories or just route me to the proper channel.

Most of the directories mentioned above seems like SAP standard, I want to have a fair idea of data that each directory contain.

Former Member · ‎06-23-2009

Hi,

Basically all the directories are sap standard directories.

/usr - unique system resource, this contains all the files and executable related to the particular host.

/usr/sap - this is basically a mount point, in UNIX its SAPMNT and in windows there would be an additional mount point called SAPLOC.

/usr/sap/UK4 - UK4 is the SID (system identification)

/usr/sap/UK4/SYS/exe/run - its the place where all the executables are located.

/oracle/UK4/920_64 - this is the oracle home directory.

/usr/sap/trans - transport directory.

But as far i understand, its only the files that are displayed and nothing could be done out of it. I think its not necessary, but still if you want to restrict the directories then go to PFCG create a new role and assign AL11, and change the authorization for S_DATASET change the activity to 33.

let me know if you have any questions on this.

Former Member · ‎06-23-2009

repetition removed by moderator

Edited by: Bernhard Hochreiter on Jun 23, 2009 1:32 PM

Former Member · ‎06-23-2009

This message was moderated.

former_member701183 · ‎06-23-2009

Hi,

Restriction of Directory access can be done by the following ways in authorization object s_dataset.

S_DATASET has 3 fields viz. 1. Activity 2. Physical File name 3. Program Name.

a. Restriction via Activity: Following values are possible:

06 Delete

33 Read

34 Write

A6 Read with filter

A7 Write with filter

You can only give 33 for read access to files.

b. Physical file name: Here we can mention the file names which we can give access like if we want to avoid access to any directory we can omit that file name and give a range. Eg /usr/sap/a* to /usr/sap/t* etc. Please let me know if you require further clarification.

Regards

Aveek.