cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SAP ECC 6.0 on Oracle 10G

Former Member

on ‎01-31-2011 8:51 AM

0 Kudos

Hi,

My company is using SAP ECC6.0 installed with a Oracle 10G database. On the Oracle database, there are SYS and SYSTEM default system user IDs which have privileged access rights on the database. However, I am not sure if the user IDs are able to perform direct database level changes (e.g. change a value in a SAP table containing employee payroll information) on the oracle database as I was posted this question by the auditor. They have asked me to secure the IDs properly but to my knowledge, these IDs can only perform administrative database level configurations and not direct data level changes.

Can someone shed some light on this?

Thanks!

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (2)

Answers (2)

audunlea_hansen
Active Participant
‎01-31-2011 9:14 AM
0 Kudos

Hi!

You need to change the password for SYS and SYSTEM. Do not change access privs on those two users!

The following users can be locked (and get a new password):

ORACLE_OCM

DBSNMP (This user are in user if you user Oracle Grid Control)

DIP

OUTLN

APPQOSSYS

Regards

Audun

DBA

Show replies
Show replies
Former Member
‎01-31-2011 9:44 AM
0 Kudos

Hi!

Thanks for the replies.

I would really not want to secure the SYS and SYSTEM user IDs if possible.

Are there any data integrity features in SAP which will restrict direct data level modifications on the Oracle database (i.e. data in the Oracle database is locked)?

Thanks!

Former Member
‎01-31-2011 9:55 AM
0 Kudos

Hello,

If by securing you mean setting non-default passwords and restricting access to SYS and SYSTEM to database administrators, then that is exactly what you should do. Database users with administrative privileges, in the case of Oracle: SYS and SYSTEM, always have the ability to read or modify any object in the databases/schemas that they manage. This is not just true for Oracle but for any DBMS.

Regards,

Mark

fidel_vales
Employee
Employee
‎01-31-2011 10:59 AM
0 Kudos

Hello,

if you want to avoid "data" access to those users then you must use "Database Vault"

For more information you should read the following note:

1503634 FAQ: Oracle Database Vault

Former Member
‎01-31-2011 9:04 AM
0 Kudos

Hello,

The SYS and SYSTEM users exist in all Oracle databases and both have full DBA rights. This means they will be able to change anything in the database, including data in tables in the SAP schema. These users must be properly protected by passwords, and access to tools allowing anyone to log on with these IDs (e.g. terminal server access to the database server, which would enable users to access SQLPLUS) must be restricted. You should refrain however from lowering the privileges of either user. As far as I can see this might perhaps be feasible for the SYSTEM user, alhough I have never seen a database where this is done, but it is certainly not allowed for SYS.

Regards,

Mark

Show replies
Show replies
Ask a Question