Restricting Access to Database Resources (Unix and Linux up to Database Version 7.4.03) 
Note
A new authorization concept came into effect with database version 7.5.
See Database Administration, Special Operating System Users and Groups (Unix and Linux).
The measures described in the following are relevant only for database versions < 7.5.
Up to and including database version 7.4.03, access rights in SAP systems on Unix and Linux were automatically configured during installation as follows.
Directory |
Privilege |
Owner |
Group |
Comments |
|---|---|---|---|---|
/sapdb/<SID>/sapdata |
750 |
sqd<sid> |
sapsys |
- |
/sapdb/<SID>/saplog |
750 |
sqd<sid> |
sapsys |
- |
/sapdb/<SID>/sapsys |
750 |
sqd<sid> |
sapsys |
- |
/sapdb/<SID>/dbsys |
750 |
sqd<sid> |
sapsys |
No longer applies as of 7.4 |
/sapdb/<SID>/db |
750 |
sqd<sid> |
sapsys |
If a database version 7.5 or higher is installed on a computer together with an older version, change the access privileges for the directory /sapdb/<SID>/db of the older database version to 755. With this, you ensure that the database processes of the newer versions have unrestricted access to the directory. |
File |
Privilege |
Owner |
Group |
Comments |
|---|---|---|---|---|
/sapdb/<SID>/sapdata/* |
660 |
sqd<sid> |
sapsys |
- |
/sapdb/<SID>/saplog/* |
660 |
sqd<sid> |
sapsys |
- |
/sapdb/<SID>/sapsys/* |
660 |
sqd<sid> |
sapsys |
- |
/sapdb/<SID>/dbsys/sys |
660 |
sqd<sid> |
sapsys |
No longer applies as of version 7.4 |
Raw Device |
Privilege |
Owner |
Group |
Comments |
|---|---|---|---|---|
Raw devices for the database system |
660 |
sqd<sid> |
- |
Link to the raw devices used as data volumes or log volumes |
Procedure
To restrict access rights, proceed as follows:
Save the original settings. To do so, enter the following commands:
cd /usr/sap ls -lR > sap_perm.txt
cd /sapmnt ls -lR > sap_sw.txt
cd /sapdb/<SID> ls -lR > sapdb_perm.txt
Grant the desired access privileges for files and directories using the chmod command:
chmod <access_rights_octal> <file_or_directory>
Examplechmod 750 /sapdb/<SID>/sap*
chmod 750 /sapdb/<SID>/sapdata/*
chmod 750 /sapdb/<SID>/saplog/*
...
End of the example.
CautionDo not use chmod recursively. It is easy to make unintended changes to authorizations when doing so.
End of the caution.