SAP Note

113747 - Owners and authorizations for BR*Tools

Version 22 Validity: 10.10.2013 - active

Language English

Header Data
Released On
Release Status
Component

10.10.2013 08:54:41
Released for Customer
BC-DB-ORA-DBA Database Administration with Oracle

Other Components BC-DB-ORA-CCM CCMS/Database Monitors for Oracle

Priority
Category

Recommendations / Additional Info

Consulting

Symptom
This note provides information about how to set the authorizations for the BR*Tools correctly.

Other Terms
DB13, DB14, DB16, DB20, DB24, RZ11

Reason and Prerequisites

Authorization problems

Solution
The following settings are required to call the BR*Tools correctly, especially when using
transaction DB13 or DBACOCKPIT:
(1)
ora<sid> and <sid>adm on DB server have a search path on /sapmnt/<SID>/exe. (All br* are contained
in this directory.)
ora<sid> belongs to the dba group,
<sid>adm belongs to the sapsys group,
(2)
<sid>adm on the database server has the rhosts entry: "+ <sid>adm".
(3)
The Oracle user ops$<sid>adm must be created in the DB and must have the role sapdba (not DBA) (see
SAP Note 134592 for more information).
(4)
brarchive, brbackup, and brconnect belong to ora<sid> and have authorization 4774:
-rwsrwxr-- ora<sid> sapsys ...
Reason:
Both the operating system (OS) user ora<sid> and the OS user <sid>adm (for example, from SAP R/3,
transactions DB13 or DBACOCKPIT) must be able to call these tools. These tools require access
authorization to the database directories and files as well as to the log directories (saparch,
sapbackup, sapcheck, and sapreorg) of the BR*Tools. To ensure that they can be executed by both
ora<sid> and by <sid>adm, they must belong to the user ora<sid>, and the s-bit must be set.
(5)
brrestore, brrecover, brspace, and brtools belong to <sid>adm and have authorization 755:
-rwxr-xr-x <sid>adm sapsys ...
Reason:
These tools may be used only by OS user ora<sid>, but not by <sid>adm. This ensures that the user
<sid>adm does not have write permission for the log directories and therefore cannot create any
logs. For this, no s-bit is set, and it is not necessary to define an owner other than the standard
owner <sid>adm.
If the tools were started using <sid>adm, they would terminate immediately after the start due to
the missing log authorization. However, the user ora<sid> can start the programs despite this and
also has the required authorization for the log directories.
For example:
-rwsrwxr--1
-rwsrwxr--1
-rwsrwxr--1
-rwxr-xr-x1
-rwxr-xr-x1
-rwxr-xr-x1
-rwxr-xr-x1

orasid
orasid
orasid
sidadm
sidadm
sidadm
sidadm

sapsys10022600
sapsys10251536
sapsys12179560
sapsys10708840
sapsys 4140576
sapsys12778384
sapsys 4711664

Aug
Aug
Aug
Aug
Aug
Aug
Aug

23
23
23
23
23
23
23

2012brarchive
2012brbackup
2012brconnect
2012brrecover
2012brrestore
2012brspace
2012brtools

Note 1:
On Linux and Solaris 11, you have to adjust the authorization for brarchive, brbackup, and brconnect

manually if you want to create RMAN backups with the OS user <sid>adm. For more information, see SAP
Note 776505.
Note 2:
Other BR*Tool authorizations apply for Oracle installations with the OS user oracle. For more
information, see SAP Note 1598594.

Other Attributes
Database System

ORACLE

Validity
This document is not restricted to a software component or software component version

References
This document refers to:
SAP Notes
1598594 BR*Tools configuration for Oracle inst. under "oracle" user
776505 ORA-01017/ORA-01031 in BR*Tools on Linux and Solaris 11
651351 BR tools on UNIX: Error due to executable permissions

This document is referenced by:

SAP Notes (3)
651351 BR tools on UNIX: Error due to executable permissions
776505 ORA-01017/ORA-01031 in BR*Tools on Linux and Solaris 11
1598594 BR*Tools configuration for Oracle inst. under "oracle" user