SAP Note 834917 SAPCONN

Note Language: English

Oracle Database 10g: New database role
Version: 31
Validity: Valid Since 23.08.2010

Summary

Symptom
Database role SAPCONN

This note describes the use of the SAP-specific database role SAPCONN.

If, after you upgrade your database from Oracle Release 9.2 or lower to Oracle Release 10.2 or higher, you receive the error message "ORA-01031: insufficient privileges" when starting SAP, first check whether the role SAPCONN has been installed and assigned correctly and also that it is active (Note 1028220).

Validity of this note
The adjustments concerning the use of the SAPCONN role that are described in this note are optional for Oracle Releases 9.2 and 10.1, but they are mandatory as of Release 10.2.

Other terms
CONNECT, RESOURCE, DBA, dba_role_privs, dba_sys_privs, dba_tab_privs, user_role_privs, user_sys_privs, user_tab_privs, role_role_privs, role_sys_privs, role_tab_privs, sapdba.sql, sapconn_role.sql, ORA-01031: insufficient privileges, session_privs, session_roles

Reason and Prerequisites
For Oracle Release 10.1 and earlier, the CONNECT role included extensive database authorizations. As of Release 10.2, Oracle restricts the CONNECT role to the CREATE SESSION privilege for security reasons (see chapter 7, "Security Policies", in the Oracle Database 10g Security Guide). Experience has shown that the CONNECT role was assigned to most database users as a sort of minimum role so that they could log on to the database. However, the far narrower CREATE SESSION privilege is sufficient to log on to the database. We assume that the incorrect use of the role, which leads to an excessive number of users with too many authorizations, is due to the name of the role, CONNECT, which suggests a relation to the "connect <user>/<pwd>" SQL*Plus command. For security reasons this should be prevented. We recommend that you define application-specific database roles. Oracle states that the CONNECT and RESOURCE roles may no longer be provided in later releases. You should therefore no longer use either role in future. As of Oracle Release 10.2, SAP database users use only application-specific database roles (SAPDBA, SAPCONN).

24.11.2010 Page 1 of 7

Solution

Contents of this note
 o SAPCONN application-specific database role
 o Definitions used
 o The role schema for database users up to Oracle Release 9.2/10.1
 o The role schema for database users as of Oracle Release 10.2
 o Installing the SAPCONN role
 o Adjusting the authorizations for <SAP USER>
 o Adjusting the SAPDBA role
 o Adjusting the authorizations for <OPS$-USER>
 o Appendix
   - Monitoring of database roles and database system authorizations
   - System privileges of the CONNECT role up to 10.1
   - System privileges of the CONNECT role as of 10.2

SAPCONN application-specific database role
As of Oracle Release 10.2, you must assign only the SAP-specific database role SAPCONN to an SAP database user, instead of the individual Oracle roles CONNECT, RESOURCE and SELECT_CATALOG_ROLE. The role SAPCONN was tailored to the requirements of the SAP application and contains all the required database authorizations. The SAPCONN role is independent of the SAP release you use. The authorizations contained in the Oracle roles CONNECT, RESOURCE and SELECT_CATALOG_ROLE have been integrated into the SAPCONN role. You cannot assign the system privilege "UNLIMITED TABLESPACE" to a role (ORA-01931: cannot grant UNLIMITED TABLESPACE to a role); it is therefore not contained in the role SAPCONN and must be granted to the user separately.

Definitions used
In the following, <SAP USER> specifies the SAP database user for an SAP application schema:
 o SAP<SCHEMA_ID> or SAPR3 for the ABAP stack
 o SAP<SCHEMA_ID>DB for the Java stack
<OPS$-USER> specifies the following database users (which of them exist depends on the platform of the database server):
 o OPS$ORA<DBSID>
 o OPS$<SAPSID>ADM
 o OPS$<DOMAIN>\SAPSERVICE<SID> or OPS$SAPSERVICE<SID>

 o OPS$<DOMAIN>\<SID>ADM

The role schema for database users up to Oracle Release 9.2/10.1
Role assignment up to Release 9.2/10.1:
 o <SAP USER>: CONNECT, RESOURCE, SELECT_CATALOG_ROLE
 o <OPS$-USER>: CONNECT, RESOURCE, SAPDBA
Quota assignment up to Release 9.2/10.1:
 o <SAP USER>: unlimited tablespace
 o <OPS$-USER>: unlimited tablespace

The role schema for database users as of Oracle Release 10.2
Role assignment as of Release 10.2:
 o <SAP USER>: SAPCONN
 o <OPS$-USER>: SAPDBA
Quota assignment as of Release 10.2:
 o <SAP USER>: unlimited tablespace
 o <OPS$-USER>: unlimited tablespace

Installing the SAPCONN role
To create the SAPCONN role, use the sapconn_role.sql script, which includes an installation instruction and is contained in the <SAPEXE> directory. This script is also attached to this note. Install the SAPCONN role in the database with the following command:
OS> sqlplus /nolog @sapconn_role

Adjusting the authorizations for <SAP USER>
The SAP system should be stopped for these changes. The Oracle roles CONNECT and RESOURCE are taken away from the <SAP USER> database users, and the required database authorizations are granted to them through the role SAPCONN with the following commands:
SQL> revoke connect, resource, select_catalog_role from <SAP USER>;
SQL> grant SAPCONN to <SAP USER>;
SQL> grant unlimited tablespace to <SAP USER>;
When you use 'revoke resource', the system privilege 'UNLIMITED TABLESPACE' is automatically revoked at the same time. For this reason, this privilege must be granted again afterwards.
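The three commands above, together with the UNLIMITED TABLESPACE re-grant and a check of the resulting state, as an added PL/SQL example that is not part of this Note or of sapconn_role.sql. The schema name SAPSR3 and the error numbers -20001 to -20004 are assumptions made for the illustration; substitute your <SAP USER>. Run it as SYS or SYSTEM with the SAP system stopped, after sapconn_role.sql has created the role.

```sql
-- Added example, not from SAP Note 834917 or sapconn_role.sql.
-- Moves one SAP schema user from CONNECT/RESOURCE/SELECT_CATALOG_ROLE to
-- SAPCONN and re-grants UNLIMITED TABLESPACE, which 'revoke resource'
-- silently drops. Re-runnable: legacy roles are revoked only if held.
SET SERVEROUTPUT ON
DECLARE
  v_user CONSTANT VARCHAR2(30) := 'SAPSR3';   -- assumed <SAP USER>; substitute yours
  v_cnt  PLS_INTEGER;

  -- Revoke a legacy role only if the user actually holds it, so a second run
  -- does not fail with ORA-01951 (role not granted to user). DBMS_ASSERT
  -- quotes the user name, which also covers OPS$<DOMAIN>\... style names.
  PROCEDURE revoke_if_held(p_role IN VARCHAR2) IS
    n PLS_INTEGER;
  BEGIN
    SELECT COUNT(*) INTO n FROM dba_role_privs
     WHERE grantee = v_user AND granted_role = p_role;
    IF n > 0 THEN
      EXECUTE IMMEDIATE 'REVOKE ' || p_role || ' FROM ' || DBMS_ASSERT.ENQUOTE_NAME(v_user);
      DBMS_OUTPUT.PUT_LINE('revoked ' || p_role || ' from ' || v_user);
    END IF;
  END revoke_if_held;
BEGIN
  -- Precondition: the role exists (created by sapconn_role.sql).
  SELECT COUNT(*) INTO v_cnt FROM dba_roles WHERE role = 'SAPCONN';
  IF v_cnt = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'SAPCONN role not installed; run sapconn_role.sql first');
  END IF;

  revoke_if_held('CONNECT');
  revoke_if_held('RESOURCE');
  revoke_if_held('SELECT_CATALOG_ROLE');

  EXECUTE IMMEDIATE 'GRANT SAPCONN TO ' || DBMS_ASSERT.ENQUOTE_NAME(v_user);
  -- UNLIMITED TABLESPACE cannot be part of a role (ORA-01931) and is lost
  -- together with RESOURCE, so it is granted directly to the user again.
  EXECUTE IMMEDIATE 'GRANT UNLIMITED TABLESPACE TO ' || DBMS_ASSERT.ENQUOTE_NAME(v_user);

  -- Verify the end state; abort loudly if anything is off.
  SELECT COUNT(*) INTO v_cnt FROM dba_role_privs
   WHERE grantee = v_user
     AND granted_role IN ('CONNECT', 'RESOURCE', 'SELECT_CATALOG_ROLE');
  IF v_cnt > 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'legacy Oracle roles still assigned to ' || v_user);
  END IF;

  -- SAPCONN must also be a DEFAULT role, otherwise it is not active at logon
  -- and the SAP system fails with ORA-01031 (see Note 1028220).
  SELECT COUNT(*) INTO v_cnt FROM dba_role_privs
   WHERE grantee = v_user AND granted_role = 'SAPCONN' AND default_role = 'YES';
  IF v_cnt = 0 THEN
    RAISE_APPLICATION_ERROR(-20003, 'SAPCONN not assigned as default role to ' || v_user);
  END IF;

  SELECT COUNT(*) INTO v_cnt FROM dba_sys_privs
   WHERE grantee = v_user AND privilege = 'UNLIMITED TABLESPACE';
  IF v_cnt = 0 THEN
    RAISE_APPLICATION_ERROR(-20004, 'UNLIMITED TABLESPACE missing for ' || v_user);
  END IF;

  DBMS_OUTPUT.PUT_LINE(v_user || ' migrated to SAPCONN and verified');
END;
/
```

The default-role check is the one most often forgotten: a role can be granted and still be inactive for the session if the user's DEFAULT ROLE list was restricted earlier, which is exactly the ORA-01031 situation the Symptom section refers to.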

Adjusting the SAPDBA role
The SAPDBA role must also be modified slightly for Oracle Release 10.2. Note 134592 contains detailed information about installing and adjusting the new SAPDBA role (see script sapdba_role.sql in the <SAPEXE> directory).

Adjusting the authorizations for <OPS$-USER>
The authorizations of the OPS$ users are adjusted as follows:
SQL> revoke connect, resource from <OPS$-USER>;
SQL> grant SAPDBA to <OPS$-USER>;
SQL> grant unlimited tablespace to <OPS$-USER>;
The assignment of the SAPDBA role to <OPS$-USER> occurs implicitly during the execution of the script sapdba_role.sql. Therefore, if you have already run that script, you do not need to execute the "grant SAPDBA" command again explicitly.

Appendix

Monitoring of database roles and database system authorizations
Which default roles are available to the <SAP USER>?
SQL> connect <SAP USER>/<pwd>
SQL> select * from session_roles;
The result should look as follows:
ROLE
----------------------
SAPCONN
SELECT_CATALOG_ROLE
HS_ADMIN_ROLE

Which system privileges are available to the <SAP USER>?
SQL> connect <SAP USER>/<pwd>
SQL> select * from session_privs;
The result should look as follows:
PRIVILEGE
----------------------
CREATE SESSION
ALTER SESSION
UNLIMITED TABLESPACE
CREATE TABLE
CREATE CLUSTER
CREATE SYNONYM

CREATE VIEW
CREATE SEQUENCE
CREATE PROCEDURE
CREATE TRIGGER
ANALYZE ANY
CREATE TYPE
CREATE OPERATOR
CREATE INDEXTYPE

How is the SAPCONN role defined?
SQL> select granted_role from role_role_privs where role = 'SAPCONN';
SQL> select privilege from role_sys_privs where role = 'SAPCONN';
SQL> select * from role_tab_privs where role = 'SAPCONN';

How is the CONNECT role defined?
SQL> select privilege from role_sys_privs where role = 'CONNECT';

Which roles or system privileges are assigned to an SAP database user?
SQL> select * from dba_role_privs where grantee = '<SAP USER>';
GRANTEE  GRANTED_ROLE          ADM DEF
-------- --------------------- --- ---
SAPSR3   SAPCONN               NO  YES

SQL> select * from dba_sys_privs where grantee = '<SAP USER>';
GRANTEE  PRIVILEGE             ADM
-------- --------------------- ---
SAPSR3   UNLIMITED TABLESPACE  NO

To which users was the SAPCONN or SAPDBA role assigned?
SQL> select grantee, granted_role from dba_role_privs where granted_role in ('SAPDBA', 'SAPCONN');

New view DBA_CONNECT_ROLE_GRANTEES:
The DBA_CONNECT_ROLE_GRANTEES view displays the database users to which the CONNECT role is assigned. This view should not display any SAP database users.
SQL> select * from DBA_CONNECT_ROLE_GRANTEES where grantee like 'SAP%' or grantee like 'OPS$%';

System privileges of the CONNECT role up to 10.1
CREATE VIEW
CREATE TABLE
ALTER SESSION
CREATE CLUSTER
CREATE SESSION
CREATE SYNONYM
CREATE SEQUENCE
CREATE DATABASE LINK
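The monitoring queries in the appendix above inspect one user or one role at a time. The following added audit query, which is not part of this Note, combines the same dictionary views (dba_role_privs, dba_sys_privs) into a single check of every SAP and OPS$ user against the Release 10.2 role schema. It assumes, for the illustration, that SAP database users are the ones whose names start with SAP or OPS$; on a correctly migrated system it returns no rows. Run it as a DBA user.

```sql
-- Added example, not from SAP Note 834917. Lists every deviation from the
-- 10.2 role schema: <SAP USER> -> SAPCONN, <OPS$-USER> -> SAPDBA, both with
-- UNLIMITED TABLESPACE and without CONNECT/RESOURCE/SELECT_CATALOG_ROLE.
-- The name filter (SAP%, OPS$%) is an assumption; adjust it to your users.
WITH sap_users AS (
  SELECT username
    FROM dba_users
   WHERE username LIKE 'SAP%' OR username LIKE 'OPS$%'
),
findings AS (
  -- 1. Legacy Oracle roles still granted directly (should be revoked).
  SELECT r.grantee AS username,
         'legacy role still granted: ' || r.granted_role AS finding
    FROM dba_role_privs r
    JOIN sap_users u ON u.username = r.grantee
   WHERE r.granted_role IN ('CONNECT', 'RESOURCE', 'SELECT_CATALOG_ROLE')
  UNION ALL
  -- 2. Schema user without SAPCONN, or SAPCONN granted but not a default
  --    role (inactive at logon -> ORA-01031, see Note 1028220).
  SELECT u.username, 'SAPCONN missing or not a default role'
    FROM sap_users u
   WHERE u.username LIKE 'SAP%'
     AND NOT EXISTS (SELECT 1 FROM dba_role_privs r
                      WHERE r.grantee = u.username
                        AND r.granted_role = 'SAPCONN'
                        AND r.default_role = 'YES')
  UNION ALL
  -- 3. OPS$ user without SAPDBA as a default role.
  SELECT u.username, 'SAPDBA missing or not a default role'
    FROM sap_users u
   WHERE u.username LIKE 'OPS$%'
     AND NOT EXISTS (SELECT 1 FROM dba_role_privs r
                      WHERE r.grantee = u.username
                        AND r.granted_role = 'SAPDBA'
                        AND r.default_role = 'YES')
  UNION ALL
  -- 4. UNLIMITED TABLESPACE lost, typically as a side effect of
  --    'revoke resource'; it cannot come from a role (ORA-01931).
  SELECT u.username, 'UNLIMITED TABLESPACE not granted'
    FROM sap_users u
   WHERE NOT EXISTS (SELECT 1 FROM dba_sys_privs s
                      WHERE s.grantee = u.username
                        AND s.privilege = 'UNLIMITED TABLESPACE')
)
SELECT username, finding
  FROM findings
 ORDER BY username, finding;
```

Finding 1 overlaps with the DBA_CONNECT_ROLE_GRANTEES check above for CONNECT, but additionally catches RESOURCE and a direct SELECT_CATALOG_ROLE grant, which that view does not show.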

System privileges of the CONNECT role as of 10.2
CREATE SESSION

Header Data
Release Status: Released for Customer
Released on: 24.08.2010 08:14:35
Master Language: German
Priority: Recommendations/additional info
Category: Installation information
Primary Component: BC-DB-ORA Oracle
Secondary Components: BC-DB-ORA-DBA Database Administration with Oracle
The Note is release-independent

Related Notes
Number   Short Text
1256322  Establishing a remote database connection in DBACOCKPIT
1078293  DBACockpit: Submonitor Workload Reporting
1028220  ORA-01031: Insufficient privileges despite SAPCONN role
985607   ORA-01031 Creating views after upgrade to Oracle 10g
963760   'ORA-20000: Insufficient privileges' for creating statistics
700548   FAQ: Oracle authorizations
134592   Importing the SAPDBA role (sapdba_role.sql)

Attributes
Attribute        Value
Database system  ORACLE
Database system  Oracle 10.2
Database system  Oracle 11.2

Attachments

File Type  File Name         Language  Size
SAR        SAPCONN_ROLE.SAR  E         1 KB
