Oracle database users in the SAP system

An Oracle database system contains two administrative user accounts, SYS and SYSTEM, which are created automatically during installation and assigned the database role DBA.

SYS is the most powerful user in an Oracle database.

  • All tables and views of the database's data dictionary are stored in the schema SYS. These tables and views are critical for the operation of Oracle, so they should never be modified by any user or database administrator, and no one should create any tables in the schema of user SYS.
  • SYS is granted some additional privileges compared to those of role DBA, and can access and modify all data in the database.

A schema is a collection of database objects belonging to a user as owner. A schema is always named after its owner.

SYSTEM is a username used by Oracle for the creation of additional internal tables and views that display administrative information. Although SYSTEM can access all database tables, it has no privilege to change Oracle data dictionary tables.

In an SAP installation:

  • SYSTEM is additionally assigned the database role SAPDBA to allow BR*Tools access to certain tables of the SYS schema.
  • SYSTEM is used as the default user when you call an SAP tool for Oracle administration and make a connection to the database.

The SAP installation procedure always creates the Oracle user SAP<SCHEMA-ID> (or SAPR3 up to SAP Basis release 4.6D), where SCHEMA-ID is in most cases identical with the SAP SID. All tables and indexes of the corresponding SAP system belong to the schema of this database user. However, SAP<SCHEMA-ID> does not have the privilege to perform administrative actions on the database; it is assigned neither the database role DBA nor the role SAPDBA.

Other users created in the Oracle database by SAP make use of an Oracle feature called operating system authentication: If the user OPS$<USERNAME> is defined as identified externally at the database level, it has no password, and the operating system user <USERNAME> can connect to the database without authentication, assuming that the following two Oracle parameters are set:

  • REMOTE_OS_AUTHENT=TRUE (allows remote operating system authentication for OS users with an OPS$ user on any computer in the network from which the database is accessible)
  • OS_AUTHENT_PREFIX=OPS$

These are the default values of the parameters in an SAP system, so normally you do not have to change them. On Windows platforms, the <USERNAME> used in the definition of the OPS$ user includes the name of the Windows domain from which the operating system user originates (or the host name if it is a local user).
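
To review the accounts and parameters described above on a running system, the following queries are an added example, not part of the original page. They assume Oracle 11g or later, where DBA_USERS has the AUTHENTICATION_TYPE column, and a session that can read the V$ and DBA_ views.

```sql
-- Added audit example (not from the original page).
-- Assumption: Oracle 11g or later (DBA_USERS.AUTHENTICATION_TYPE exists)
-- and a session with read access to V$PARAMETER and the DBA_* views.

-- 1. The two parameters that control OPS$ operating system authentication.
--    Parameter names are stored in lowercase in V$PARAMETER.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Accounts defined as IDENTIFIED EXTERNALLY (no database password),
--    with their status and every role granted directly to them.
SELECT u.username,
       u.account_status,
       r.granted_role
  FROM dba_users u
  LEFT JOIN dba_role_privs r
    ON r.grantee = u.username
 WHERE u.authentication_type = 'EXTERNAL'
 ORDER BY u.username, r.granted_role;

-- 3. Every grantee of the administrative roles named on this page.
--    Expected in an SAP installation: SYS and SYSTEM hold DBA,
--    SYSTEM holds SAPDBA, and SAP<SCHEMA-ID> holds neither.
SELECT grantee,
       granted_role,
       admin_option,
       default_role
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'SAPDBA')
 ORDER BY granted_role, grantee;
```

An account that appears in both the second and third result sets deserves review when remote_os_authent is TRUE, because the database then accepts the operating system user name reported by the client host.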
