Version / Date | 31 / 2010-08-24 |
Priority | Recommendations/additional info |
Category | Installation information |
Primary Component | BC-DB-ORA Oracle |
Secondary Components | BC-DB-ORA-DBA Database Administration with Oracle |
Summary |
---|
Symptom Database role SAPCONN This note describes the use of the SAP-specific database role SAPCONN. If, after you upgrade your database from Oracle Release 9.2 or lower to Oracle Release 10.2 or higher, you receive the error message "ORA-01031: insufficient privileges" when starting SAP, first check whether the role SAPCONN has been installed and assigned correctly and also that it is active (Note 1028220). Validity of this note The adjustments concerning the use of the SAPCONN role that are described in this note are optional for Oracle Releases 9.2 and 10.1, but they are mandatory as of Release 10.2. Other terms CONNECT, RESOURCE, DBA dba_role_privs, dba_sys_privs, dba_tab_privs user_role_privs, user_sys_privs, user_tab_privs role_role_privs, role_sys_privs, role_tab_privs sapdba.sql, sapconn_role.sql ORA-01031: insufficient privileges session_privs, session_roles Reason and Prerequisites For Oracle Release 10.1 and earlier releases, the CONNECT role included extensive database authorizations. As of Release 10.2, Oracle restricts the CONNECT role to the CREATE SESSION privilege for safety reasons (see chapter 7: Security Policies in Oracle Database 10g Security Guide). Experience has shown that the CONNECT role is assigned to most database users as a sort of minimum role so that they could log on to the database. However, the less comprehensive CREATE SESSION authorization is sufficient to log on to the database. We assume that the incorrect use of the role which leads to an excessive number of users with too many authorizations is due to the name of the role, CONNECT, in relation to the "connect <user>/<pwd>" SQL command. This should be prevented for safety reasons. We recommend that you define application-specific database roles. In higher Oracle releases, both the CONNECT and RESOURCE roles no longer exist. You should therefore no longer use either role in future. As of Oracle Release 10.2, SAP database users only use application-specific database roles (SAPDBA, SAPCONN). Solution Contents of this note SAPCONN application-specific database role The role schema for database users up to Oracle Release 9.2/10.1 The role schema for database users as of Oracle Release 10.2 Installing the SAPCONN role Adjusting the authorizations for <SAP USER> Adjusting the SAPDBA role Adjusting the authorizations for <OPS$-USER> Appendix Monitoring of database roles and database system authorizations System privileges of the CONNECT role up to 10.1 System privileges of the CONNECT role as of 10.2 SAPCONN application-specific database role As of Oracle Release 10.2, you must assign only the SAP-specific database role SAPCONN to a SAP database user, instead of the individual Oracle roles CONNECT, RESOURCE, SELECT_CATALOG_ROLE. The authorizations contained in the Oracle roles CONNECT, RESOURCE, and SELECT_CATALOG_ROLE have been integrated into the SAPCONN roles. The role SAPCONN was adjusted especially to the requirements of the SAP application and contains all the required database authorizations. You cannot assign the system privilege "UNLIMITED TABLESPACE" to a role (ORA-01931: cannot grant UNLIMITED TABLESPACE to a role) and it is therefore not contained in the role SAPCONN. It must be assigned separately. The SAPCONN role is independent from the SAP release you use. Definitions used In the following, <SAP USER> specifies the SAP database user for an SAP application schema:
<OPS$-USER> specifies the following database users (the users exist depending on the relevant platform of the database server):
Role assignment up to Release 9.2/10.1:
Role assignment as of Release 10.2:
To create the SAPCONN role, use the sapconn_role.sql script, which includes an installation instruction and is contained in the <SAPEXE> directory. This script is also attached to this note. Install the SAPCONN role in the database with the following command: Adjusting the authorizations for <SAP USER> The SAP system should be stopped for these changes. The Oracle roles CONNECT and RESOURCE are taken away from the <SAP USER> database users. When you use 'revoke resource', the system authorization 'UNLIMITED TABLESPACE' is automatically revoked at the same time. For this reason, this authorization must be granted again afterwards. With the following command, the required database authorizations are granted to SAP database users through the role SAPCONN: Adjusting the SAPDBA role The SAPDBA role must also be modified slightly for Oracle Release 10.2. Note 134592 contains detailed information about installing and adjusting the new SAPDBA role (see script sapdba_role.sql in the <SAPEXE> directory. Adjusting the authorizations for <OPS$-USER> The authorizations of the OPS$ users are adjusted as follows: The assignment of the SAPDBA role to <OPS$-USER> occurs implicitly during the execution of the script sapdba_role.sql. Therefore, you do not need to explicitly execute the following command again. Appendix Monitoring of database roles and database system authorizations Which default roles are available to the <SAP USER>? The result should look as follows: Which system privileges are available to the <SAP USER>? The result should look as follows: PRIVILEGE: ---------------------- CREATE SESSION ALTER SESSION UNLIMITED TABLESPACE CREATE TABLE CREATE CLUSTER CREATE SYNONYM CREATE VIEW CREATE SEQUENCE CREATE PROCEDURE CREATE TRIGGER ANALYZE ANY CREATE TYPE CREATE OPERATOR CREATE INDEXTYPE How is the SAPCONN role defined? How is the CONNECT role defined? New view DBA_CONNECT_ROLE_GRANTEES: The DBA_CONNECT_ROLE_GRANTEES view displays to which database users the CONNECT role is assigned. This view should not display any SAP database users. To what was the SAPCONN or SAPDBA role assigned? Which roles or system authorizations are assigned to an SAP database user? System privileges of the CONNECT role up to 10.1 CREATE VIEW CREATE TABLE ALTER SESSION CREATE CLUSTER CREATE SESSION CREATE SYNONYM CREATE SEQUENCE CREATE DATABASE LINK System privileges of the CONNECT role as of 10.2 CREATE SESSION |
Related Notes | |
---|---|
1256322 | Establishing a remote database connection in DBACOCKPIT |
1078293 | DBACockpit: Submonitor Workload Reporting |
1028220 | ORA-01031: Insufficient privileges despite SAPCONN role |
985607 | ORA-01031 Creating views after upgrade to Oracle 10g |
963760 | 'ORA-20000: Insufficient privileges' for creating statistics |
700548 | FAQ: Oracle authorizations |
134592 | Importing the SAPDBA role (sapdba_role.sql) |
1 comment:
Usually I never comment on blogs but your article is so convincing that I never stop myself to say something about it. You’re doing a great job Man learn Oracle SOA Online Training
Post a Comment