sapsid adm has no access to "dba" group

My client, a LARGE telecom company, has 150+ SAP instances and is in the process of moving most of them from PARISC to Itanium HP servers.
As part of the replatforming effort, we have to create <sapsid>adm ids on the new servers. As per the SAP installation manuals, <sapsid>adm should have "sapsys" as primary and "dba" as secondary group. The Basis, DBA and SA support functions are performed by different work groups and, due to SOX and other internal security policies, the DBA group feels it is against "separation of duties", etc., to have someone other than DBAs have access to the "dba" group and is unwilling to approve "dba" as secondary group for <sapsid>adm. The Basis Admins feel that the failure to allow access to "dba" will negatively impact our ability to perform our Basis support activities. For example: unable to start & stop the database when using the start|stopsap scripts; inability to perform any activity that uses sapinst (as sapinst checks for the existence of <sapsid>adm and its membership of the "sapsys" and "dba" groups); probably some of the database-related transactions within the SAP GUI, etc.
Have any other Basis Admins run across these SOX restrictions? How are they handled in other companies? What other impacts could the failure to have access to the "dba" group have?
Sharing of any experiences in this area would be greatly appreciated.
Alex

Hi Alex,
Making the user <SID>adm part of the group "dba" as secondary group is the SAP standard installation configuration. Indeed, sometimes the internal security policies of organizations do make some restrictions for the "segregation of duties" part, due to which user configurations need to be different at the OS level. SAP does have a solution for that.
Now there can be 3 scenarios and you have to identify which scenario you want to implement:
1. SAP standard configuration where an operator has full privilege for DB administration.
2. An operator is authorized to back up the DB and also to start/shut down the DB, but has restricted privileges to modify the data.
3. Only authorized DBA operators are allowed to execute BR*Tools operations. Such users have no other database access rights.
Please refer to the link below for more details:
http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/9e626b1c-0d01-0010-b2ba-cfa2443c1cce?quicklink=ora&overridelayout=true
Additionally, you can also refer to SAP note 832662.
Regards
Sourabh Majumdar

Similar Messages

  • Does anyone know a way to replicate the SAPSID adm user ?

    We are consulting for one of our clients that uses SAP R/3 with an Oracle 10.2 DB.
    The client has a team of 4 DBAs, and all team members are using the username <SAPSID>adm in order to log in to the DB and conduct changes and other operations.
    We believe this is the wrong way to handle the login authorizations, and we think that each DBA has to have his own user name in order to enable an audit trail. The client's IT team manager claims they don't know how to create personal user names with the authorization level of <SAPSID>adm, and they must use this user name for their needs and operations.
    Does anyone know a way to replicate the <SAPSID>adm user authorizations to some other DB admin user name so they can enable an audit trail for each team member?

    Hello,
    You can create any number of users with authorizations similar to the sidadm user, but I don't think it will serve the purpose because of the way things are designed to be maintained in SAP.
    However, you can utilize an alternative. Create individual OS IDs for each person who has to log on to the OS. Assign 'sudo' access to these individual IDs to log on to 'sidadm' and 'orasid'.
    Thanks

  • SQL Server Agent running SSIS package fails Unable to determine if the owner of job has server access

    I have a web application developed through VS 2012 which has a button on a form that, when operated, starts a SQL Server Agent job on the server that runs an SSIS package. The website and the instance of SQL Server with the agent and SSIS package are on the same Windows 2008 R2 server. When the button is operated no exceptions are raised but the SSIS package did not execute.
    When I look in the log file viewer at the job history of the SQL Server Agent job I see that the job failed with the message...
    The job failed. Unable to determine if the owner (DOMAINNAME\userid) of job runWebDevSmall has server access (reason: Could not obtain information about Windows NT group/user 'DOMAINNAME\userid', error code 0x6e. [SQLSTATE 42000] (Error 15404)).
    ...even though DOMAINNAME\userid is in the logins for the SQL Server and has admin authorities.
    Could someone show me what I need to do to get this to run? Thanks tonnes in advance for any help, Roscoe

    This can happen when the network is too slow to allow a timely completion of the verification. Or the account running it has no such right.
    I suggest you try using the SA account for the job as it does not require polling the AD.
    Arthur

  • To launch SDM tool - using user id other than sapsid adm

    Hi,
    Currently, when we perform deployment using SDM we log in as <sapsid>adm to launch the SDM tools (at the central server instance running under UNIX). However, we would like to restrict the usage of <sapsid>adm due to the concern that this id is powerful and can do a lot of other things.
    Is it possible to use another user id (create a new id and grant the necessary access), just for the purpose of launching SDM to perform deployment?
    Thanks.

    Hello Wai.
    From my point of view it is better to use SDM from a desktop connection. I do it and it's great; I strongly recommend that you try to use it in the same way.
    Steps:
    Create a new folder in your folder.
    Copy the program folder and all the files and folders below it to your laptop (I think that you only need the *.bat files and the lib folder, but I'm not completely sure).
    Change the bat files with the data of your local machine, as an example:
    @set sdm_gui_options=-Dsun.java2d.noddraw=true -Duser.language=en
    @call "D:\Newfolder\program\sdm_prep_com.bat"
    %sdm_com% remotegui "sdmhome=D:\Newfolder\program"
    @pause
    Check all .bat files and change server paths to local paths.
    Regards

  • "change the DBA group" in a windows environment

    I would like to prevent OS-privileged users from connecting as SYSDBA without giving a password!
    (there would be no password file)
    In a Unix environment we can hide the name of the dba group by changing the config at /rdbms/lib
    and relinking:
    Change: #define SS_DBA_GRP "dba" to: #define SS_DBA_GRP "mygroup"
    rm config.o
    make -f ins_rdbms.mk config.o ioracle
    ??? How can I do that in a WINDOWS environment ???

    lkahlenb wrote:
    Sorry, that's a Windows environment.
    I didn't find anything like a config for the group name as in Unix (there is no relinking on Windows).
    If I use Windows I can modify the config (another existing group), relink and recopy the default config.
    So a Unix admin with only basic Oracle know-how is confused.
    I am looking for similar steps on Windows...
    Someone with admin authority on the OS has ultimate authority. Even if you figure out a way to have Oracle use a group other than ora_dba, it won't take a rocket scientist of an SA to figure it out and put himself in the correct group. You need to turn on auditing and have some strong policies regarding DBAs and SAs staying in their lane.

  • User has no authorization for function group SWRS

    Dear SRM Gurus,
    We are facing an issue "User has no authorization for function group SWRS".
    It seems the user has no authorization to access function group SWRS, and this function group relates to workflow substitution.
    Does anyone have any idea in what scenario we are using workflow substitution?
    Are there any roles that need to be assigned?
    I would appreciate it if you could let us know more detail on this.
    Thanks.
    Regards,
    Magesh Basavaraj.

    Hi,
    The authorization object is 'S_WF_SUBST' for the substitute role. Try to assign this object and check.
    Saravanan

  • Does idm support maintenance of access manager's group/role/filtered role

    The XML of the Access Manager Realm Resource Adapter has object types group, role and filtered role with the object feature list: create, update and delete. Does that mean that with the adapter installed, we can make use of IdM to maintain the Access Manager's group/role/filtered role? Is there any customization/configuration needed in order to provision these features in IdM?
    Thanks,

    1. The AM agent can return LDAP attributes after authentication. What you can do is use Sun Directory Server Proxy to provide a virtual view of both LDAP and your DB to AM.
    2. Sun Role Manager is a tool for role mining and attestation, i.e. it helps with compliance verifications, which is required by many businesses these days. Sun Identity Manager does not need Sun Role Manager if you just want to provision roles for your users; however, as appears to be the case in your environment, the roles created by IDM are exported to SRM for compliance verifications.

  • Multiple instances in Windows 7. & Adding Administrator in DBA group

    I have installed two databases using DBCA in Win7,
    & then used set oracle_sid= <old instance name>
    then when I said sqlplus / as sysdba
    The new instance is starting.. then I tried sqlplus sys/sys as sysdba with the previous instance password.. it's asking for user name & password.. ??? which I did give & it's prompting an error..
    how to deal with multiple instances in Windows 7??
    & I created a user using net user administrator /active:no ... now I couldn't get to add this user to the DBA group?? As while editing tnsnames.ora etc. it's saying access denied, so I created an admin user.. now I couldn't log in to the dba user using the administrator profile.. how to add this to the dba group??

    Aduke wrote:
    I have installed two databases using DBCA in Win7,
    & then used set oracle_sid= <old instance name>
    Did you create both databases from the same ORACLE_HOME, or did you actually install Oracle twice, into separate ORACLE_HOMEs, and create your two databases from those separate homes?
    then when I said sqlplus / as sysdba
    The new instance is starting.. then I tried sqlplus sys/sys as sysdba with the previous instance password.. it's asking for user name & password.. ??? which I did give & it's prompting an error..
    how to deal with multiple instances in Windows 7??
    & I created a user using net user administrator /active:no ... now I couldn't get to add this user to the DBA group?? As while editing tnsnames.ora etc. it's saying access denied, so I created an admin user.. now I couldn't log in to the dba user using the administrator profile.. how to add this to the dba group??
    Control Panel
    Computer Management
    Local Users and Groups
    Users (select your Oracle user)
    Properties
    Member Of
    select orcl_dba
    But then, this IS Windows, who knows if your cascade of applets and options is the same as mine? To paraphrase Forrest Gump, "My momma always said Windows was like a box of chocolates. You never know what you're going to get."

  • What level of access a DBA should have on production Environment

    We are in the process of auditing.
    I want to know what level of access a DBA has on a production server.. How about the backups, ONLINE/export backup? Which account should be used for those purposes...
    Can a DBA log in as the SYSTEM or SYS user? Or should he have a separate account to do all the activities..
    I am more on protecting the data from unauthorized users.. Any standards followed for that?
    Best Regards
    Maran

    Hi Maran,
    What level of access a DBA should have on production Environment
    root
    However, there have been cases of dishonest DBAs and SAs manipulating data for profit and stealing data:
    http://www.dba-oracle.com/art_lumigent_whitepaper.htm
    Kevin Mitnick, the noted computer felon, likes to show how security breaches are commonly the result of employee errors. In his book "The Art of Deception", Mitnick talks about his techniques to get trusting employees to disclose confidential information and privileged passwords. In one case Mitnick was able to secure a privileged password using the name Lemonjello, and then bragged about the naïve employee who handed over a system password to someone called "Lemon Jell-O". In this case the IT staff was never able to ascertain the root cause of the breach because their mechanism for the dissemination and auditing of secure information was inadequate.
    Today, there are ways to segregate the audit trails, giving the DBA what they need to do their job, while not giving them the keys to the kingdom.
    Hope this helps . . .
    Donald K. Burleson
    Oracle Press author
    Author of "Oracle Tuning: The Definitive Reference"
    http://www.rampant-books.com/book_2005_1_awr_proactive_tuning.htm

  • Tcode for DBA group

    What are the common transaction codes that should be assigned to the members of the DBA group? I'm trying to use the SAP GUI to support some of the SAP database-related issues and sometimes I find it very hard, due to the missing access to the tcodes.

    only for db admin oracle?
    -> db* (db01, db02, db12, db14, db17 etc.)
    -> st04/st04n (db "cockpit")
    -> st05 (tracing)
    -> st02 & st06 (memory tuning etc.)
    GreetZ, AH

  • Grid user in dba group ?

    Hey,
    according to the best practice paper, the grid user should not be part of the dba user group.
    While running cluvfy, the fixup script will put the user grid into this group.
    Is it necessary to put the grid user into the dba group or can I ignore this message?
    Christian

    Christian wrote:
    Hey,
    according to the best practice paper, the grid user should not be part of the dba user group.
    While running cluvfy, the fixup script will put the user grid into this group.
    Is it necessary to put the grid user into the dba group or can I ignore this message?
    Christian
    Hi, the GRID user can be part of the DBA group, there is no problem; this is designed for when the grid user is supposed to have access to DBs which would be running on the RAC system.
    See
    http://docs.oracle.com/cd/E11882_01/install.112/e22489/prelinux.htm#BABBIDCF

  • DBA Group Initiatives

    I am not sure if I am in the right discussion board or not but here it goes. At our company they want each of the DBAs to lead various initiatives to improve the way we get things done on a day to day basis. They are always looking to us for new ideas to save money or standardize more or use the newest oracle technology. I thought it would be a good idea to start a thread to see what other DBA groups have done to improve their quality. It could be very simple things to not so simple. At our work we have done things like
    standardize the setup on all unix servers by using the same profiles and variables.
    create deployment scripts to create the Oracle Homes and New Database - sets up auditing and locks certain users automatically
    using BMC to monitor processes on servers
    created scripts to monitor the alert logs
    I am looking for ideas from others. I was thinking of something with the 10g scheduler or consumer groups. If anyone has done something like this and would like to share let me know. Thanks
    Edited by: user579934 on Jan 27, 2009 5:14 AM

    user579934 wrote:
    I am not sure if I am in the right discussion board or not but here it goes.
    Nope. Wrong place.
    Forum: Community Feedback and Suggestions (Do Not Post Product-Related Questions Here)
    Use this forum for feedback about OTN programs, Web site content, and systems - product-related questions will be deleted.
    This forum is for any issues or matters relating to the OTN site/forums themselves.
    Your question sounds a bit like it relates to DBA stuff, so perhaps the Database General Forum (http://forums.oracle.com/forums/forum.jspa?forumID=61) would be a good place.

  • Problem with dba group vs oinstall group

    Hi to all ;
    This is related to Oracle as well as some OS-related security problems. Please clarify it.
    I tried but couldn't solve it. All information is given here.
    Testing from user 'a':
    # useradd -m -g oinstall a
    # passwd a
    Changing password for user a.
    New UNIX password:
    BAD PASSWORD: its WAY too short
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
    su - a
    [a@testorcl ~]$ export ORACLE_HOME=/u01/app/oracle/product/10.2.0/db_1
    $ export PATH=$PATH:$ORACLE_HOME/bin
    $ export ORACLE_SID=testdb
    $ sqlplus /nolog
    SQL*Plus: Release 10.2.0.1.0 - Production on Thu Jan 3 01:33:49 2013
    Copyright (c) 1982, 2005, Oracle.  All rights reserved.
    Testing from user 'b':
    # useradd -m -g dba b
    # passwd b
    Changing password for user b.
    New UNIX password:
    BAD PASSWORD: its WAY too short
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
    su - b
    Password:
    $ export ORACLE_HOME=/u01/app/oracle/product/10.2.0/db_1
    $ export PATH=$PATH:$ORACLE_HOME/bin
    $ export ORACLE_SID=testdb
    $ sqlplus /nolog
    sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory
    >> From the oracle user, finding libsqlplus.so >>
    [oracle@testorcl ~]$ find / -name libsqlplus\* -ls 2>/dev/null
    1378188 1296 -rw-r----- 1 oracle oinstall 1319436 Jun 22 2005 /u01/app/oracle/product/10.2.0/db_1/lib/libsqlplus.a
    1378193 1028 -rw-r----- 1 oracle oinstall 1047293 Jun 22 2005 /u01/app/oracle/product/10.2.0/db_1/lib/libsqlplus.so
    SQLPLUS location with its associated group:
    $ ls -l $ORACLE_HOME
    drwxr-x--- 9 oracle oinstall 4096 Dec 24 03:28 sqlplus
    Please note:
    User 'a' belongs to the oinstall group.
    User 'b' belongs to the dba group.
    My questions are:
    1. Why can the OS user access the database with the oinstall group?
    2. Why can't the OS user access the database with the dba group?
    Note: this is the Oracle concept:
    To connect as sysdba using OS authentication, the UNIX OS user must be a part of the OSDBA (dba) group.
    Once the user is part of the OSDBA group. But with OS user 'b' in the dba group I can't connect with sqlplus, so what's the real problem here?
    Version: 10gR2
    $ uname -a
    Linux testorcl 2.6.9-42.0.0.0.1.ELsmp #1 SMP Sun Oct 15 14:02:40 PDT 2006 i686 athlon i386 GNU/Linux
    Edited by: 952909 on Jan 4, 2013 1:03 PM

    Hi Dude,
    Thanks for your reply.
    So, you suggest that I change the install directory permission from 750 to 775.
    $ cd install
    [oracle@testorcl install]$ ls -l
    total 240
    -rw-r-----  1 oracle oinstall      0 Jun  7  2005 createseed1.sh
    -rw-r-----  1 oracle oinstall      0 Jun  7  2005 createseed.sh
    -rw-r-----  1 oracle oinstall    977 Dec 24 03:29 envVars.properties
    drwxr-x---  2 oracle oinstall   4096 Dec 24 03:26 jlib
    -rw-r-----  1 oracle oinstall 194849 Dec 24 03:29 make.log
    -rwxr-xr-x  1 oracle oinstall      0 Dec 24 03:29 oratab
    -rw-r-----  1 oracle oinstall    132 Dec 24 04:01 portlist.ini
    -rw-r-----  1 oracle oinstall    221 Dec 24 04:02 readme.txt
    -rwxr-xr-x  1 oracle oinstall    824 Dec 24 03:28 rootdeletenode.sh
    -rw-r-----  1 oracle oinstall   9646 Dec 24 03:28 rootlocaladd
    -rw-r-----  1 oracle oinstall      0 Jun  7  2005 seed.log
    -rw-r-----  1 oracle oinstall   2800 Jun  7  2005 templocal
    drwxr-x---  2 oracle oinstall   4096 Dec 24 03:29 unix
    drwxr-x---  2 oracle oinstall   4096 Dec 24 03:28 utl
    >> Permission changed as per your suggestion >>
    [oracle@testorcl db_1]$ chmod 775 install
    [oracle@testorcl db_1]$ ls -l
    drwxrwxr-x   5 oracle oinstall   4096 Dec 24 04:02 install
    >> Trying to find changePerm.sh >>
    [oracle@testorcl db_1]$ cd install
    [oracle@testorcl install]$ ./changePerm.sh
    -bash: ./changePerm.sh: No such file or directory
    [oracle@testorcl install]$ cd
    [oracle@testorcl ~]$ whereis changePerm.sh
    changePerm:
    [oracle@testorcl ~]$
    In my testdb the file is not found... Any suggestion on how to find it, Dude?
    Please note:
    http://www.oracle-base.com/articles/10g/oracle-db-10gr2-installation-on-rhel-4.php
    The installation doc didn't say anything about changing the permission related to the install group (from 750 to 775).
    Can you please clarify this?
    Thanks, Dude.

  • Live chat Oracle dba group

    Is there any live chat oracle dba group to join?

    893874 wrote:
    Hi there,
    who has expertise in Oracle table partition and indexes?
    Lots of people here do. If you have a question about it, start a thread on it.
    Just remember that this is a peer-supported and world-wide forum. Don't expect instant answers. First, half the world will be asleep when you post your question. Second, the people with answers are working professionals with real jobs which do NOT pay them for monitoring this forum.

  • Membership of the DBA group

    Hi
    How do I review the membership of the DBA group on the host to ensure that only authorized accounts are included? This must be limited to users who require DBA access.
    Thanks

    Hello,
    You can use the following script to find the DBA privileges granted in the database.
    CLEAR COLUMNS BREAKS COMPUTES
    COLUMN grantee FORMAT a70 HEADING 'Grantee'
    COLUMN granted_role FORMAT a35 HEADING 'Granted Role'
    COLUMN admin_option FORMAT a75 HEADING 'Admin. Option?'
    COLUMN default_role FORMAT a75 HEADING 'Default Role?'
    SELECT grantee,granted_role
    , DECODE( admin_option, 'YES', admin_option , 'NO', admin_option ) admin_option
    , DECODE( default_role, 'YES', default_role , 'NO', default_role) default_role
    FROM
    dba_role_privs
    WHERE
    granted_role = 'DBA'
    ORDER BY
    grantee
    , granted_role;
    Regards,
    Anil
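The script above covers the database-side DBA role. For the host-side review asked about here, and to show why user 'b' in the "dba group vs oinstall group" thread could not reach sqlplus while user 'a' could, here is an added shell example (not from any of the posts): it lists every account holding "dba" as primary or supplementary group, flags members missing from an allow-list, and evaluates the mode bits of ORACLE_HOME entries for a given user. All passwd, group and ls -l data is constructed for the example; on a real host you would feed in /etc/passwd, /etc/group and ls -l "$ORACLE_HOME".

```shell
#!/bin/sh
# Constructed sample data (not from a real host). Layout mirrors the thread:
# ORACLE_HOME owned by oracle:oinstall with mode 750, user a in oinstall, user b in dba.
PASSWD_DATA='root:x:0:0:root:/root:/bin/sh
oracle:x:501:500:Oracle owner:/home/oracle:/bin/sh
c11adm:x:502:503:SAP admin:/home/c11adm:/bin/sh
a:x:503:500:test user a:/home/a:/bin/sh
b:x:504:501:test user b:/home/b:/bin/sh
jsmith:x:505:100:unrelated user:/home/jsmith:/bin/sh'
GROUP_DATA='oinstall:x:500:
dba:x:501:oracle,jsmith
sapsys:x:503:
users:x:100:'
LS_DATA='drwxr-x--- 9 oracle oinstall 4096 Dec 24 03:28 sqlplus
drwxr-x--- 2 oracle oinstall 4096 Dec 24 03:27 lib
drwxrwxr-x 5 oracle oinstall 4096 Dec 24 04:02 install'

# members_of_group NAME -> sorted, space-separated users that hold NAME either as
# primary group (passwd gid field) or as supplementary group (group member list)
members_of_group() {
  gid=$(printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" '$1==g {print $3; exit}')
  {
    printf '%s\n' "$PASSWD_DATA" | awk -F: -v gid="$gid" '$4==gid {print $1}'
    printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" \
      '$1==g && $4!="" {n=split($4,m,","); for(i=1;i<=n;i++) print m[i]}'
  } | sort -u | xargs
}

# unauthorized_members NAME "allowed users" -> members of NAME not on the allow-list
unauthorized_members() {
  allowed=" $2 "
  for u in $(members_of_group "$1"); do
    case "$allowed" in *" $u "*) ;; *) printf '%s\n' "$u" ;; esac
  done | xargs
}

# user_groups USER -> every group name USER belongs to (primary first, then supplementary)
user_groups() {
  pgid=$(printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1==u {print $4}')
  printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" -v pgid="$pgid" \
    '$3==pgid {print $1; next} {n=split($4,m,","); for(i=1;i<=n;i++) if (m[i]==u) print $1}' | xargs
}

# can_traverse USER ENTRY -> exit 0 if USER may enter ENTRY according to the mode bits of
# its ls -l line (owner/group/other triplet, search bit). root is not special-cased here.
can_traverse() {
  line=$(printf '%s\n' "$LS_DATA" | awk -v e="$2" '$NF==e')
  [ -n "$line" ] || return 1
  mode=$(printf '%s\n' "$line" | awk '{print $1}')
  owner=$(printf '%s\n' "$line" | awk '{print $3}')
  grp=$(printf '%s\n' "$line" | awk '{print $4}')
  if [ "$1" = "$owner" ]; then
    bits=$(printf '%s\n' "$mode" | cut -c2-4)                     # owner triplet
  else
    case " $(user_groups "$1") " in
      *" $grp "*) bits=$(printf '%s\n' "$mode" | cut -c5-7) ;;    # group triplet
      *)          bits=$(printf '%s\n' "$mode" | cut -c8-10) ;;   # other triplet
    esac
  fi
  case "$bits" in *x*) return 0 ;; *) return 1 ;; esac
}

echo "dba members on host: $(members_of_group dba)"
echo "dba members not on the allow-list (oracle only): $(unauthorized_members dba oracle)"
for u in a b; do
  can_traverse "$u" sqlplus && echo "$u can enter sqlplus/" || echo "$u cannot enter sqlplus/"
done
```

Membership in "dba" only matters to Oracle's OS authentication; reaching the binaries under a 750 oracle:oinstall ORACLE_HOME still depends on oinstall, which is why the thread's chmod 775 on install "fixed" it.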
