This is a discussion on SAP DB2 userids within the DB2 forums, part of the Database Server Software category.
Does anyone else support SAP running on top of DB2 in a Unix environment? The consultants we have in here are insisting on creating a different DB2INST owner/userid for each environment and server. They say... "In all the installations they have worked on, this is the way it has been done: different user ids for different boxes/environments."

This seems quite counterintuitive to me, who grew up with ONE userid for all Informix instances on many, many servers. I would guess that DB2 could also have one userid for all of its instances provided each instance was on a separate server.

Oh. I forgot to say; each SAP DB2 instance is on its own server, so we are going to have 4 sandbox, 4 development, 4 QA, and 4 PRD instances and all of them will have a different userid.

Anyone find this odd?
| |||
It may be beneficial from a security point of view, but more cumbersome from an administration point of view. 16 instances... 16 usernames... possibly 16 passwords... unless the authentication happens using some central repository like LDAP etc., where the administrator does not have to remember 16 sets of users/passwd.

regards,

On Aug 9, 4:47 pm, DavidAW...@gmail.com wrote:
> Does anyone else support SAP running on top of DB2 in a Unix
> environment? The consultants we have in here are insisting on
> creating a different DB2INST owner/userid for each environment and
> server. They say... "In all the installations they have worked on,
> this is the way it has been done: different user ids for different
> boxes/environments."
>
> This seems quite counterintuitive to me, who grew up with ONE userid
> for all Informix instances on many, many servers. I would guess that
> DB2 could also have one userid for all of its instances provided each
> instance was on a separate server.
>
> Oh. I forgot to say; each SAP DB2 instance is on its own server, so
> we are going to have 4 sandbox, 4 development, 4 QA, and 4 PRD
> instances and all of them will have a different userid.
>
> Anyone find this odd?
| |||
Thanks for your reply.

My main question is: Are other SAP installations really like this????

I definitely understand what might be perceived as a benefit from a security aspect; however, if I were being walked out the door, how long would it take someone to change all those passwords? A better security solution is to have the instance userid, db owner userid, etc., be all different.

And we don't have a central repository like LDAP interfaced to AIX -- so, yes, I will probably have to remember 16 different userids and 16 different passwords.

On Aug 9, 4:06 pm, dotyet <dot...@yahoo.com> wrote:
> It may be beneficial from a security point of view,
> but more cumbersome from an administration point of view. 16 instances...
> 16 usernames... possibly 16 passwords...
> unless the authentication happens using some central repository like
> LDAP etc., where the administrator does not have to remember 16 sets of
> users/passwd.
>
> regards,
>
> On Aug 9, 4:47 pm, DavidAW...@gmail.com wrote:
>
> > Does anyone else support SAP running on top of DB2 in a Unix
> > environment? The consultants we have in here are insisting on
> > creating a different DB2INST owner/userid for each environment and
> > server. They say... "In all the installations they have worked on,
> > this is the way it has been done: different user ids for different
> > boxes/environments."
>
> > This seems quite counterintuitive to me, who grew up with ONE userid
> > for all Informix instances on many, many servers. I would guess that
> > DB2 could also have one userid for all of its instances provided each
> > instance was on a separate server.
>
> > Oh. I forgot to say; each SAP DB2 instance is on its own server, so
> > we are going to have 4 sandbox, 4 development, 4 QA, and 4 PRD
> > instances and all of them will have a different userid.
>
> > Anyone find this odd?
| |||
DavidAWeis@gmail.com wrote:
> Thanks for your reply.
>
> My main question is: Are other SAP installations really like
> this????

<quote>
Here is what I got from the SAP residents:
"This is the design SAP is based on. Each system (if they need to be part of the transport system) needs a unique SID (3 letters). The SID is part of the user name
Admin user = <sid>adm
dbuser = db2<sid>, ora<sid>, inf<sid>
schema owner = sap<sid>

This design takes also in account that usually more users are allowed to maintain a sandbox system than the production box. Especially in large companies only a few DBAs are allowed to work on production. This is also part of our security design. SAP allows to have multiple systems on one box and by using the same users to maintain different systems the risk of working with the wrong system is too big. Besides I don't think Sarbanes-Oxley would allow such a design.

Since the SID is part of the user there is not much to remember anyway. You need to know which system you would like to work on, like
PRD
QAS
TST
then you know the user to use as well, because they all have the same pattern. If the customer likes he can use the same password for all systems. That's his decision.
Btw. we never had this complaint before.
To answer the last question below, yes all SAP installations work like this.
</quote>

Cheers
Serge
--
Serge Rielau
DB2 Solutions Development
IBM Toronto Lab
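The naming pattern in the quoted SAP reply above can be checked mechanically on each host. The following script is an added example, not part of the thread and not SAP or IBM tooling: it derives the accounts the pattern implies for each SID and audits a passwd-format file against them. The function names, the SID list and the sample file are assumptions constructed for illustration.

```shell
# Added example: audit OS accounts against the <sid>adm / db2<sid> / sap<sid>
# pattern quoted above. SIDs and the passwd-format sample are constructed.

# Print the three account names the pattern implies for one SID.
expected_accounts() {
    sid=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "${sid}adm" "db2${sid}" "sap${sid}"
}

# audit_accounts PASSWD_FILE SID...
#   MISSING <SID> <account>  expected account not present on this host
#   UNMAPPED <account>       admin/instance/schema-style name, no listed SID
audit_accounts() {
    passwd_file=$1; shift
    present=$(cut -d: -f1 "$passwd_file")
    expected=""
    for s in "$@"; do
        for acct in $(expected_accounts "$s"); do
            expected="$expected $acct"
            printf '%s\n' "$present" | grep -qxF -- "$acct" ||
                printf 'MISSING %s %s\n' "$s" "$acct"
        done
    done
    for acct in $present; do
        case $acct in
            db2*|sap???|???adm)
                case " $expected " in
                    *" $acct "*) ;;
                    *) printf 'UNMAPPED %s\n' "$acct" ;;
                esac ;;
        esac
    done
}

# Constructed sample: PRD complete, QAS lacks sapqas, db2inst1 maps to no SID.
sample_passwd() {
    cat <<'EOF'
root:!:0:0::/:/usr/bin/ksh
prdadm:!:301:300::/home/prdadm:/usr/bin/ksh
db2prd:!:302:300::/db2/db2prd:/usr/bin/ksh
sapprd:!:303:300::/home/sapprd:/usr/bin/ksh
qasadm:!:311:310::/home/qasadm:/usr/bin/ksh
db2qas:!:312:310::/db2/db2qas:/usr/bin/ksh
db2inst1:!:320:320::/home/db2inst1:/usr/bin/ksh
EOF
}
tmp=$(mktemp) && sample_passwd > "$tmp" && audit_accounts "$tmp" PRD QAS
rm -f "$tmp"
```

Run per host with that host's own SID list; an UNMAPPED hit such as a generic instance owner is the shared-user situation the SAP reply says the design is meant to avoid.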
| |||
Hi Serge. Thanks for the reply.

From a security aspect, different accounts must have different passwords. Password management is the issue.

In our environment, all the SAP instances are on their own server, so there will not be 2 separate instances on a single server.

From a security aspect, I hope the transport connectivity is not performed at the DB2INST userid level.

I appreciate you contacting your SAP cohorts. I didn't mean to be a "complaint"; more like an oddity; a question; like WHY does it have to be this way?

Since we are not a LARGE company, there is only one DBA. *frown*

Thanks, again.

On Aug 10, 9:03 am, Serge Rielau <srie...@ca.ibm.com> wrote:
> DavidAW...@gmail.com wrote:
> > Thanks for your reply.
>
> > My main question is: Are other SAP installations really like
> > this????
>
> <quote>
> Here is what I got from the SAP residents:
> "This is the design SAP is based on. Each system (if they need to be
> part of the transport system) needs a unique SID (3 letters). The SID is
> part of the user name
> Admin user = <sid>adm
> dbuser = db2<sid>, ora<sid>, inf<sid>
> schema owner = sap<sid>
>
> This design takes also in account that usually more users are allowed to
> maintain a sandbox system than the production box. Especially in large
> companies only a few DBAs are allowed to work on production. This is
> also part of our security design. SAP allows to have multiple systems on
> one box and by using the same users to maintain different systems the
> risk of working with the wrong system is too big. Besides I don't think
> Sarbanes-Oxley would allow such a design.
>
> Since the SID is part of the user there is not much to remember anyway.
> You need to know which system you would like to work on, like
> PRD
> QAS
> TST
> then you know the user to use as well, because they all have the same
> pattern. If the customer likes he can use the same password for all
> systems. That's his decision.
> Btw. we never had this complaint before.
> To answer the last question below, yes all SAP installations work like this.
> </quote>
>
> Cheers
> Serge
>
> --
> Serge Rielau
> DB2 Solutions Development
> IBM Toronto Lab
| |||
<DavidAWeis@gmail.com> wrote in message news:1186692472.117927.42900@x40g2000prg.googlegroups.com...
> Does anyone else support SAP running on top of DB2 in a Unix
> environment? The consultants we have in here are insisting on
> creating a different DB2INST owner/userid for each environment and
> server. They say... "In all the installations they have worked on,
> this is the way it has been done: different user ids for different
> boxes/environments."
>
> This seems quite counterintuitive to me, who grew up with ONE userid
> for all Informix instances on many, many servers. I would guess that
> DB2 could also have one userid for all of its instances provided each
> instance was on a separate server.
>
> Oh. I forgot to say; each SAP DB2 instance is on its own server, so
> we are going to have 4 sandbox, 4 development, 4 QA, and 4 PRD
> instances and all of them will have a different userid.
>
> Anyone find this odd?

I don't work with SAP, but I think it is better to have the same userids and different passwords. That way the db2look contains all the SQL to create or copy the environment to another server.

The instance owner id is a different story. It depends on how many instances per physical server. If your development, integration, QA, UAT, etc. are all on different servers, then you could use the same instance owner id on each, but that is not typical. Anyway, neither the application nor the developers should even know about the instance owner id or password.
| ||||
DavidAWeis@gmail.com wrote:
> I appreciate you contacting your SAP cohorts. I didn't mean to be a
> "complaint"; more like an oddity; a question; like WHY does it have to
> be this way?
>
> Since we are not a LARGE company, there is only one DBA. *frown*

Neither I nor the SAP person saw it as a complaint. :-)
Since I'm no subject matter expert on SAP I wouldn't be able to judge anyway.

Cheers
Serge
--
Serge Rielau
DB2 Solutions Development
IBM Toronto Lab