Vulnerability AIX server (GROUPS/USERS) and SAP Systems?

I hope you can understand me, although my English is not so good.
I have a problem. I have installed 4 SAP systems with different releases on the same server (AIX). Each SAP system got its own operating system user during the installation. But all users belong to the group SAPSYS. So other SAP users can look at or read the existing files. Here's my question: How do I set it up so that the group SAPSYS is not deleted but a user can't read or look at any other system-dependent files? It should be borne in mind that I may not use any other rights structure for the files because the SAP system would not run otherwise. How can I add the group SAPSYS for all SAP systems without users of the same group being able to read other system files? May sound silly but it's a real problem. :)
Thanks in advance for your answers.

Regards
Muhammet

Are all your 4 SAP environments writing into the same directory? Or into 4 different directories that are just 'owned' by the same group?

In the first case I don't know a solution for you except on a per-file basis, but that will be a really bad amount of ongoing work.
In the second case, create 4 additional groups SAPSYS1 SAPSYS2 SAPSYS3 SAPSYS4 and work with ACL lists ... allow and forbid access to the directories according to the environments that are writing into them. Since the most restrictive permission always wins, only the users that are allowed access through the secondary group will be able to access the corresponding directory. If you want e.g. root to read all of them, just don't put the user into the subgroups.

Hope that helps
zxmaus

I do not know a solution for your problem, Muhammet, but I'd be cautious when implementing one. Your SAP systems need to read other system files, like /etc/services, which do not belong to group sapsys, to work properly.

Let's see if I have understood you correctly:

You have 4 instances of SAP on one system with 4 different system users. All the system users belong to group SAPSYS, but shouldn't be able to access the system files of the other installations.

The classic UNIX solution would be: remove the read/write access for the group from the top directories of the installations. You won't have to change anything else because rights are inherited top-down: if a user can't access a directory he can't access its subdirectories, even if their own file mode would allow it.

When you are finished it should look like the following sketch. sap1-4 are the SAP users for instance1-4:

root@your.system:/usr/sap$ ls -l
total 16
drwx------ 2 sap1 sapsys 4096 2009-10-06 01:25 instance1
drwx------ 2 sap2 sapsys 4096 2009-10-06 01:25 instance2
drwx------ 2 sap3 sapsys 4096 2009-10-06 01:25 instance3
drwx------ 2 sap4 sapsys 4096 2009-10-06 01:25 instance4

I hope this helps.

bakunin
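
A check for the layout sketched in the last reply, added here as an example and not part of the thread: it reports every top-level instance directory that still grants any permission bit to group or others. The function names and the sample tree are hypothetical; the tree is built under a temporary directory, not under /usr/sap.

```shell
#!/bin/sh
# Added example (not from the thread): audit the top-level directory of
# each instance. Prints every directory directly under $1 that still
# grants any permission bit to group or others; returns 1 if one exists.
audit_instance_dirs() {
    base=$1
    rc=0
    for d in "$base"/*; do
        [ -d "$d" ] || continue
        # First field of ls -ld is the mode string, e.g. drwxr-x---
        # (-L reports the target if the entry is a symlink; a trailing
        # + or . marking ACLs or labels is ignored by the cut below).
        mode=$(ls -ldL "$d" | awk '{print $1}')
        # Characters 5-10 are the group and other triplets.
        go_bits=$(printf '%s' "$mode" | cut -c5-10)
        if [ "$go_bits" != "------" ]; then
            printf '%s %s\n' "$mode" "$d"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tree: instance1 is locked down at the top but holds
# a permissive subdirectory; instance2 still lets the group in.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/instance1/work" "$t/instance2"
    chmod 775 "$t/instance1/work"
    chmod 700 "$t/instance1"
    chmod 750 "$t/instance2"
    printf '%s\n' "$t"
}

# Stand-alone run: only instance2 is reported. The 775 subdirectory under
# instance1 is not reachable without search permission on its parent.
tree=$(build_sample_tree)
audit_instance_dirs "$tree" || echo "group/other access still open on the directories listed above"
rm -rf "$tree"
```

On a real host the call would be `audit_instance_dirs /usr/sap`, run by a user allowed to list that directory.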