Operating Syatem and Databse Users.
To safeguard your SAP system, you must control user access on three different
levels:
1. Operating system
2. Database
3. SAP system

Database users are needed for two different purposes. First the SAP system
itself connects to the database during operation and second the database
administrators are connecting to the database to perform administrative actions.

Oracle System Privileges

System privileges control operations performed by database users on the instance
or database level. There are over 100 system privileges in Oracle.

Object privileges control operations on object level, such as querying data in
tables or views (SELECT) or modifying data (INSERT, UPDATE, DELETE).

The special system privileges SYSDBA and SYSOPER can be thought of as types
of connections. In an SAP system, we use operating system authentication to
connect to Oracle with the privileges SYSDBA or SYSOPER.

Operating System users and groups
In SAP systems with Oracle, special operating system users created during the
installation have privileges for administration and maintenance of the Oracle
database on two levels:
1. They can access Oracle instance directories and files and call database
maintenance tools on operating system level.
2. They can connect to the Oracle instance with special database users and
either perform administrative work or maintain SAP objects and data in
the database.
operating system users and groups in an SAP system with Oracle:
Unix Environment:
OS user| Oracle-relevant| Privileges in Oracle
ora| dba| Full administration of all instances
oper| Restricted administration of all instances
adm| dba| Full administration of all instances
oper| Restricted administration of all instances

Windows 2002/2003environment:
OS user| Oracle-relevant| Previleges in Oracle
OS Group
adm| ORA__DBA| Full administration of instance
ORA__OPER| Restricted administration of instance
ORA_DBA| Full administration of all instance
SAPService| ORA__DBA|Full administration of instance
ORA__OPER|Restricted administration of instance
ORA_DBA| Full administration of all instance

Oracle Database Roles
Within the database, system and object privileges can be pooled to database roles


Privileges are grouped and granted to users through database roles
DBA, contain all system and object privileges needed for administration of the database, however does not include the SYSDBA and SYSOPER system privileges.

So, DBA is the most important role in the Oracle.
Oracle Data Users
Every Oracle database contains two administrative user accounts, SYS and SYSTEM, which are automatically created during installation and assigned the database role DBA.
SYS: Owner of the database’s data dictionary tables and views, can perform
database administration, has privileges to access and modify all
database tables and data.
SYSTEM: Can perform database administration, has privileges to access
database tables and data, but can not modify data dictionary
tables.