Create Protect4S VM users and roles

Protect4S VM requires two different types of users:

  • Application users with their applicable roles in the Protect4S system

  • Different types of users in the satellite systems

Protect4S system users

Protect4S VM is an application based on SAP WebDynpro and allows for multiple users accessing the functionality at the same time. In order to access the specific parts of the functionality, all Protect4S VM users need to be provided with a suitable user role.

  • ✔ Due to the sensitive nature of the information that Protect4S VM generates, it is recommended to give due consideration to the role distribution.

  • ✔ Please make sure to always use the latest version of these roles as provided in the support packages.

Protect4S VM distinguishes several different functional user types:

Functional user





Is able to start all menu's. Is required for License Administration



Configures all master data like Systems, Companies, etc.



Plans Projects and has read access to master data



Is able to view the reports produced by Protect4S VM

Reviewer (Management Overview)


Can view the Management Overview report only

Background user


Background user that effectively executes the background jobs for Scan notification and the jobs that run all Projects

Scan export users


Is able to export the Scan reports

Mitigation user


Is able to create mitigation reports

Users in the satellite systems

Depending on the satellite system type, the following user types must be created or present in the satellite systems:

  • ABAP RFC type user(s) for ABAP and dual-stack type systems

  • JAVA users for J2EE type systems (Portal, PI) etc. or dual-stack systems

  • Database users

  • Operating System users

  • BusinessObjects users

Roles required in the satellite systems

The following overview shows the purpose of the roles that needs to be distributed to the satellite systems which are to be connected.



This role is required to execute the checks in the satellite system. It does not have authorizations to perform changes to your system.


This is an optional role which is needed if you would like to distribute roles automatically (only works if CUA is not active for the satellite system)


This is an additional role on top of the ESEC_SA_SATELLITE role for the user used in the destination. It is required for the systems that will be used for mitigation of OSS Notes.

In general this applies for single tier system or Development systems.

Notice, the user type will have to be set as Service.

Last updated