Protect4S - VM User Guide
  • Protect4S - VM User Guide
  • Introduction
    • Quick setup
    • Support
    • Protect4S VM place in SAP system landscape
  • Pre-conditions and installation
    • Supported operating system and database types
    • Software version requirements
    • Recommendations
    • Heterogeneous database connections
  • Protect4S VM Software Installation
    • Add-On Installation, import support packages and upgrade
    • Installation post-processing
  • Create Protect4S VM users and roles
    • Distribution of satellite roles
    • satellite system ABAP RFC user using wizard
    • satellite system ABAP RFC user MANUAL SETUP
    • satellite system JAVA user
    • satellite system database user
    • satellite system operating system user
    • Operating system user other than <sid>adm
    • Satellite system BusinessObjects user
  • Check and set Application settings
  • Protect4S VM Menu
  • Execute the Quick setup
    • Company
    • Systems
      • Creating an ABAP system
      • Creating a JAVA system
      • Creating a BusinessObjects BI system
      • Creating a HANA standalone system
      • Creating a SAP Web Dispatcher system
      • Creating a SAProuter system
      • Creating a SAP Cloud Connector system
      • SAPControl security settings
  • Create a project
    • New project
    • New Scan
  • Check Template
  • Contact persons and Scan subscription
    • Contact persons
    • Scan subscriptions
  • Reports
    • Scan result
    • Scan results information
    • System tab
    • Company tab
    • Scan statistics tab
    • Check overview
    • Risk history
    • Scan statistics
    • Scan export
    • Mitigation report
    • Scan comparison
    • Management overview
    • Connection map
  • Mitigation of Vulnerabilities
    • Mitigation menu
  • Check exemptions
  • SIEM Interface
  • Integration
    • Incident Management
  • Information and support
    • Welcome menu
    • Product information
    • Check information
    • Change log
    • User Guide
    • Report a software defect
    • Feature request
  • Deinstallation
  • Appendix A: Troubleshooting Satellite System connection issues
    • SAPControl connections
    • Database connection
    • JAVA connection
    • HTTPS certificate errors
  • Appendix B: Installation database libraries
    • IBM DB2
    • MSSQL
    • MaxDB
    • Oracle
    • SAP Sybase
    • SAP HANA
  • Appendix C: satellite system Communication Ports
  • Appendix D: Protect4S VM SICF Services
  • Appendix E: using a server group
  • Appendix F System context
  • Appendix G DNS resolving
  • Appendix H Dump in Scan subsciptions
  • Appendix I HTTPURLLOC table
  • Appendix J - Risk Matrix
  • Appendix K - Short dump function module "PFL_GET_SINGLE_PARAMETER" not found
  • FAQs
    • General
    • Installation
    • Configuration
    • Projects and scans
  • Contact us
Powered by GitBook
On this page
  • A) Clone the <sid>adm user
  • B) Use a newly created OS user

Was this helpful?

  1. Create Protect4S VM users and roles

Operating system user other than <sid>adm

Previoussatellite system operating system userNextSatellite system BusinessObjects user

Last updated 2 years ago

Was this helpful?

When, for some reason, the default <sid>adm OS user cannot be used, the following alternatives are possible. Alternative A is best here, because a cloned user can be protected using a no-login shell and is in all aspects equivalent to the <sid>adm user. However: Alternative A is not available for the Windows operating system. For Windows, only the (sub-optimal) Alternative B can be used.

You should only consider alternative B when there is really no other option available, because some Protect4S VM checks on operating system level (the ones that need the OSExecute function of SAPControl) will not work.

A) Clone the <sid>adm user

1. Copy the <sid>adm user record in /etc/passwd and /etc/shadow to a new user

Copy the <sid>adm user record in both the /etc/passwd and /etc/shadow files to a new user.

2. In the /etc/passwd file, change the login shell for the new user into: /sbin/nologin and save

In the example above, the smdadm user record was copied to a new user called smcadm and the login shell was changed to: /sbin/nologin (to prevent user logon).

3. Change the password for the newly created user

(as root): set a new password:

> passwd <new user>

Next: Follow step 8-11 from the below procedure and use this new user and password to create the SAPControl connections in the Protect4S system.

There is no equivalent option to clone a user in Windows.

B) Use a newly created OS user

Procedure for Linux / UNIX:

1. Create new OS-user

(root):

> useradd -d /home/<os-user> -g <sapsys GID> -G sapinst <os-user>

2. Set initial password

(root):

> passwd <os-user>:

Set initial passwd

3. Set final passwd

(root):

> su - <os-user>

> passwd

Enter initial password first then set final password twice

4. Set default shell.

(root):

> vi /etc/passwd

Change shell for <os-user> from /bin/bash to /bin/csh to allow user logon.

Change shell for <os-user> from /bin/bash to /sbin/nologin to prevent user logon.

5. Create home directory

(root):

> mkdir /home/<os-user>

> chown <os-user>:sapsys /home/<os-user>

> chmod 755 /home/<os-user>

6. Copy <sid>adm env to <os-user>

(os-user):

> cd > cp /home/<sid>adm/.* . Logout and login and check environment

7. Check and set correct permissions on sapuxuserchk executable

(root):

> cd /sapmnt/<SID>/exe/uc/linuxx86_64

> chown root:sapsys sapuxuserchk

> chmod u+s,o-rwx sapuxuserchk

Also on all local instance exe directories (DVEBMGSxx, Dxx and ASCSxx):

(root):

> cd /usr/sap/<SID>/<instance>/exe

> chown root:sapsys sapuxuserchk

> chmod u+s,o-rwx sapuxuserchk

For SAP HANA Databases also do the above for the HDB executable directory (e.g. /usr/sap/<HANA SID>/SYS/exe/hdb).

**** 8. Add the following 2 lines to the DEFAULT.PFL of the SAP satellite system (and also for the ASCS instance profile and HANA DB instance if applicable)

service/protectedwebmethods = SDEFAULT

service/admin_users = <os-user>

  • On Unix : service/admin_users = **<**user1> <user2>

  • On Windows: service/admin_users = domain\<user1> domain\<user2>

where <user1> is the normal <sid>adm user and <user2> is the user that was created, separated by space.

For HANA Databases do the above in the DEFAULT.PFL in directory /usr/sap/<HANA SID>/SYS/profile

9. Re-Start SAP Control service for all instances (DVEBMGSxx, Dxx, (A)SCSxx)

(official sap-user):

> sapcontrol -nr <instance# xx> -function RestartService\

10. (Re)create the SAPControl connections using the Systems menu

(Re)create the SAPControl connections in the Systems menu for the SAP satellite system in question and wait several minutes after doing so. The connection will not turn green (as is the case with the <sid>adm user), but yellow instead. This is OK. When you hover your cursor over the yellow icon it will show as:

11. Verify that SAPControl works ok

In the Systems menu for the SAP satellite system concerned, go to the System Context, and inspect the SAPControl context. It should now be filled for all instances:

Procedure for Windows:

For Windows you must create a user as a member of the Groups: SAP_LocalAdmin and Users:

Next: Follow step 8-11 from the above procedure for non-windows systems.

Documentation from SAP can be found in SAP note

927637.
Cloned User
SAPControl connection using alternative OS-user
SAPControl context
Windows Roles required for Protect4S satellite OS user