Protect4S - VM User Guide
  • Protect4S - VM User Guide
  • Introduction
    • Quick setup
    • Support
    • Protect4S VM place in SAP system landscape
  • Pre-conditions and installation
    • Supported operating system and database types
    • Software version requirements
    • Recommendations
    • Heterogeneous database connections
  • Protect4S VM Software Installation
    • Add-On Installation, import support packages and upgrade
    • Installation post-processing
  • Create Protect4S VM users and roles
    • Distribution of satellite roles
    • satellite system ABAP RFC user using wizard
    • satellite system ABAP RFC user MANUAL SETUP
    • satellite system JAVA user
    • satellite system database user
    • satellite system operating system user
    • Operating system user other than <sid>adm
    • Satellite system BusinessObjects user
  • Check and set Application settings
  • Protect4S VM Menu
  • Execute the Quick setup
    • Company
    • Systems
      • Creating an ABAP system
      • Creating a JAVA system
      • Creating a BusinessObjects BI system
      • Creating a HANA standalone system
      • Creating a SAP Web Dispatcher system
      • Creating a SAProuter system
      • Creating a SAP Cloud Connector system
      • SAPControl security settings
  • Create a project
    • New project
    • New Scan
  • Check Template
  • Contact persons and Scan subscription
    • Contact persons
    • Scan subscriptions
  • Reports
    • Scan result
    • Scan results information
    • System tab
    • Company tab
    • Scan statistics tab
    • Check overview
    • Risk history
    • Scan statistics
    • Scan export
    • Mitigation report
    • Scan comparison
    • Management overview
    • Connection map
  • Mitigation of Vulnerabilities
    • Mitigation menu
  • Check exemptions
  • SIEM Interface
  • Integration
    • Incident Management
  • Information and support
    • Welcome menu
    • Product information
    • Check information
    • Change log
    • User Guide
    • Report a software defect
    • Feature request
  • Deinstallation
  • Appendix A: Troubleshooting Satellite System connection issues
    • SAPControl connections
    • Database connection
    • JAVA connection
    • HTTPS certificate errors
  • Appendix B: Installation database libraries
    • IBM DB2
    • MSSQL
    • MaxDB
    • Oracle
    • SAP Sybase
    • SAP HANA
  • Appendix C: satellite system Communication Ports
  • Appendix D: Protect4S VM SICF Services
  • Appendix E: using a server group
  • Appendix F System context
  • Appendix G DNS resolving
  • Appendix H Dump in Scan subsciptions
  • Appendix I HTTPURLLOC table
  • Appendix J - Risk Matrix
  • Appendix K - Short dump function module "PFL_GET_SINGLE_PARAMETER" not found
  • FAQs
    • General
    • Installation
    • Configuration
    • Projects and scans
  • Contact us
Powered by GitBook
On this page
  • In the examples below
  • MaxDB
  • DB2
  • ORACLE
  • ASE / Sybase (till 15.70)
  • HANA (non-standalone)
  • HANA standalone
  • MSSQL (support as of MSSQL 2012)

Was this helpful?

  1. Create Protect4S VM users and roles

satellite system database user

Database connections are not mandatory for most systems (apart for Java), but in order to get the most out of Protect4S VM, we recommend to create a database connection using the System connection wizard. For this connection you will need to create a database user in the database of the satellite system.

Also keep in mind that if you connect to a satellite data base type other then the one of the Protect4S system, you might need to install Database libraries for that Database. See Appendix B: Installation database libraries.

✔ If you choose not to create a database connection this implies that some specific database checks might fail with the error message “Unable to process the check by a technical error”.

✔ If the database connection is not available then in some cases a fallback mechanism is used to retrieve database specific information. For example for ABAP systems an RFC is used for MSSQL and MaxDB. For HANA a fallback is implemented via the OS command HDBCLI. This will only work if the SAPControl connection user is the <sid>adm OS user and can access the hdbuserstore.

✔ For Java systems, Database connections are mandatory as many checks rely on this connection type.

In the System connection wizard, a database connection will be created. A user with read-only access (SELECT privilege) is required on the following tables (Depending if you have an ABAP or JAVA stack):

All Database Types ABAP Schema

All Database Types JAVA Schema

Additional tables for MSSQL

Additional tables for HANA

DD09L, USRACL, SEC_POLICY_ATTR, SEC_POLICY_RT, EWOSS, SPTH, USR02 (no pw hashes read), TDDAT, RSAUPROF, VSCAN_PROF, AGR_USERS, SRT_CFG_CLI_ASGN, USR40, UST04, PRGN_CUST, SXPGCOSTAB, RFCDES, RFCCBWHITELIST, SXROUTE, TCCSEC, SSF_PSE_H, SSF_PSE_L, ADIRACCESS, TMSPVERS, /SSF/DHEAD, DEVACCESS, ICF_SESSION_CNTL, VSCAN_SERVER, TMSPCONF, UCONCOCKPIT, SLDW_HEADER, USOBAUTHINACTIVE

J2EE_CONFIGENTRY

sys.objects, sys.server_principals, sys.server_role_members, sys.sql_logins, sys.configurations

CATALOG READ, _SYS_REPO.DELIVERY_UNITS, _SYS_SECURITY._SYS_PASSWORD_BLACKLIST, SYS.GRANTED_PRIVILEGES, SYS.GRANTED_ROLE, SYS.LCM_SOFTWARE_COMPONENTS, SYS.M_DATABASE_HISTORY, SYS.M_INIFILE_CONTENTS, SYS.M_LICENSE, SYS.M_PASSWORD_PASSWORD_POLICY, SYS.USERS

To create the database user you can use the standard database tooling or a SQL scripts. See some examples specifically for creating users for the ABAP stack below).

In the examples below

Please notice the following in the examples below:

  • The placeholders %user% and %password% should be replaced with your own username and password

  • The placeholder %SAPSID% need to be replaced by the SAP Database schema. This depends on the Database used, for Oracle this is typically SAPR3 or SAPSR3 and for MaxDB this is typically SAP%SID% (ABAP) or SAP%SID%DB (JAVA) where %SID% is the SAP System-ID.

  • Where “etc.” is mentioned, proceed executing the same query for other tables shown in the above table overview.

  • If you are connecting a Java system, only 1 table is needed (along with the database specific tables), grant the table for Java Stack instead of the ABAP stack shown in the ABAP examples section.

MaxDB

CREATE USER %user% PASSWORD %password% STANDARD ENABLE CONNECT //
GRANT SELECT ON %SAPSID%.USR40 TO %user% //
GRANT SELECT ON ... (continue granting the tables to the user for your system type ABAP or Java)
etc...

DB2

(The 3rd line is an additional table that is only required for DB2 databases)
CREATE ON THE OPERATING SYSTEM FIRST! Then use SQL:
db2 GRANT CONNECT TO %user%;
db2 GRANT SELECT ON SYSCAT.SCHEMATA TO %user%;
db2 GRANT SELECT ON %SAPSID%.USR40 TO %user%;
db2 GRANT SELECT ON ... (continue granting the tables to the user for your system type ABAP or Java)
etc...

ORACLE

CREATE USER %user% IDENTIFIED BY %password%;
GRANT CONNECT TO %user%;
GRANT SELECT ON %SAPSID%.USR40 TO %user%;
GRANT SELECT ON ... (continue granting the tables to the user for your system type ABAP or Java)
etc...

ASE / Sybase (till 15.70)

(Sybase is also known as Adaptive Server Enterprise (ASE), most queries are the same as ORACLE)

CREATE USER %user% IDENTIFIED BY %password%;
GRANT CONNECT TO %user%;
GRANT SELECT ON %SAPSID%.USR40 TO %user%;
GRANT SELECT ON ... (continue granting the tables to the user for your system type ABAP or Java)
etc...

Sybase version 15.70 and 16.0 onwards

There are some changes in version 16.0 one of them has the impact on the support of legacy query statements. In fact, these changes were introduced since 15.7 but previous statements could still be executed prior version 16. If your Sybase database version is 16 or higher it is possible that you can no longer execute the legacy query statements. The affected part is namely the part to create a user.

Create users with (sapsa or sa, is by default not allowed, use a different user either sapsso / sap_sso or an equivalent user).

isql -S<SID> -U<user> -P<Password> -X
use <SID>
go
sp_addlogin <newUser>,<Password>
go
sp_adduser <newUser>
go

Granting the permissions to tables cannot by executed by sapsso / sap_sso. Use sapsa / sa or an equivalent user in terms of permission.

The query for the granting permission is the same as prior versions. The same query can be used to grant mentioned in the Sybase section.

Note: If you cannot grant select permission to the table <SchemaName>./SSF/DHEAD using quotes due to syntax error, make sure the following database property is switched on: quoted_identifier on

HANA (non-standalone)

/*** RUN AS SYSTEM OWNER:
CREATE USER %user% PASSWORD %password%; (Create the user with password)
ALTER USER %user% DISABLE PASSWORD LIFETIME; (Disable PW change on logon)
GRANT RESTRICTED_USER_ODBC_ACCESS TO %user%; (Provide grant for ODBC access)
GRANT SELECT ON _SYS_SECURITY._SYS_PASSWORD_BLACKLIST TO %user%;
GRANT SELECT ON ... (continue granting the user for Hana specific tables)
etc...

/*** RUN AS SCHEMA OWNER OR SYSTEM OWNER:
GRANT SELECT ON %SCHEMA%.USR40 TO %user%; (Provide grants for individual tables, SELECT only)
GRANT SELECT ON ... (continue granting the tables to the user for your system type ABAP or Java)
etc...

HANA standalone

/*** RUN AS SYSTEM OWNER:
CREATE USER %user% PASSWORD %password%; (Create the user with password)
ALTER USER %user% DISABLE PASSWORD LIFETIME; (Disable PW change on logon)
GRANT RESTRICTED_USER_ODBC_ACCESS TO %user%; (Provide grant for ODBC access)
GRANT CATALOG READ TO %user%;
GRANT SELECT ON _SYS_SECURITY._SYS_PASSWORD_BLACKLIST TO %user%;
GRANT SELECT ON ... (the rest of the Hana specific tables)
etc...

MSSQL (support as of MSSQL 2012)

Run from MSSQL while logged on as <SID>adm:
USE [<DBSID>]
GO
CREATE LOGIN [%user%] WITH PASSWORD='%password%', DEFAULT_DATABASE=[<DBSID>]
GO
CREATE USER test FOR LOGIN %user% 
GO
ALTER USER [%user%] WITH DEFAULT_SCHEMA=[<SAPSID>]
GO
GRANT CONNECT TO [%user%]
GO
EXEC master..sp_addsrvrolemember @loginame = N'%user%', @rolename = N'sysadmin'
GO
GRANT SELECT ON %SAPSID%.USR40 TO %user%
GO
GRANT SELECT ON ... (continue granting the tables to the user for your system type ABAP or Java)
GO
etc...
Previoussatellite system JAVA userNextsatellite system operating system user

Last updated 2 years ago

Was this helpful?

For Sybase releases higher than 15.70 see .

Reference:

In case of problems with the database user, please check Appendix A: .

2219100 - How to set option quoted_identifier for user tables, system tables and sp_help
Database connection
here