Comment on page
satellite system database user
Database connections are not mandatory for most systems (apart for Java), but in order to get the most out of Protect4S VM, we recommend to create a database connection using the System connection wizard. For this connection you will need to create a database user in the database of the satellite system.
Also keep in mind that if you connect to a satellite data base type other then the one of the Protect4S system, you might need to install Database libraries for that Database. See Appendix B: Installation database libraries.
✔ If you choose not to create a database connection this implies that some specific database checks might fail with the error message “Unable to process the check by a technical error”.
✔ If the database connection is not available then in some cases a fallback mechanism is used to retrieve database specific information. For example for ABAP systems an RFC is used for MSSQL and MaxDB. For HANA a fallback is implemented via the OS command HDBCLI. This will only work if the SAPControl connection user is the <sid>adm OS user and can access the hdbuserstore.
✔ For Java systems, Database connections are mandatory as many checks rely on this connection type.
In the System connection wizard, a database connection will be created. A user with read-only access (SELECT privilege) is required on the following tables (Depending if you have an ABAP or JAVA stack):
All Database Types
ABAP Schema | All Database Types
JAVA Schema | Additional tables
for MSSQL | Additional tables
for HANA |
DD09L, USRACL, SEC_POLICY_ATTR, SEC_POLICY_RT, EWOSS, SPTH, USR02 (no pw hashes read), TDDAT, RSAUPROF, VSCAN_PROF, AGR_USERS, SRT_CFG_CLI_ASGN, USR40, UST04, PRGN_CUST, SXPGCOSTAB, RFCDES, RFCCBWHITELIST, SXROUTE, TCCSEC, SSF_PSE_H, SSF_PSE_L, ADIRACCESS, TMSPVERS, /SSF/DHEAD, DEVACCESS, ICF_SESSION_CNTL, VSCAN_SERVER, TMSPCONF, UCONCOCKPIT, SLDW_HEADER, USOBAUTHINACTIVE | J2EE_CONFIGENTRY | sys.objects, sys.server_principals, sys.server_role_members, sys.sql_logins, sys.configurations | CATALOG READ, _SYS_REPO.DELIVERY_UNITS, _SYS_SECURITY._SYS_PASSWORD_BLACKLIST, SYS.GRANTED_PRIVILEGES, SYS.GRANTED_ROLE, SYS.LCM_SOFTWARE_COMPONENTS, SYS.M_DATABASE_HISTORY, SYS.M_INIFILE_CONTENTS, SYS.M_LICENSE, SYS.M_PASSWORD_PASSWORD_POLICY, SYS.USERS |
To create the database user you can use the standard database tooling or a SQL scripts. See some examples specifically for creating users for the ABAP stack below).
Please notice the following in the examples below:
- The placeholders %user% and %password% should be replaced with your own username and password
- The placeholder %SAPSID% need to be replaced by the SAP Database schema. This depends on the Database used, for Oracle this is typically SAPR3 or SAPSR3 and for MaxDB this is typically SAP%SID% (ABAP) or SAP%SID%DB (JAVA) where %SID% is the SAP System-ID.
- Where “etc.” is mentioned, proceed executing the same query for other tables shown in the above table overview.
- If you are connecting a Java system, only 1 table is needed (along with the database specific tables), grant the table for Java Stack instead of the ABAP stack shown in the ABAP examples section.
CREATE USER %user% PASSWORD %password% STANDARD ENABLE CONNECT //
GRANT SELECT ON %SAPSID%.USR40 TO %user% //
GRANT SELECT ON ... (continue granting the tables to the user for your system type ABAP or Java)
etc...
(The 3rd line is an additional table that is only required for DB2 databases)
CREATE ON THE OPERATING SYSTEM FIRST! Then use SQL:
db2 GRANT CONNECT TO %user%;
db2 GRANT SELECT ON SYSCAT.SCHEMATA TO %user%;
db2 GRANT SELECT ON %SAPSID%.USR40 TO %user%;
db2 GRANT SELECT ON ... (continue granting the tables to the user for your system type ABAP or Java)
etc...
CREATE USER %user% IDENTIFIED BY %password%;
GRANT CONNECT TO %user%;
GRANT SELECT ON %SAPSID%.USR40 TO %user%;
GRANT SELECT ON ... (continue granting the tables to the user for your system type ABAP or Java)
etc...
(Sybase is also known as Adaptive Server Enterprise (ASE), most queries are the same as ORACLE)
CREATE USER %user% IDENTIFIED BY %password%;
GRANT CONNECT TO %user%;
GRANT SELECT ON %SAPSID%.USR40 TO %user%;
GRANT SELECT ON ... (continue granting the tables to the user for your system type ABAP or Java)
etc...
There are some changes in version 16.0 one of them has the impact on the support of legacy query statements. In fact, these changes were introduced since 15.7 but previous statements could still be executed prior version 16.
If your Sybase database version is 16 or higher it is possible that you can no longer execute the legacy query statements. The affected part is namely the part to create a user.
Create users with (sapsa or sa, is by default not allowed, use a different user either sapsso / sap_sso or an equivalent user).
isql -S<SID> -U<user> -P<Password> -X
use <SID>
go
sp_addlogin <newUser>,<Password>
go
sp_adduser <newUser>
go
Granting the permissions to tables cannot by executed by sapsso / sap_sso. Use sapsa / sa or an equivalent user in terms of permission.
The query for the granting permission is the same as prior versions. The same query can be used to grant mentioned in the Sybase section.
Note: If you cannot grant select permission to the table <SchemaName>./SSF/DHEAD using quotes due to syntax error, make sure the following database property is switched on: quoted_identifier on
/*** RUN AS SYSTEM OWNER:
CREATE USER %user% PASSWORD %password%; (Create the user with password)
ALTER USER %user% DISABLE PASSWORD LIFETIME; (Disable PW change on logon)
GRANT RESTRICTED_USER_ODBC_ACCESS TO %user%; (Provide grant for ODBC access)
GRANT SELECT ON _SYS_SECURITY._SYS_PASSWORD_BLACKLIST TO %user%;
GRANT SELECT ON ... (continue granting the user for Hana specific tables)
etc...
/*** RUN AS SCHEMA OWNER OR SYSTEM OWNER:
GRANT SELECT ON %SCHEMA%.USR40 TO %user%; (Provide grants for individual tables, SELECT only)
GRANT SELECT ON ... (continue granting the tables to the user for your system type ABAP or Java)
etc...
/*** RUN AS SYSTEM OWNER:
CREATE USER %user% PASSWORD %password%; (Create the user with password)
ALTER USER %user% DISABLE PASSWORD LIFETIME; (Disable PW change on logon)
GRANT RESTRICTED_USER_ODBC_ACCESS TO %user%; (Provide grant for ODBC access)
GRANT CATALOG READ TO %user%;
GRANT SELECT ON _SYS_SECURITY._SYS_PASSWORD_BLACKLIST TO %user%;
GRANT SELECT ON ... (the rest of the Hana specific tables)
etc...
Run from MSSQL while logged on as <SID>adm:
USE [<DBSID>]
GO
CREATE LOGIN [%user%] WITH PASSWORD='%password%', DEFAULT_DATABASE=[<DBSID>]
GO
CREATE USER test FOR LOGIN %user%
GO
ALTER USER [%user%] WITH DEFAULT_SCHEMA=[<SAPSID>]
GO
GRANT CONNECT TO [%user%]
GO
EXEC master..sp_addsrvrolemember @loginame = N'%user%', @rolename = N'sysadmin'
GO
GRANT SELECT ON %SAPSID%.USR40 TO %user%
GO
GRANT SELECT ON ... (continue granting the tables to the user for your system type ABAP or Java)
GO
etc...
Last modified 7mo ago