satellite system database user
Database connections are not mandatory for most systems (apart for Java), but in order to get the most out of Protect4S VM, we recommend to create a database connection using the System connection wizard. For this connection you will need to create a database user in the database of the satellite system.
Also keep in mind that if you connect to a satellite data base type other then the one of the Protect4S system, you might need to install Database libraries for that Database. See Appendix B: Installation database libraries.
✔ If you choose not to create a database connection this implies that some specific database checks might fail with the error message “Unable to process the check by a technical error”.
✔ If the database connection is not available then in some cases a fallback mechanism is used to retrieve database specific information. For example for ABAP systems an RFC is used for MSSQL and MaxDB. For HANA a fallback is implemented via the OS command HDBCLI. This will only work if the SAPControl connection user is the <sid>adm OS user and can access the hdbuserstore.
✔ For Java systems, Database connections are mandatory as many checks rely on this connection type.
In the System connection wizard, a database connection will be created. A user with read-only access (SELECT privilege) is required on the following tables (Depending if you have an ABAP or JAVA stack):
All Database Types ABAP Schema
All Database Types JAVA Schema
Additional tables for MSSQL
Additional tables for HANA
DD09L, USRACL, SEC_POLICY_ATTR, SEC_POLICY_RT, EWOSS, SPTH, USR02 (no pw hashes read), TDDAT, RSAUPROF, VSCAN_PROF, AGR_USERS, SRT_CFG_CLI_ASGN, USR40, UST04, PRGN_CUST, SXPGCOSTAB, RFCDES, RFCCBWHITELIST, SXROUTE, TCCSEC, SSF_PSE_H, SSF_PSE_L, ADIRACCESS, TMSPVERS, /SSF/DHEAD, DEVACCESS, ICF_SESSION_CNTL, VSCAN_SERVER, TMSPCONF, UCONCOCKPIT, SLDW_HEADER, USOBAUTHINACTIVE
J2EE_CONFIGENTRY
sys.objects, sys.server_principals, sys.server_role_members, sys.sql_logins, sys.configurations
CATALOG READ, _SYS_REPO.DELIVERY_UNITS, _SYS_SECURITY.
_
SYS_PASSWORD_BLACKLIST, SYS.GRANTED_PRIVILEGES, SYS.GRANTED_ROLE, SYS.LCM_SOFTWARE_COMPONENTS, SYS.M_DATABASE_HISTORY, SYS.M_INIFILE_CONTENTS, SYS.M_LICENSE, SYS.M_PASSWORD_PASSWORD_POLICY, SYS.USERS
To create the database user you can use the standard database tooling or a SQL scripts. See some examples specifically for creating users for the ABAP stack below).
In the examples below
Please notice the following in the examples below:
The placeholders %user% and %password% should be replaced with your own username and password
The placeholder %SAPSID% need to be replaced by the SAP Database schema. This depends on the Database used, for Oracle this is typically SAPR3 or SAPSR3 and for MaxDB this is typically SAP%SID% (ABAP) or SAP%SID%DB (JAVA) where %SID% is the SAP System-ID.
Where “etc.” is mentioned, proceed executing the same query for other tables shown in the above table overview.
If you are connecting a Java system, only 1 table is needed (along with the database specific tables), grant the table for Java Stack instead of the ABAP stack shown in the ABAP examples section.
MaxDB
DB2
ORACLE
For Sybase releases higher than 15.70 see here.
ASE / Sybase (till 15.70)
(Sybase is also known as Adaptive Server Enterprise (ASE), most queries are the same as ORACLE)
Sybase version 15.70 and 16.0 onwards
There are some changes in version 16.0 one of them has the impact on the support of legacy query statements. In fact, these changes were introduced since 15.7 but previous statements could still be executed prior version 16. If your Sybase database version is 16 or higher it is possible that you can no longer execute the legacy query statements. The affected part is namely the part to create a user.
Create users with (sapsa or sa, is by default not allowed, use a different user either sapsso / sap_sso or an equivalent user).
Granting the permissions to tables cannot by executed by sapsso / sap_sso. Use sapsa / sa or an equivalent user in terms of permission.
The query for the granting permission is the same as prior versions. The same query can be used to grant mentioned in the Sybase section.
Note: If you cannot grant select permission to the table <SchemaName>./SSF/DHEAD using quotes due to syntax error, make sure the following database property is switched on: quoted_identifier on
Reference: 2219100 - How to set option quoted_identifier for user tables, system tables and sp_help
HANA (non-standalone)
HANA standalone
MSSQL (support as of MSSQL 2012)
In case of problems with the database user, please check Appendix A: Database connection.
Last updated