New Scan

This will start a new wizard for the scan. You may create multiple scans inside a single project. Each time you do, the scan wizard is started again.

Scan overview (New Scan)

Scan configuration

In "Scan configuration" you must supply a description and you may optionally select the “Active” and “Save system context” flags:

  • ✔ “Active” means that the scan will be executed whenever the project is started for execution.


  • ✔ The flag “Save System context” means that the complete state of the target system will be recorded for each Scan. When this flag is not selected, it means that it is not possible to inspect the actual state of the target system during the time that the scan was executed. See Appendix F for a detailed description of the system context.

Scan configuration

When done, press next in order to select a target system.

System selection

System selection

In this step, you must select a target system. Press the selector button attached to the right hand side of the System ID field and a secondary list will open for which you may select any target system that was created earlier.

After selection, the system header data and that of the company that owns the system, will show.

System header and Company data

Template selection

In the next step you may either select an existing check template or you may skip this and manually select the checks that will be executed on the target system.

Check template selection

If you select a template in this step, then it will run and execute the check with the default template values. You cannot change a template that has been delivered by ERP-SEC.

  • ✔ Should you want to run all checks on a System, then ERP-SEC recommends to use the check template "All Checks with default value". This ensures that all checks will always be run even after the delivery of new checks via a support package.

Alternatively, you may skip the template selection and manually select the required checks:

Check selection

Check selection (Tree view)

When this list is displayed, it means that the application has determined which check are suited to be executed on the target system. protect4S has made a pre-selection of all available checks from its repository. For instance: no UNIX type Checks will be shown if the target System runs on Windows.

By pressing the button “Adapt check template” it will be possible to select a template and adapt the values that it is checking against.

By selecting the Display type, it is possible to toggle between a “Tree” or a “Group / Subgroup” type overview. The latter overview shows a hierarchical selection possibility in which a subset of checks may be selected:

Check overview (Group / Subgroup view)

For instance: In the picture above the subgroup "ABAP Security Notes" is selected. In the list overview in the bottom of the picture, only this category is shown.

In both views it is possible to select all available checks in one go by using the “Select all” button.

reference values

Some checks will execute a check against a reference value. For instance, the length of a SAP password as specified by SAP parameter login/min_password_lng may be checked and compared with a reference value of 10.

However, if a company security policy dictates that the password length should be 9 characters instead of 10, then it is possible to change the reference value:

Changing a Check reference value

The change can be made by selecting the pencil button in the record that belongs to the check. This will start a popup containing the reference value. This value can be changed and saved. After the change has been made, the check record is shown as:

Check containing a changed reference value

After changing the reference value, it is possible to identify the check because it now shows a change Icon next to it. If you click this indicator, the value will be reset to its standard, best practice value.

After all relevant checks have been selected and all relevant check reference values have been adapted, you may select the button “Back to the Project” and leave the scan wizard:

Back to project

Scan overview after creating the first Scan

Now you may either:

  • Configure a new scan

  • Schedule or start the project directly

Scheduling the Project

The 3rd step in the project configuration is the "Schedule" step.

Schedule a Project

It is possible to schedule a Project for:

  • immediate execution (default)

  • scheduled execution one-time at a later time

  • repeated execution starting immediately

  • repeated execution starting at a later time

By de-selecting the Immediate flag, it becomes possible to schedule the Project to run on a specific date and at a specific time:

Scheduling options

In addition, by selection of the Periodic flag it becomes possible to select a suitable interval for repeated project execution. In order to activate the schedule, press the button " Back to project" and press the Save button. you will see the schedule data in the list:

Saving a Project schedule

The project will be scheduled as a standard SAP Background job called "/ESEC/SAPROJECT<Project number>".

The program that it runs is called: /ESEC/SA_PROJECT_EXECUTOR and the variant contains the number of the Project.