A dedicated SAP User must be created (type System or Service) in all applicable clients of the satellite system and provided with the role ESEC_SA_SATELLITE_V0XX.SAP that is delivered as part of the installation. This role only grants the rights to execute the security checks but not to change data. The role must be downloaded from the Solution Manager using transaction PFCG and uploaded in the satellite system.
ERP-SEC recommends to create the SAP RFC users as type "System". This prevents misuse of this user via the SAPGui. For short term assessments also limit the validity period of the user to the period of the assessment. This can be set on the LOGON DATA tab.
Make sure that both the background user in the SAP Solution Manager and the Protect4S RFC users in the satellite systems have the same date-format settings so that date and time calculations are executed correctly.
This must be configured using transaction SU01 on the DEFAULTS tab and set as displayed in the figure below:
Date and Time settings