The ABAP RFC users in the satellite systems may be created by different methods:

• using a wizard. This method is not possible when Central User Administration (CUA) is active. If this is the case, please use the CUA in order to create the required users

• manually

• using the Central User Administration

Protect4S VM needs to be able to connect to at least 1 ABAP client. However, in order to have a complete overview it is recommended to create ABAP connections to all clients of the satellite system. The best method of achieving this is using the wizard labeled “Create a satellite system user” from the launch pad.

The wizard needs an existing SAP super user ID that has the required authorizations to create a user in the satellite system and upload and attach the required security role. After selecting “Create a satellite system user” from the launch pad the following wizard starts:

Supply:

• the ABAP central instance (or primary application server) name or IP-address

• the Instance number

• the productive client

• the name of the SAP administrative user

• the password of the SAP administrative user

Optionally you may:

• set the “Trusted system” flag if the super user has trusted system access.

• Set the SNC active flag and provide the SNC partner if the super user is able to use SNC to logon to the target system.

After you press the Next button, the available clients will be determined in the satellite system and the second step of the wizard appears:

The wizard assumes that the same super user will be used to setup the satellite user for all clients. The password for these user ID must be supplied. Optionally you may use another super user ID or skip a client.

• ✔ It is recommended to connect all clients in order to produce a complete result during vulnerability analysis

Please note that the trusted flag may be selected only if:

• the user already has been created in the satellite system

• the user has the required S_RFCACL authorization

• the trust between the Prtect4S system and satellite system already has been configured

When all passwords are provided, press the Next button to continue. In the last screen the actual satellite users can be specified along with their initial passwords. The users will be created as “SYSTEM type” users. Optionally you may change their user names.

IMPORTANT:

• ✔ The flag “Auto. Update role” adds a security role to the satellite user that makes it possible to push new roles from the Protect4S system to all users in all satellite systems, for example, following an upgrade or update of Protect4S VM. When set, this flag adds the role ESEC_SA_SATELLITE_PUSH to the satellite system user. This role has authorizations to alter the satellite system remotely, with certain restrictions. Please review whether this mechanism matches corporate policies and if not, deselect this functionality.”

• ✔ The flag "Allow mitigation" adds a security role /ESEC/SA_MITIGATOR to the satellite user that is used in Development systems to download and apply missing security notes. For the mitigation of OSS Notes, a "SERVICE" type user is required and will be created when this flag is set.

After supplying the passwords for the satellite users and pressing the button Next, a confirmation screen appears and the satellite users have been created as specified.

For short term assessments also limit the validity period of the created user to the period of the assessment. This can be set on the LOGON DATA tab in SU01.