satellite system ABAP RFC user using wizard

The ABAP RFC users in the satellite systems may be created by different methods:

  • using a wizard (not suited when Central user Administration is active)

  • manually

  • using the central User Administration (CUA)

    ✔ This method is not possible when Central user Administration is active. If this is the case, please use the CUA in order to create the required users.

Protect4S needs to be able to connect to at least 1 ABAP client. However, in order to have a complete overview ERP-SEC recommends to create ABAP connections to all clients of the satellite system. The best method of doing this is using the wizard labeled “Create a satellite system user” from the launch pad.

The wizard needs a SAP user ID that has the required authorisations to create a user in the satellite system and upload and attach the required security role (typically a super user). After selecting “Create a satellite system user” from the launch pad the following wizard starts:

Create satellite system user wizard


  • the ABAP central instance (or primary application server) name or IP-address

  • the Instance number

  • the business client

  • the name of the administrative user

  • the password of the administrative user

Optionally you may:

  • set the “Trusted system” flag if the super user has trusted system access.

  • Set the SNC active flag and provide the SNC partner if the super user is able to use SNC to logon to the target system.

In both cases, the password does not have to be provided.

After you press the Next button, the available clients will be determined in the satellite system and a second popup appears:

Create a satellite system user for SAP system ID: <SID> (1)

The wizard assumes that the same super user will be used to setup the satellite user for all clients. The password for these user ID must be supplied. Optionally you may use another super user ID or skip a client.

  • ✔ ERP-SEC recommends to connect all clients in order to produce a complete result during vulnerability analysis

Please note that the trusted flag may be selected only if :

  • the user already has been created in the satellite system

  • the user has the required S_RFCACL authorization

  • the trust between the Solution Manager and satellite system already has been configured

Create a satellite system user for SAP system ID: <SID> (2)

When all passwords are provided, press the Next button to continue. In the last screen the actual satellite users can be specified along with their initial passwords. The users will be created as “SYSTEM type” users. Optionally you may change their user names.


  • ✔ The flag “Auto. Update role” adds a second security role to the satellite user that makes it possible to push new roles from the Solution Manager to all users in all satellite systems, for example, following an upgrade or update of Protect4s. When set, this flag adds the role ESEC_SA_SATELLITE_PUSH to the satellite system user. This role has authorisations to alter the satellite system remotely, with certain restrictions. Please review whether this mechanism matches corporate policies and if not, deselect this functionality.”

Confirmation screen for Satellite system user wizard

After supplying the passwords for the satellite users and pressing the button Next, a confirmation screen appears and the satellite users have been created as specified.

For short term assessments also limit the validity period of the created user to the period of the assessment. This can be set on the LOGON DATA tab in SU01.