satellite system database user

Database connections are not mandatory, but to get the most out of Protect4S we recommend creating a database connection using the System connection wizard. For this connection you will need to create a database user in the database of the satellite system.

  • If you choose not to create a database connection, some checks will fail with the error message “Unable to process the check by a technical error”.

In the System connection wizard, you must specify a database user that has read-only access (SELECT privilege) on the following tables (depending on whether you have an ABAP or JAVA stack):

  • All Database Types ABAP Schema: AGR_USERS, SRT_CFG_CLI_ASGN, USR40, UST04, PRGN_CUST, SXPGCOSTAB, RFCDES, RFCCBWHITELIST, SXROUTE, TCCSEC, SSF_PSE_H, SSF_PSE_L, ADIRACCESS, TMSPVERS, /SSF/DHEAD, DEVACCESS, ICF_SESSION_CNTL, VSCAN_SERVER, TMSPCONF

  • All Database Types JAVA Schema: J2EE_CONFIGENTRY

  • Additional tables for MSSQL: sys.server_principals, sys.server_role_members, sys.sql_logins, sys.configurations

  • Additional tables for HANA: M_INIFILE_CONTENTS, GRANTED_PRIVILEGES, M_PASSWORD_POLICY, SYS.GRANTED_ROLES, _SYS_PASSWORD_BLACKLIST (in schema _SYS_SECURITY)

To create the database user you can use the standard database tooling or SQL scripts. See the examples below, which are specifically for creating users for the ABAP stack.

In the examples below:

  • the placeholders %user% and %password% should be replaced by a username and a password

  • the placeholder %SAPSID% needs to be replaced by the SAP database schema. This depends on the database used: for Oracle this is typically SAPR3 or SAPSR3, and for MaxDB this is typically SAP%SID% or SAP%SID%DB, where %SID% is the system ID of the SAP system.

MAXDB:

CREATE USER %user% PASSWORD %password% STANDARD ENABLE CONNECT //
GRANT SELECT ON %SAPSID%.USR40 TO %user% //
GRANT SELECT ON %SAPSID%.PRGN_CUST TO %user% //
GRANT SELECT ON %SAPSID%.UST04 TO %user% //
GRANT SELECT ON %SAPSID%.SXPGCOSTAB TO %user% //
GRANT SELECT ON %SAPSID%.RFCDES TO %user% //
GRANT SELECT ON %SAPSID%.RFCCBWHITELIST TO %user% //
GRANT SELECT ON %SAPSID%.SXROUTE TO %user% //
GRANT SELECT ON %SAPSID%.TCCSEC TO %user% //
GRANT SELECT ON %SAPSID%.SSF_PSE_H TO %user% //
GRANT SELECT ON %SAPSID%.SSF_PSE_L TO %user% //
GRANT SELECT ON %SAPSID%.ADIRACCESS TO %user% //
GRANT SELECT ON %SAPSID%.TMSPVERS TO %user% //
GRANT SELECT ON %SAPSID%."/SSF/DHEAD" TO %user% //
GRANT SELECT ON %SAPSID%.ICF_SESSION_CNTL TO %user% //
GRANT SELECT ON %SAPSID%.DEVACCESS TO %user% //
GRANT SELECT ON %SAPSID%.VSCAN_SERVER TO %user% //
GRANT SELECT ON %SAPSID%.TMSPCONF TO %user% //
GRANT SELECT ON %SAPSID%.AGR_USERS TO %user% //
GRANT SELECT ON %SAPSID%.SRT_CFG_CLI_ASGN TO %user% //

ORACLE / DB2 / SYBASE:

CREATE USER %user% IDENTIFIED BY %password%;
GRANT CONNECT TO %user%;
GRANT SELECT ON %SAPSID%.USR40 TO %user%;
GRANT SELECT ON %SAPSID%.PRGN_CUST TO %user%;
GRANT SELECT ON %SAPSID%.UST04 TO %user%;
GRANT SELECT ON %SAPSID%.SXPGCOSTAB TO %user%;
GRANT SELECT ON %SAPSID%.ICFSERVLOC TO %user%;
GRANT SELECT ON %SAPSID%.RFCDES TO %user%;
GRANT SELECT ON %SAPSID%.RFCCBWHITELIST TO %user%;
GRANT SELECT ON %SAPSID%.SXROUTE TO %user%;
GRANT SELECT ON %SAPSID%.TCCSEC TO %user%;
GRANT SELECT ON %SAPSID%.SSF_PSE_H TO %user%;
GRANT SELECT ON %SAPSID%.SSF_PSE_L TO %user%;
GRANT SELECT ON %SAPSID%.ADIRACCESS TO %user%;
GRANT SELECT ON %SAPSID%.TMSPVERS TO %user%;
GRANT SELECT ON %SAPSID%."/SSF/DHEAD" TO %user%;
GRANT SELECT ON %SAPSID%.ICF_SESSION_CNTL TO %user%;
GRANT SELECT ON %SAPSID%.DEVACCESS TO %user%;
GRANT SELECT ON %SAPSID%.VSCAN_SERVER TO %user%;
GRANT SELECT ON %SAPSID%.TMSPCONF TO %user%;
GRANT SELECT ON %SAPSID%.AGR_USERS TO %user%;
GRANT SELECT ON %SAPSID%.SRT_CFG_CLI_ASGN TO %user%;
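
Once the user exists, its privileges can be compared against the grants above to confirm it is read-only and limited to these tables. The query below is an added example, not part of the Protect4S documentation; it applies to Oracle only, relies on Oracle's DBA_TAB_PRIVS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS dictionary views, and assumes %user% and %SAPSID% are substituted in upper case.

```sql
-- Added example (Oracle only). Run as a user who can read the DBA_* views.
-- %user% and %SAPSID% are the page's placeholders; substitute them in upper
-- case, because Oracle stores unquoted identifiers in upper case.
WITH expected AS (
  -- Tables granted by the ORACLE script above
  SELECT column_value AS table_name
  FROM   TABLE(sys.odcivarchar2list(
           'USR40', 'PRGN_CUST', 'UST04', 'SXPGCOSTAB', 'ICFSERVLOC',
           'RFCDES', 'RFCCBWHITELIST', 'SXROUTE', 'TCCSEC', 'SSF_PSE_H',
           'SSF_PSE_L', 'ADIRACCESS', 'TMSPVERS', '/SSF/DHEAD',
           'ICF_SESSION_CNTL', 'DEVACCESS', 'VSCAN_SERVER', 'TMSPCONF',
           'AGR_USERS', 'SRT_CFG_CLI_ASGN'))
),
granted AS (
  -- Object privileges granted directly to the scan user
  SELECT owner, table_name, privilege, grantable
  FROM   dba_tab_privs
  WHERE  grantee = '%user%'
)
-- Anything other than a non-grantable SELECT on an expected table
SELECT 'UNEXPECTED OBJECT PRIVILEGE' AS finding,
       g.owner || '.' || g.table_name || ' ' || g.privilege AS detail
FROM   granted g
WHERE  NOT (    g.privilege = 'SELECT'
            AND g.grantable = 'NO'
            AND g.owner     = '%SAPSID%'
            AND g.table_name IN (SELECT table_name FROM expected))
UNION ALL
-- Expected tables the user cannot read yet
SELECT 'MISSING SELECT GRANT', e.table_name
FROM   expected e
WHERE  NOT EXISTS (SELECT 1
                   FROM   granted g
                   WHERE  g.owner      = '%SAPSID%'
                   AND    g.table_name = e.table_name
                   AND    g.privilege  = 'SELECT')
UNION ALL
-- Directly granted system privileges (the script grants none)
SELECT 'SYSTEM PRIVILEGE', privilege
FROM   dba_sys_privs
WHERE  grantee = '%user%'
UNION ALL
-- Roles other than CONNECT, which the script grants
SELECT 'EXTRA ROLE', granted_role
FROM   dba_role_privs
WHERE  grantee = '%user%'
AND    granted_role <> 'CONNECT';
```

Each returned row is a deviation from the grants above. Privileges the user inherits through PUBLIC or through the CONNECT role itself are not listed by this query.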

HANA:

-- RUN AS SCHEMA OWNER USER:
CREATE USER %user% PASSWORD %password%; -- Create the user with password
ALTER USER %user% DISABLE PASSWORD LIFETIME; -- Disable PW change on logon
GRANT RESTRICTED_USER_ODBC_ACCESS TO %user%; -- Provide grant for ODBC access
GRANT SELECT ON USR40 TO %user%; -- Provide grants for individual tables, SELECT only
GRANT SELECT ON PRGN_CUST TO %user%;
GRANT SELECT ON UST04 TO %user%;
GRANT SELECT ON SXPGCOSTAB TO %user%;
GRANT SELECT ON ICFSERVLOC TO %user%;
GRANT SELECT ON RFCDES TO %user%;
GRANT SELECT ON RFCCBWHITELIST TO %user%;
GRANT SELECT ON SXROUTE TO %user%;
GRANT SELECT ON TCCSEC TO %user%;
GRANT SELECT ON SSF_PSE_H TO %user%;
GRANT SELECT ON SSF_PSE_L TO %user%;
GRANT SELECT ON ADIRACCESS TO %user%;
GRANT SELECT ON TMSPVERS TO %user%;
GRANT SELECT ON "/SSF/DHEAD" TO %user%;
GRANT SELECT ON ICF_SESSION_CNTL TO %user%;
GRANT SELECT ON DEVACCESS TO %user%;
GRANT SELECT ON VSCAN_SERVER TO %user%;
GRANT SELECT ON TMSPCONF TO %user%;
GRANT SELECT ON M_INIFILE_CONTENTS TO %user%;
GRANT SELECT ON GRANTED_PRIVILEGES TO %user%;
GRANT SELECT ON M_PASSWORD_POLICY TO %user%;
GRANT SELECT ON SYS.GRANTED_ROLES TO %user%;
GRANT SELECT ON AGR_USERS TO %user%;
GRANT SELECT ON SRT_CFG_CLI_ASGN TO %user%;
-- RUN AS SYSTEM OWNER:
GRANT SELECT ON _SYS_SECURITY._SYS_PASSWORD_BLACKLIST TO %user%;

MSSQL:

Use the MSSQL Database studio to create a user with read-only (SELECT) privileges on the above-mentioned SAP schema tables.

In case of problems with the database user, please check Appendix A: Database connection.