satellite system operating system user

Protect4S can check conditions on the operating system platform layer using the SOAP interface of SAPControl. In order to authenticate, a valid operating system user/password combination for the satellite system must be provided to the System connection wizard.

Basically there are 2 types of operating system users:

Low privilege OS Users

For most checks a standard operating system user suffices, as the SAPControl framework only needs a valid OS authentication (on both Windows and Linux/Unix systems a user with no specific roles assigned is sufficient).

  • If you choose not to use the <SID>ADM user but a low-privileged account, some checks will fail with the error message “Unable to process the check by a technical error”.

High privilege OS users

Some operating system checks rely on the SAPControl OSExecute function, which can only be executed by the <sid>adm user (the standard SAP system owner).

If this is allowed by your specific security policy, ERP-SEC recommends supplying the <sid>adm user/password combination for the SAPControl connection when running the System connection wizard. In practice this means that this combination will be stored in the SAP secure store of the SAP Solution Manager (as are all other Protect4S users).

In case of any problems with this user, please check Appendix A: SAPControl connections.

Secure Store in Solution manager

Should you decide to use the <sid>adm passwords of the satellite systems, please first check whether the SAP Secure store of the SAP Solution Manager is properly protected. The Secure store key phrase should not be set to the default key. This can be checked using SAP transaction SECSTORE:

Transaction SECSTORE default Key warning

In this case, consider implementation of the following SAP OSS Notes:

1902258 - Secure Storage in the Database Key File Tool

1902611 - Potential information disclosure relating to BC-SEC