Deploy SAP Change Requests and configure authorization

This article shows you how to deploy SAP Change Requests (CRs), which prepare the environment for the installation of the SAP agent, so that it can properly connect to your SAP systems.

Important

  • This article presents a step-by-step guide to deploying the relevant CRs. It's recommended for SOC engineers or implementers who may not necessarily be SAP experts.
  • Experienced SAP administrators that are familiar with the CR deployment process may prefer to get the appropriate CRs directly from the SAP environment validation steps section of the guide and deploy them. Note that the NPLK900271 CR deploys a sample role, and the administrator may prefer to manually define the role according to the information in the Required ABAP authorizations section below.

Required and optional CRs

This article discusses the installation of the following CRs:

CR                         Required/optional   Description
NPLK900271                 Required            Creates and configures a role. Alternatively, you can load the authorizations directly from a file. Review how to create and configure a role.
NPLK900201 or NPLK900202   Optional            Retrieves additional information from SAP. Select one of these CRs according to your SAP version.

Prerequisites

  1. Before you begin the deployment, make sure you have copied the SAP system version, System ID (SID), system number, client number, IP address, and administrative username and password. The example in this article assumes the following details:

    • SAP system version: SAP ABAP Platform 1909 Developer edition
    • SID: A4H
    • System number: 00
    • Client number: 001
    • IP address: 192.168.136.4
    • Administrator user: a4hadm. Note, however, that the SSH connection to the SAP system is established with root user credentials.
  2. Review the SAP environment validation steps to determine which CRs to install.

  3. If you installed the NPLK900202 optional CR used to retrieve additional information, make sure you've installed the relevant SAP note.

Deployment milestones

Track your SAP solution deployment journey through this series of articles:

  1. Deployment overview

  2. Deployment prerequisites

  3. Prepare SAP environment (You are here)

  4. Deploy data connector agent

  5. Deploy SAP security content

  6. Configure Microsoft Sentinel Solution for SAP

  7. Optional deployment steps

To deploy the CRs, follow the steps below. The steps may differ according to the version of your SAP system and are provided for demonstration purposes only.

Deploy CRs

Note

It is strongly recommended that the deployment of SAP CRs be carried out by an experienced SAP system administrator.

Set up the files

  1. Sign in to the SAP system using SSH.

  2. Transfer the CR files to the SAP system. Learn more about the CRs in this step.

    Alternatively, you can download the files directly onto the SAP system from the SSH prompt. Use the following commands:

    • Download NPLK900271 (required)

      wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/K900271.NPL
      wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/R900271.NPL
      

      Alternatively, you can load these authorizations directly from a file.

    • Download NPLK900202 (optional)

      wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/K900202.NPL
      wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/R900202.NPL
      
    • Download NPLK900201 (optional)

      wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/K900201.NPL
      wget https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SAP/CR/R900201.NPL
      

    Note that each CR consists of two files, one beginning with K and one with R.

  3. Change the ownership of the files to user <sid>adm and group sapsys. (Substitute your SAP system ID for <sid>.)

    chown <sid>adm:sapsys *.NPL
    

    In our example:

    chown a4hadm:sapsys *.NPL
    
  4. Copy the cofiles (those beginning with K) to the /usr/sap/trans/cofiles folder. Preserve the permissions while copying, using the cp command with the -p switch.

    cp -p K*.NPL /usr/sap/trans/cofiles/
    
  5. Copy the data files (those beginning with R) to the /usr/sap/trans/data folder. Preserve the permissions while copying, using the cp command with the -p switch.

    cp -p R*.NPL /usr/sap/trans/data/
    
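The file-staging steps above, gathered into one script as an added example (this is not code from the Microsoft Sentinel documentation or the Azure-Sentinel repository). It assumes the *.NPL files have already been downloaded into a source directory and that the transport root is passed as an argument (/usr/sap/trans on a real host), and it adds the check the steps imply but never state: every CR must be present as a matching K and R file pair before anything is copied, otherwise the import queue cannot resolve the request. The function names check_cr_pairs and stage_cr_files are my own; the ownership change is skipped with a warning when the <sid>adm user does not exist on the machine, so the script can be exercised outside an SAP host.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Stage SAP CR files into the transport directory, mirroring the manual steps:
#   1. verify every K<num>.NPL has an R<num>.NPL counterpart (and vice versa)
#   2. chown the files to <sid>adm:sapsys
#   3. cp -p cofiles (K*) to <trans>/cofiles and data files (R*) to <trans>/data

# check_cr_pairs DIR
# Returns 0 when every cofile/data file pair is complete, 1 otherwise.
# Orphaned files are reported on stderr so the operator knows what is missing.
check_cr_pairs() {
    dir=$1
    status=0
    for f in "$dir"/K*.NPL "$dir"/R*.NPL; do
        [ -e "$f" ] || continue            # unmatched glob, nothing to check
        base=$(basename "$f")
        num=${base#?}                      # strip the leading K or R
        case $base in
            K*) mate="$dir/R$num" ;;
            R*) mate="$dir/K$num" ;;
        esac
        if [ ! -e "$mate" ]; then
            echo "missing counterpart for $base (expected $(basename "$mate"))" >&2
            status=1
        fi
    done
    return $status
}

# stage_cr_files SRC_DIR TRANS_DIR SID
# SRC_DIR: directory holding the downloaded *.NPL files
# TRANS_DIR: transport root, /usr/sap/trans on a real SAP host (hypothetical argument)
# SID: SAP system ID, e.g. A4H; the admin user is derived as a4hadm
stage_cr_files() {
    src=$1; trans=$2; sid=$3
    check_cr_pairs "$src" || return 1

    # Refuse to continue when there is nothing to stage at all.
    set -- "$src"/K*.NPL
    if [ ! -e "$1" ]; then
        echo "no K*.NPL files found in $src" >&2
        return 1
    fi

    sidadm=$(printf '%s' "$sid" | tr 'A-Z' 'a-z')adm
    if id "$sidadm" >/dev/null 2>&1; then
        chown "$sidadm:sapsys" "$src"/*.NPL
    else
        echo "warning: user $sidadm not found, skipping chown (run on the SAP host as root)" >&2
    fi

    mkdir -p "$trans/cofiles" "$trans/data"
    cp -p "$src"/K*.NPL "$trans/cofiles/"   # cofiles
    cp -p "$src"/R*.NPL "$trans/data/"      # data files
}

# Demonstration on constructed, empty placeholder files (not real CR content).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src"
    : > "$work/src/K900271.NPL"
    : > "$work/src/R900271.NPL"
    stage_cr_files "$work/src" "$work/trans" A4H
    ls -l "$work/trans/cofiles" "$work/trans/data"
    rm -rf "$work"
}
```

Run it as root on the SAP host with the real paths, for example `stage_cr_files /root/cr /usr/sap/trans A4H`; the pairing check is the part worth keeping even if you prefer to type the chown and cp commands by hand.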

Import the CRs

  1. Launch the SAP Logon application and sign in to the SAP GUI console.

  2. Run the STMS_IMPORT transaction:

    In the SAP Easy Access screen, type STMS_IMPORT in the field in the upper left corner of the screen and press the Enter key.

    Screenshot of running the STMS_IMPORT transaction.

    Caution

    If an error occurs at this step, then you need to configure the SAP transport management system before proceeding any further. See this article for instructions.

  3. In the Import Queue window that appears, select More > Extras > Other Requests > Add.

    Screenshot of adding an import queue.

  4. In the Add Transport Requests to Import Queue pop-up that appears, select the Transp. Request field.

  5. The Transport requests window appears and displays a list of CRs available to deploy. Select a CR, then select the green checkmark button.

  6. Back in the Add Transport Request to Import Queue window, select Continue (the green checkmark) or press the Enter key.

  7. In the Add Transport Request confirmation dialog, select Yes.

  8. If you plan to deploy more CRs, repeat the procedure in the preceding 5 steps for the remaining CRs.

  9. In the Import Queue window, select the relevant Transport Request once, and then press F9 or select the Select/Deselect Request icon.

  10. If you have remaining Transport Requests to add to the deployment, repeat step 9.

  11. Select the Import Requests icon:

    Screenshot of importing all requests.

  12. In Start Import window, select the Target Client field.

  13. The Input Help dialog appears. Select the number of the client to deploy the CRs to (001 in our example), then select the green checkmark to confirm.

  14. Back in the Start Import window, select the Options tab, mark the Ignore Invalid Component Version checkbox, and select the green checkmark to confirm.

    Screenshot of the start import window.

  15. In the Start import confirmation dialog, select Yes to confirm the import.

  16. Back in the Import Queue window, select Refresh and wait until the import operation completes and the import queue is empty.

  17. To review the import status, in the Import Queue window select More > Go To > Import History.

    Screenshot of import history.

  18. If you deployed the NPLK900202 CR, it is expected to display a Warning. Select the entry to verify that the warnings displayed are of type "Table <tablename> was activated."

    The CRs and versions in the screenshots below may change according to your installed CR version.

    Screenshot of import status display.

    Screenshot of import warning message display.

Configure Sentinel role

After the NPLK900271 CR is deployed, a /MSFTSEN/SENTINEL_CONNECTOR role is created in SAP. If the role is created manually, it may bear a different name.

In the examples shown here, we will use the role name /MSFTSEN/SENTINEL_CONNECTOR.

The next step is to generate an active role profile for Microsoft Sentinel to use.

  1. Run the PFCG transaction:

    In the SAP Easy Access screen, type PFCG in the field in the upper left corner of the screen and press the Enter key.

  2. In the Role Maintenance window, type the role name /MSFTSEN/SENTINEL_CONNECTOR in the Role field and select the Change button (the pencil).

    Screenshot of choosing a role to change.

  3. In the Change Roles window that appears, select the Authorizations tab.

  4. In the Authorizations tab, select Change Authorization Data.

    Screenshot of changing authorization data.

  5. In the Information popup, read the message and select the green checkmark to confirm.

  6. In the Change Role: Authorizations window, select Generate.

    Screenshot of generating authorizations.

    Verify that the Status field has changed from Unchanged to Generated.

  7. Select Back (to the left of the SAP logo at the top of the screen).

  8. Back in the Change Roles window, verify that the Authorizations tab displays a green box, then select Save.

    Screenshot of saving changed role.

Create a user

The Microsoft Sentinel Solution for SAP requires a user account to connect to your SAP system. Use the following instructions to create a user account and assign it to the role that you created in the previous step.

In the examples shown here, we will use the role name /MSFTSEN/SENTINEL_CONNECTOR.

  1. Run the SU01 transaction:

    In the SAP Easy Access screen, type SU01 in the field in the upper left corner of the screen and press the Enter key.

  2. In the User Maintenance: Initial Screen screen, type in the name of the new user in the User field and select Create Technical User from the button bar.

  3. In the Maintain Users screen, select System from the User Type drop-down list. Create and enter a complex password in the New Password and Repeat Password fields, then select the Roles tab.

  4. In the Roles tab, in the Role Assignments section, enter the full name of the role - /MSFTSEN/SENTINEL_CONNECTOR in our example - and press Enter.

    After pressing Enter, verify that the right-hand side of the Role Assignments section populates with data, such as Change Start Date.

  5. Select the Profiles tab, verify that a profile for the role appears under Assigned Authorization Profiles, and select Save.

Required ABAP authorizations

The following table lists the ABAP authorizations required to ensure that SAP logs can be correctly retrieved by the account used by Microsoft Sentinel's SAP data connector.

The required authorizations are listed here by log type. Only the authorizations listed for the types of logs you plan to ingest into Microsoft Sentinel are required.

Tip

To create a role with all the required authorizations, deploy the SAP NPLK900271 CR on the SAP system, or load the role authorizations from the MSFTSEN_SENTINEL_CONNECTOR_ROLE_V0.0.27.SAP file. This CR creates the /MSFTSEN/SENTINEL_CONNECTOR role that has all the necessary permissions for the data connector to operate. Alternatively, you can create a role that has minimal permissions by deploying the NPLK900268 CR, or loading the role authorizations from the MSFTSEN_SENTINEL_AGENT_BASIC_ROLE_V0.0.1.SAP file. This CR or authorizations file creates the /MSFTSEN/SENTINEL_AGENT_BASIC role. This role has the minimal required permissions for the data connector to operate. Note that if you choose to deploy this role, you might need to update it frequently.

Authorization Object   Field         Value
---------------------  ------------  --------------------------------------------------

All logs
S_RFC                  RFC_TYPE      Function Module
S_RFC                  RFC_NAME      /OSP/SYSTEM_TIMEZONE
S_RFC                  RFC_NAME      DDIF_FIELDINFO_GET
S_RFC                  RFC_NAME      RFCPING
S_RFC                  RFC_NAME      RFC_GET_FUNCTION_INTERFACE
S_RFC                  RFC_NAME      RFC_READ_TABLE
S_RFC                  RFC_NAME      RFC_SYSTEM_INFO
S_RFC                  RFC_NAME      SUSR_USER_AUTH_FOR_OBJ_GET
S_RFC                  RFC_NAME      TH_SERVER_LIST
S_RFC                  ACTVT         Execute
S_TCODE                TCD           SM51
S_TABU_NAM             ACTVT         Display
S_TABU_NAM             TABLE         T000

Optional - Only if Sentinel solution CR implemented
S_RFC                  RFC_NAME      /MSFTSEN/*

ABAP Application Log
S_RFC                  RFC_NAME      BAPI_XBP_APPL_LOG_CONTENT_GET
S_RFC                  RFC_NAME      BAPI_XMI_LOGOFF
S_RFC                  RFC_NAME      BAPI_XMI_LOGON
S_RFC                  RFC_NAME      BAPI_XMI_SET_AUDITLEVEL
S_TABU_NAM             TABLE         BALHDR
S_XMI_PROD             EXTCOMPANY    Microsoft
S_XMI_PROD             EXTPRODUCT    Azure Sentinel
S_XMI_PROD             INTERFACE     XBP
S_APPL_LOG             ALG_OBJECT    *
S_APPL_LOG             ALG_SUBOBJ    *
S_APPL_LOG             ACTVT         Display

ABAP Change Documents Log
S_TABU_NAM             TABLE         CDHDR
S_TABU_NAM             TABLE         CDPOS

ABAP CR Log
S_RFC                  RFC_NAME      CTS_API_READ_CHANGE_REQUEST
S_TABU_NAM             TABLE         E070
S_TRANSPRT             TTYPE         *
S_TRANSPRT             ACTVT         Display

ABAP DB Table Data Log
S_TABU_NAM             TABLE         DBTABLOG
S_TABU_NAM             TABLE         SACF_ALERT
S_TABU_NAM             TABLE         SOUD
S_TABU_NAM             TABLE         USR41
S_TABU_NAM             TABLE         TMSQAFILTER

ABAP Job Log
S_RFC                  RFC_NAME      BAPI_XBP_JOB_JOBLOG_READ
S_RFC                  RFC_NAME      BAPI_XMI_LOGOFF
S_RFC                  RFC_NAME      BAPI_XMI_LOGON
S_RFC                  RFC_NAME      BAPI_XMI_SET_AUDITLEVEL
S_TABU_NAM             TABLE         TBTCO
S_XMI_PROD             EXTCOMPANY    Microsoft
S_XMI_PROD             EXTPRODUCT    Azure Sentinel
S_XMI_PROD             INTERFACE     XBP

ABAP Spool Logs
S_TABU_NAM             TABLE         TSP01
S_ADMI_FCD             S_ADMI_FCD    SPOS (Use of Transaction SP01 (all systems))

ABAP Workflow Log
S_TABU_NAM             TABLE         SWWLOGHIST
S_TABU_NAM             TABLE         SWWWIHEAD

ABAP Security Audit Log
S_RFC                  RFC_NAME      BAPI_USER_GET_DETAIL
S_RFC                  RFC_NAME      BAPI_XMI_LOGOFF
S_RFC                  RFC_NAME      BAPI_XMI_LOGON
S_RFC                  RFC_NAME      BAPI_XMI_SET_AUDITLEVEL
S_RFC                  RFC_NAME      BAPI_SYSTEM_MTE_GETMLHIS
S_RFC                  RFC_NAME      BAPI_SYSTEM_MTE_GETTREE
S_RFC                  RFC_NAME      BAPI_SYSTEM_MTE_GETTIDBYNAME
S_RFC                  RFC_NAME      BAPI_SYSTEM_MS_GETLIST
S_RFC                  RFC_NAME      BAPI_SYSTEM_MON_GETLIST
S_RFC                  RFC_NAME      BAPI_SYSTEM_MON_GETTREE
S_RFC                  RFC_NAME      BAPI_SYSTEM_MTE_GETPERFCURVAL
S_RFC                  RFC_NAME      BAPI_SYSTEM_MT_GETALERTDATA
S_RFC                  RFC_NAME      BAPI_SYSTEM_ALERT_ACKNOWLEDGE
S_ADMI_FCD             S_ADMI_FCD    AUDD (Basis audit display auth.)
S_SAL                  SAL_ACTVT     SHOW_LOG (Evaluate the file-based log)
S_USER_GRP             CLASS         SUPER
S_USER_GRP             ACTVT         Display
S_USER_GRP             CLASS         SUPER
S_USER_GRP             ACTVT         Lock
S_XMI_PROD             EXTCOMPANY    Microsoft
S_XMI_PROD             EXTPRODUCT    Azure Sentinel
S_XMI_PROD             INTERFACE     XAL

User Data
S_TABU_NAM             TABLE         ADCP
S_TABU_NAM             TABLE         ADR6
S_TABU_NAM             TABLE         AGR_1251
S_TABU_NAM             TABLE         AGR_AGRS
S_TABU_NAM             TABLE         AGR_DEFINE
S_TABU_NAM             TABLE         AGR_FLAGS
S_TABU_NAM             TABLE         AGR_PROF
S_TABU_NAM             TABLE         AGR_TCODES
S_TABU_NAM             TABLE         AGR_USERS
S_TABU_NAM             TABLE         DEVACCESS
S_TABU_NAM             TABLE         USER_ADDR
S_TABU_NAM             TABLE         USGRP_USER
S_TABU_NAM             TABLE         USR01
S_TABU_NAM             TABLE         USR02
S_TABU_NAM             TABLE         USR05
S_TABU_NAM             TABLE         USR21
S_TABU_NAM             TABLE         USRSTAMP
S_TABU_NAM             TABLE         UST04

Configuration History
S_TABU_NAM             TABLE         PAHI

SNC Data
S_TABU_NAM             TABLE         SNCSYSACL
S_TABU_NAM             TABLE         USRACL

Remove the user role and the optional CR installed on your ABAP system

To remove the user role and optional CR imported to your system, import the deletion CR NPLK900259 into your ABAP system.

Next steps

You have now fully prepared your SAP environment. The required CRs have been deployed, a role and profile have been provisioned, and a user account has been created and assigned the proper role profile.

Now you are ready to deploy the data connector agent container.