SAP CriticalPermissions Monitor
Displays the number of users which have the defined roles, profiles or authorization objects or a combination of them assigned.
General
| Executable | SAP CriticalPermissions Monitor.exe |
| Connection method | RFC |
| Ports |
($$ = Instance number) |
Default parameters
| Parameter name | Possible values | Default | Description |
|---|---|---|---|
| Host | <ip> | <hostname> | empty | Hostname or IP of the target system. If you use a virtual hostname on your SAP servers, please use also the virtual host to connect. |
| SAPSID | string (3) | XXX | empty | SID of the SAP system |
| SAPInstance | number (2) | 00 - 99 | empty | Instance number of the SAP system |
| SAPClient | number (3) | 000 - 999 | empty | SAP Client (CLNT/MANDT) |
| SAPUsername | string | empty | SAP user |
| SAPPassword | string | empty | Password of the SAP user |
Sensor-specific parameters
| Parameter name | Possible values | Default | Description |
|---|---|---|---|
| ExcludedUsers | <user1>[,<user2>[,<user3>[,...]]] | NONE | Users to exclude from the check (comma separated) |
| Conditions | FILE:SAP_ALL.preset | Conditions for the permission checks.
Check section Preset syntax to see how to define presets. |
Presets
| File name | Description |
|---|---|
| Developer.preset | A few examples for developer permissions like S_DEVELOP authorization object or table maintenance. |
| SAP_ALL.preset | Check for users with profile SAP_ALL |
Preset Syntax
A preset file can have one or more conditions per line. A PRTG channel will be generated for each line. The conditions in one line can be combined by $ (AND) or | (OR). A mixup of $ and | is not possible but will be supported in future releases.
An expression of multiple conditions has the following form. Anything enclosed in square brackets is optional:
[+]<channel name>#<condition1>[<operator><condition2>[<operator><condition3>[…]]]
| + | If a line is prefixed by +, the sensor will print the usernames of the affected users to the sensor message. Please note that the PRTG sensor message is limited to 2000 characters. | ||||||
|---|---|---|---|---|---|---|---|
| <channel name> | The channel name can be a word or short sentence which represents the meaning of the conditions. | ||||||
| <condition> | A condition has the following syntax:
Examples:
| ||||||
| <operator> |
The operators cannot be combined in a single line. More complex conditions will be supported in future releases. |
Examples
Check if a user exists which has ROLEA and ROLEB assigned and print the usernames to the sensor message.
+Check ROLEA – ROLEB#ROLE!ROLEA$ROLE!ROLEBCheck if there are users with profile SAP_ALL or authorization object S_DEVELOP with specific values assigned.
SAP_ALL or S_DEVELOP#PROFILE!SAP_ALL|OBJ!S_DEVELOP:ACTVT=02,OBJTYPE=DEBUG
Channels
| Channel name | Description | Lookup file |
|---|---|---|
| <Defined name for the condition in the preset file> | Number of users for which the condition mets. |
Important notes
To make sure the sensor is acting as expected, please do some tests and check if the sensor is showing the correct values by assigning some users the permissions you defined for the check.
The count and complexity of conditions can highly impact sensor and system performance. Therefore a check interval lower than 15 minutes is not recommended.
Changelog
| Version | Changes |
|---|---|
| 2024.04 | Improved performance by not loading unnessessary data |
| 2022.12 | First stable release |