Skip to main content

Version: 2025.10

SAP HANA Security Monitor

Monitors critical privileges, encryption and parameters of a productive SAP HANA database.

General

Executable	`SAP_HANA_Security__Monitor.exe`
Connection method	ODBC
Ports	3$$15 ($$ = instance number)
Lookup files	itesys.saphanasecuritymonitor.encryptionstatus.ovl itesys.saphanasecuritymonitor.parameterstatus.ovl itesys.saphanasecuritymonitor.systemuserstatus.ovl

Default parameters

Parameter name	Possible values	Default	Description
Host	`<ip>` \| `<hostname>`	`empty`	Hostname or IP of the target system. If you use a virtual hostname on your SAP servers, please use also the virtual host to connect.
DBName	`string`	`empty`	Name of the database
DBInstance	`number (2)` \| `00 - 99`	`empty`	Instance number of the database.
DBPort	`number (5)` \| `0 - 65535`	`empty`	Port to establish ODBC connection.
DBUsername	`string`	`empty`	Database user
DBPassword	`string`	`empty`	Password of the database user

Sensor-specific parameters

Parameter name	Possible values	Default	Description
SSLEnabled	`true` \| `false`	`false`	Defines wether the connection should be encrypted or not. If enabled, make sure that the server certificate or it's issuer was imported into the correct Windows trust store.
ExcludedFromSystemPrivilegeCheck	`string` \| `<OBJECT1>,<OBJECT2>,...`	`SYSTEM,_SYS_REPO`	Defines which users or roles should be excluded from the system privileges check. The default value was defined based on the following SAP KB Article
ExcludedFromAnalyticPrivilegeCheck	`string` \| `<OBJECT1>,<OBJECT2>,...`	`SYSTEM,MODLEING,CONTENT_ADMIN`	Defines which users or roles should be excluded from the analytics privileges check. The default value was defined based on the following SAP KB Article
ExcludedFromContentAdminCheck	`string` \| `<OBJECT1>,<OBJECT2>,...`	`SYSTEM`	Defines which users or roles should be excluded from CONTENT_ADMIN role check. The default value was defined based on the following SAP KB Article
ExcludedFromModelingCheck	`string` \| `<OBJECT1>,<OBJECT2>,...`	`SYSTEM`	Defines which users or roles should be excluded from MODELING role check. The default value was defined based on the following SAP KB Article
Parameters	`string` \| `FILE:<filename>.preset`	`FILE:Default.preset`	Defines which preset should be used for the check of parameters. Each line in the preset file represents a parameter check and produces one channel in PRTG. Syntax: `<ini_filename> <section>.<parameter><operator><value>` Possible comparison operators: == (equal to) != (not equal to) << (less than)¹ >> (greater than)¹ <= (less or equal)¹ >= (greater or equal)¹ = (contains) ! (not contains) ¹ only applicable for integer or double values (Please note that preset files will be overwritten during update of Scansor. If you want to customize a file, please copy and rename it)

Presets

File name	Description
`Default.preset`	Set of security dependent critical parameters based on the official SAP Security Baseline.
`Extended.preset`	Set of security dependent critical and extended parameters based on the official SAP Security Baseline.

Channels

Channel name	Description	Lookup file
System User Status	Displays the status of the SYSTEM user: OK: SYSTEM User disabled Error: SYSTEM User enabled Warning: SYSTEM user doesn't exist	`itesys.saphanasecuritymonitor.systemuserstatus.ovl`
Grantees with system privileges assigned	Number of users with system privileges assinged
Grantees with debug privileges assigned	Number of users or roles with debug privileges assinged
Grantees with CONTENT_ADMIN assigned	Number of users with CONTENT_ADMIN role assinged
Grantees with MODELING assigned	Number of users with MODELING role assinged
Grantees with SAP_INTERNAL_HANA_SUPPORT assigned	Number of users or roles with SAP_INTERNAL_HANA_SUPPORT role assinged
Data encryption	Shows wether data encryption is enabled or not: OK: Encryption enabled Error: Encryption disabled	itesys.saphanasecuritymonitor.encryptionstatus
Log encryption	Shows wether log encryption is enabled or not: OK: Encryption enabled Error: Encryption disabled	itesys.saphanasecuritymonitor.encryptionstatus
<ini file> <section>.<parameter>	The sensor produces one channel for each parameter in a preset file showing if the parameter has the expected value or not.: OK: As expected Error: Not as expected	itesys.saphanasecuritymonitor.encryptionstatus

Important notes

warning

Please check the channel limits in PRTG if they fit for your alerting.

Troubleshooting

Error Code	Error Message	Possible Solution
`[SCN-103-051]`	`File <filename> could not be found! Please check your sensor parameters!`	Check if the file which is configured for the parameter `Parameters` is present in folder `SAP HANA Security Monitor`.
`[SCN-103-052]`	`A parameter needs to be in the form of <file>,<section>,<key><operation><expected_value>`	Check the syntax in the defined preset file for errors.
`[SCN-103-103]`	`Could not connect to HANA database: ERROR [IM002] [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified`	Please install 64-bit HDB client incl. ODBC driver on the PRTG server

Changelog

Version	Changes
2025.10	First stable release

General
Default parameters
Sensor-specific parameters
Presets
Channels
Important notes
Troubleshooting
Changelog