FRUN Configuration and Security Analytics Collector Framework (CSA CF) extracts a comprehensive set of configuration data from managed systems into the the FRUN Configuration and Change Database (CCDB). Data is stored in containers, the-so-called Config Stores. Each Config Store stores data of the same semantics.
This document provides a list of Config Stores that are available for the most common Technical System Types. In addition we show simple ways for looking into the detail structure and content of Config Stores and for getting a list of all available Config Stores.
Note: To take advantage of latest CCDB content, the Managed Systems must be prepared and regularly updated with latest versions of standard software components for SAP Service Content:
The following Config Stores are available:
* managed systems starting with SAP_BASIS 740 SP20, 750 SP18, 751 SP10, 752 SP06, 753 SP04, 754 SP02
** managed systems higher than SAP_BASIS 7.54
*** managed system with note 3087718 which needs at least 7.40 SP 19, 7.50 SP 11, 7.51 SP 06, 7.52 SP 01, 7.53/4/5/6 SP 00 and note 3197247 (performance improvement)
Additional Config Stores are available for customized use (see section Custom Config Stores for Application Server ABAP)
Since FRUN 3.00 FP01 and ST-A/PI 01U SP02 (in the managed system) the user stores have additional columns USER_INVALID, USER_TYPE, USER_GROUP and USER_LOCKED
The customizing is defined using Template Configuration – Store Customizing. It is related to the Type e.g. ABAP Profile. A new customizing gets a three-digit Id which is then referenced in the store definition.
Explanation for customizing of type “User Authorization Combination” (AUTH_COMB_USER) and “Role Authorization Combination” (AUTH_COMB_ROLE): The 'Combination ID' represents one check and is used as result key in the content structure of the Config Store. The boolean result of the 'Combination ID' is the logical 'AND' combination of its 'Authorization IDs'.
The boolean result of an 'Authorization ID' is the logical 'AND' combination of its 'Groups'. Each 'Group' is either an 'AND' or an 'OR' group. This is defined by the setting in the column 'AND/OR'. Within an 'AND Group' all equal 'Objects' are treated as one and combined together to the other 'Groups' of the 'Authorization ID'. In contrary to this, each record of an 'OR Group' is combined on its own to the other 'Groups' of the 'Authorization ID'.
In addition to specific field values there is the possibilities to use the following placeholders in the columns 'From' and 'To':
* = Any value
#* = The authorization value *
#** = The authorization value * or all available values
The following example defines to collect users that do have authorization for all rfc destinations and transaction SM59. As different Authorization IDs are used the authorizations might be provided by different profiles.
|Combination ID||Authorization ID||Group||Object||Field Name||From||To||AND/OR|
The technical names of the columns are
The description provided by the document e.g. Configuration_Validation_Template_V2.3_CV-1 is related to Configuration Validation of Solution Manager. The section 2.3 Documentation of the Store Customization, and the customizing examples are also valid for FRUN. In the zip file (Security_Baseline_Template…) there is also a folder “Customizing_(all)” which has got several csv files that can be uploaded to the respective customizing of the FRUN stores.
SAP ASE (Adaptive Server Enterprise)
SAP MAX DB
SAP Host Agent
Host - Installed software packages
Host - Installed software patches (Windows)
SAP Cloud Connector (as of FRUN 2.0 FP 03)
SAP WebDispatcher (standalone)
Figure: Finding a config store in the CSA Store Browser
Figure: Displaying the Items of a Config Store
Figure: Finding Config Stores in the F4-help of CSA SEARCH application
The following Config Store types exist:
All Config Stores are persisted in transparent tables of the ABAP Dictionary. Each table can store data from multiple Config Stores based on a compatible structure of data. The general naming convention of CCDB tables in ABAP Dictionary is CCDB_DATA_*.