Available CCDB Config Stores
The Configuration and Security Analysis Collector Framework (CSA CF) in SAP Focused Run extracts a comprehensive set of configuration data from managed systems into the the Configuration and Change Database (CCDB). Data is stored in containers, the-so-called Config Stores. Each Config Store stores data of the same semantics.
This document provides a list of Config Stores that are available for the most common Technical System Types. In addition we show simple ways for looking into the detail structure and content of Config Stores and for getting a list of all available Config Stores.
Note: To take advantage of latest CCDB content, the Managed Systems must be prepared and regularly updated with latest versions of the Roles to authorize access in managed systems to collect data for FRUN (see SAP note 2450740) and standard software components for SAP Service Content
- ABAP ST-PI
Starting with SAP Focused Run 2.0 FP03, ST-PI 7.40 SP08 or higher must be implemented. - ABAP ST-A/PI
Install highest release and Support Package to get extractor coding for new stores
The following Config Stores are available:
- ABAP Database Interface
- ABAP Generic Whitelist information
- ABAP Notes
- ABAP Scenario-Based Checks Information
- ABAP Secure Storage Encryption Key status
- ABAP UCON RFC Basic Scenario
- ABAP UCON http white list Scenario
- ABAP UCON http white list Scenario
- ABAP clients (T000)
- Audit log (Configuration)
- Audit log - CONFIGURATION_SLOT
New column MSG_LIST
(since FRUN 3.00 FP01) - Audit log -AUDIT_CONFIGURATION_PARA
(since FRUN 3.00 FP01*)
- Audit log (Configuration XML)
- BW administration settings (RSADMIN)
- BW customer control table (RSADMINA)
- BW customizing table (RSADMINC)
- BWfrontend (RSFRONTENDINIT)
- BW source system transfer
- BW system settings (RSADMINS)
- Clients - Change log
- Component change settings
- Crypto library version
- Customizing settings for authorization process
- Default profile
- Environment variables
- Gateway proxy
- Gateway registry
- Gateway security
- Global change setting
- Global change setting - Change log
* managed systems starting with SAP_BASIS 740 SP20, 750 SP18, 751 SP10, 752 SP06, 753 SP04, 754 SP02
** managed systems higher than SAP_BASIS 7.54
*** managed system with note 3087718 which needs at least 7.40 SP 19, 7.50 SP 11, 7.51 SP 06, 7.52 SP 01, 7.53/4/5/6 SP 00 and note 3197247 (performance improvement)
- HTTP Whitelist
- HTTP Whitelist (UCON Client dependent)
- HTTP Whitelist (UCON)
- Host - Installed software packages
- Host configuration
- http services (SICF)
- IGS Manifest
- Installed software packages
- Instance parameter
- Instance profile
- License
- Locked transactions
- Locked client transactions****
- Maintenance areas for tables
- Message server security
- Namespace change settings
- Namespace change settings - Change log
- PSE certificates
- Path for backup and authorization
- Permitted trusted systems
- RFC destinations
- SAINT/SPAM level
- SAP Kernel
- RFC destinations type '3'
- RFC destinations type 'G'
- RFC destinations type 'H'
- RFC destinations type 'L'
- RFC destinations type 'T'
- SAPUI5 library
- SAPUI5 version
- SCS profile
- SMLT Languages
- SNC Access Control List (ACL)
- Security policy
- Session management
- Set Values for the Session Manager / Profile Generator
**** managed system on ST-A/PI >= 01U* SP1 and SAP_BASIS >= 7.50 SP03
- Software component level
Column SP_REL_DATE (SP Release Date; since FRUN 3.0 FP01), Vendor (Since FRUN 4.0), SP_INST_TS (SP Installation timestamp; since FRUN 4.0 FP03 (ST-A/PI release W needed) - Standard users
- System Hosts
- Transports
- Usage of password hashing
- User by authorization check
- User with SAP_ALL profile
- User with cust. profiles
- Virus scan groups
- Virus scan server
- XMS: Integration Engine Conf. Parameters (Client)
- XMS: Integration Engine Configuration Parameters
- ABAP Start Authorization check - USOBAUTHINACTIVE
(since FRUN 3.00 FP01) - ABAP Code Vulnerability Analyzer status
(since FRUN 3.00 FP01) - ABAP ERS - Parameters
(since FRUN 3.0 FP01 and SDA 1.55) - ABAP SCS – Parameters
(since FRUN 3.0 FP01 and SDA 1.55) - Consumer Proxy Logical Port
- Restricted to logical ports defined by single configuration
(since FRUN 3.0 FP01**) - WebServices (SOAMANAGER) - Service Definitions / Consumer Proxy Logical Ports (since FRUN 3.0 FP02***)
- ABAP HTTP URL Location Exception (HTTPURLLOC) (since FRUN 3.0 FP03)
Additional Config Stores are available for customized use (see section Custom Config Stores for Application Server ABAP)
- ABAP Transport Organizer Global Customizing
- ABAP Transport Organizer Request Release Checks
- ABAP System timezone
- ABAP Unified Rendering Version
- Database Connections (DBCON)
(FP01) - Rule-Based Cert. Logon (USRCERTRULE) (FP01)
- Certificate Mapping (USRCERTMAP) (FP01)
- ABAP List of existing trusting systems (RFCTRUST) (FP01)
- RFC destinations type 'W' (FP02)
note 3318783 need
in managed system
- ABAP Reference user (FP02)
- ABAP Number of User with DEV Access Key (FP02)
- ABAP SECM: Filter for Change Document Logs (FP02)
- ABAP SECM: Config (FP02)
- ABAP SECM User change log (FP02)
- ABAP Customizing settings for SFIL (FP02)
- ABAP SECM: Logs (FP02)
- ABAP SECM: Master Data (FP02)
- ABAP Switch Framework (FP02)
- Virus scan server profiles
- Virus scan server profiles mimes
- HTTP Security Header Framework – Header
- HTTP Security Header Framework - Trusted Sites
- For Enterprise Thread detection - Several Stores for the content of tables:
ABAP ETD: SETD_G_CFG, SETD_S_CFG, SETD_G_CFG_LOG, SETD_S_CFG_LOG, SETD_G_CFG_SEN, SETD_S_CFG_ALW, SETD_C_CFG, SETD_C_CFG_LOG, SETD_C_CFG_SEN
- Users with critical authorizations
- Roles with critical authorizations
- Users with critical profiles
- Users with critical transactions
- Users of a user type
- Users with critical role combinations
Since FRUN 3.00 FP01 and ST-A/PI 01U SP02 (in the managed system) the user stores have additional columns USER_INVALID, USER_TYPE, USER_GROUP and USER_LOCKED
The customizing is defined using Template Configuration – Store Customizing. It is related to the Type e.g. ABAP Profile. A new customizing gets a three-digit Id which is then referenced in the store definition.
Explanation for customizing of type “User Authorization Combination” (AUTH_COMB_USER) and “Role Authorization Combination” (AUTH_COMB_ROLE): The 'Combination ID' represents one check and is used as result key in the content structure of the Config Store. The boolean result of the 'Combination ID' is the logical 'AND' combination of its 'Authorization IDs'.
The boolean result of an 'Authorization ID' is the logical 'AND' combination of its 'Groups'. Each 'Group' is either an 'AND' or an 'OR' group. This is defined by the setting in the column 'AND/OR'. Within an 'AND Group' all equal 'Objects' are treated as one and combined together to the other 'Groups' of the 'Authorization ID'. In contrary to this, each record of an 'OR Group' is combined on its own to the other 'Groups' of the 'Authorization ID'.
In addition to specific field values there is the possibilities to use the following placeholders in the columns 'From' and 'To':
* = Any value
#* = The authorization value *
#** = The authorization value * or all available values
The following example defines to collect users that do have authorization for all rfc destinations and transaction SM59. As different Authorization IDs are used the authorizations might be provided by different profiles.
Combination ID | Authorization ID | Group | Object | Field Name | From | To | AND/OR |
ADMIN_RFC | SRFCADM | DEST | S_RFC_ADM | RFCDEST | #* | AND | |
ADMIN_RFC | SRFCADM | TYPE | S_RFC_ADM | RFCTYPE | #* | AND | |
ADMIN_RFC | STCODE | TCD | S_TCODE | TCD | SM59 | AND |
The technical names of the columns are
COMB_ID | AUTH_ID | AUTH_GROUP | OBJECT | FIELD | LOW | HIGH | SEARCHTYPE |
Examples of customizing are available by SAP Security Baseline of SAP Note 2253549 as part of “SAP Security Optimization Services Portfolio”.
The description provided by the document e.g. Configuration_Validation_Template_V2.3_CV-1 is related to Configuration Validation of Solution Manager. The section 2.3 Documentation of the Store Customization, and the customizing examples are also valid for FRUN. In the zip file (Security_Baseline_Template…) there is also a folder “Customizing_(all)” which has got several csv files that can be uploaded to the respective customizing of the FRUN stores.
SAP HANA:
- Granted Privileges
- Granted Roles
- HANA Version
- HANA Parameter
- HANA PSE Certificates (from DB table CERTIFICATES)
Column: PSE_AGG added (since FRUN 3.00 FP00 and SAP Host Agent PL49) - HANA Privileges [by Wizard]
(since FRUN 3.00 FP00 and SAP Host Agent PL49) - HANA Remote Sources
(since FRUN 3.00 FP00 and SAP Host Agent PL49 and SDA 1.48.0)
- HANA User 'SYSTEM' status
- HANA Audit Policies
- HANA Encryption
- Installed Licenses
- XSA Version (installed on HANA)
- Granted Roles [by Wizard]
(since FRUN 3.00 FP01) - LDAP Providers
(since FRUN 3.00 FP01) - Configuration Parameter (since FRUN 3.00 FP02 and SAP Host Agent PL55)
- HANA Build Version (since FRUN 3.0 FP03)
- HANA count enabled Authentication Method (since FRUN4.0 FP02)
- FRUN 4.0 FP02
- HANA Cloud Statistics Service is active in productive HANA Cloud instances
- HCS M_CONFIGURATION_PARAMETER_VALUES
- HCS M_DATABASE_HISTORY
- HCS AUDIT_POLICIES
(FRUN 5.0 redefines this store getting several additional key fields) - HCS SAP_HANA_CLOUD USERGROUP_PARAMETERS
- HCS GRANTED_PRIVILEGES
- HCS GRANTED_ROLES
- HCS M_AFL_FUNCTIONS
- HCS M_HOST_INFORMATION
- HCS M_LICENSE
- HCS M_DATABASES
- HCS M_LANDSCAPE_HOST_CONFIGURATION
- Central service profile
- Default profile
- Instance profile
Static Store name (since FRUN 3.00 FP01) - Kernel
- Services
- J2EE SCS - Parameters
(since FRUN 3.00 FP01 and SDA 1.55) - HTTP destinations
- RFC destinations
- Global RFC destinations
- HTTP Hosts
- SPML Interface
- Clickjacking
- Log Configuration
- J2EE cluster node parameter
- J2EE PSE Certificates
- Software component level
Column SP_REL_DATE (since FRUN 3.00 FP01) - J2EE ERS - Parameters
(since FRUN 3.00 FP01 and SDA 1.55)
SAP ASE (Adaptive Server Enterprise)
- Parameter
- Password Policy
(FRUN 3.00 FP02 and SAP Hostagent PL 48
Oracle
- Parameter
- Level
(since FRUN 3.00 FP01 and SAP HostAgent PL53) - SQL Patch and Fix Control
(since FRUN 3.00 FP02 and SAP HostAgent PL55) - Oracle SQL patches installed (Oracle 18 and higher; since FRUN 4.00 and SAP HostAgent PL59)
SAP MAX DB
- MaxDB Version
- MaxDB General Parameter
- MaxDB Extended Parameter
- MaxDB Support Parameter
IBM DB6
- Level
- Manager Configuration
- Configuration
- Registry
SAP Host Agent
- SAPHostAgent (Version)
- host_profile (Parameters)
Host configuration
- SAP_ITSAMComputerSystem
- SAP_ITSAMHostComputerSystem
- SAP_ITSAMOperatingSystem
- SAP_ITSAMProcessor
- SAP_ITSAMVirtualComputerSystem
- SAP_ITSAMInstance_Properties (for Web Dispatcher only, coming with FRUN 5.0; SDA 1.65 and SAP Host Agent 7.22 PL65 are prerequistes)
Host - Installed software packages
- HOST_SOFTWARE_PACKAGES
Host - Installed software patches (Windows)
- HOST_SOFTWARE_PATCHES (since FRUN 3.00 FP01)
Cloud Connector (as of FRUN 2.0 FP 03)
System type CLOUD_CONN
- Accounts
- Accounts (trusted applications)
- Backends
- Backends (allowed clients in ABAP backends)
- Backends (ABAP Blacklist)
- Backends - Resources
- Configuration
- JVM Parameter
- Trusted Configuration (Trusted Applications)
- Trusted Configuration (Trusted IDP)
- Version
- Certificates
(FRUN 3.0 FP02 - SCC Version >= 2.13.0 and SDA >= 1.56)
(FRUN 5.0 serialNumber added - SDA 1.65 and SCC Version 2.17.0 are prerequisites for providing this information)
SAP WebDispatcher (standalone)
System type WEBDISP
- Default profile
- Instance profile
Table Store INSTANCE_PROFILE (since FRUN 2.0 FP03)
Static Text Store name (since FRUN 3.0 FP01 - Web Dispatcher - Parameters
(since FRUN 3.0 FP01 and SDA 1.55) - Software component level
Column SP_REL_DATE (since FRUN 3.00 FP01) - WDISP - Certificates (since FRUN 4.00 FP01 using SDA 1.62)
(FRUN 5.0 serialNumber added - SDA 1.65 and WebDispatcher version according SAP note 3477358, e.g. 7.89 SP250 are prerequisites for providing this information)
SAP Credential Store
- Credential Configuration
SAP Mobile Services
- Application Configuration
* SAP CALM tenant is prerequisite
** Landscape information is needed for other stores, which can't be scheduled without this information
Identity Authentication
- Landscape information**
- Identity Authentification Configuration
- System Application Configuration
- System Charged Configuration
- System Bundled Configuration
Identity Provisioning
- Landscape information**
- Identity Provisioning Configuration
- Proxy configuration
- Source configuration
- Target configuration