Available CCDB Config Stores

How you can contact us:

Technical Assistance

Request product support from SAP
Non-Technical Assistance

Request non-product support or provide feedback on SAP Support Portal site

Available CCDB Config Stores

FRUN Configuration and Security Analytics Collector Framework (CSA CF) extracts a comprehensive set of configuration data from managed systems into the the FRUN Configuration and Change Database (CCDB). Data is stored in containers, the-so-called Config Stores. Each Config Store stores data of the same semantics.

This document provides a list of Config Stores that are available for the most common Technical System Types. In addition we show simple ways for looking into the detail structure and content of Config Stores and for getting a list of all available Config Stores.

Note: To take advantage of latest CCDB content, the Managed Systems must be prepared and regularly updated with latest versions of standard software components for SAP Service Content:

ABAP ST-PI
Starting with FRUN 2.0 FP03, ST-PI 7.40 SP08 or higher must be implemented.
ABAP ST/A-PI

The following Config Stores are available:

Config Stores for Application Server ABAP

ABAP Database Interface
ABAP Generic Whitelists Information
ABAP Notes
ABAP Scenario-Based Checks Information
ABAP Secure Storage Encryption Key status
ABAP UCON RFC Basic Scenario
ABAP UCON http white list Scenario
ABAP UCON http white list Scenario
ABAP clients (T000)
Audit log (Configuration)
Audit log - CONFIGURATION_SLOT
New column MSG_LIST
(since FRUN 3.00 FP01)
Audit log -AUDIT_CONFIGURATION_PARA
(since FRUN 3.00 FP01*)
Audit log (Configuration XML)
BW administration settings (RSADMIN)
BW customer control table (RSADMINA)
BW customizing table (RSADMINC)
BWfrontend (RSFRONTENDINIT)
BW source system transfer
BW system settings (RSADMINS)
Clients - Change log
Component change settings
Crypto library version
Customizing settings for authorization process
Default profile
Environment variables
Gateway proxy
Gateway registry
Gateway security
Global change setting
Global change setting - Change log

* managed systems starting with SAP_BASIS 740 SP20, 750 SP18, 751 SP10, 752 SP06, 753 SP04, 754 SP02

** managed systems higher than SAP_BASIS 7.54

*** managed system with note 3087718 which needs at least 7.40 SP 19, 7.50 SP 11, 7.51 SP 06, 7.52 SP 01, 7.53/4/5/6 SP 00 and note 3197247 (performance improvement)

HTTP Whitelist
HTTP Whitelist (UCON Client dependent)
HTTP Whitelist (UCON)
Host - Installed software packages
Host configuration
http services (SICF)
IGS Manifest
Installed software packages
Instance parameter
Instance profile
License
Maintenance areas for tables
Message server security
Namespace change settings
Namespace change settings - Change log
PSE certificates
Path for backup and authorization
Permitted trusted systems
RFC destinations
SAINT/SPAM level
SAP Kernel
RFC destinations type '3'
RFC destinations type 'G'
RFC destinations type 'H'
RFC destinations type 'L'
RFC destinations type 'T'
SAPUI5 library
SAPUI5 version
SCS profile
SMLT Languages
SNC Access Control List (ACL)
Security policy
Session management
Set Values for the Session Manager / Profile Generator
Software component level
Column SP_REL_DATE (since FRUN 3.00 FP01), Vendor (Since FRUN 4.0)

Standard users
System Hosts
Transports
Usage of password hashing
User by authorization check
User with SAP_ALL profile
User with cust. profiles
Virus scan groups
Virus scan server
XMS: Integration Engine Conf. Parameters (Client)
XMS: Integration Engine Configuration Parameters
ABAP Start Authorization check - USOBAUTHINACTIVE
(since FRUN 3.00 FP01)
ABAP Code Vulnerability Analyzer status
(since FRUN 3.00 FP01)
ABAP ERS - Parameters
(since FRUN 3.0 FP01 and SDA 1.55)
ABAP SCS – Parameters
(since FRUN 3.0 FP01 and SDA 1.55)
Consumer Proxy Logical Port
- Restricted to logical ports defined by single configuration
(since FRUN 3.0 FP01**)
WebServices (SOAMANAGER) - Service Definitions / Consumer Proxy Logical Ports (since FRUN 3.0 FP02***)
ABAP HTTP URL Location Exception (HTTPURLLOC) (since FRUN 3.0 FP03)
ABAP Transport Organizer Global Customizing (since FRUN 4.0)
ABAP Transport Organizer Request Release Checks (since FRUN 4.0)
ABAP System timezone (since FRUN 4.0)
ABAP Unified Rendering Version (since FRUN 4.0)

Additional Config Stores are available for customized use (see section Custom Config Stores for Application Server ABAP)

Custom Config Stores for Application Server ABAP

Users with critical authorizations
Roles with critical authorizations

Users with critical profiles
Users with critical transactions

Users of a user type
Users with critical role combinations

Since FRUN 3.00 FP01 and ST-A/PI 01U SP02 (in the managed system) the user stores have additional columns USER_INVALID, USER_TYPE, USER_GROUP and USER_LOCKED

The customizing is defined using Template Configuration – Store Customizing. It is related to the Type e.g. ABAP Profile. A new customizing gets a three-digit Id which is then referenced in the store definition.

Explanation for customizing of type “User Authorization Combination” (AUTH_COMB_USER) and “Role Authorization Combination” (AUTH_COMB_ROLE): The 'Combination ID' represents one check and is used as result key in the content structure of the Config Store. The boolean result of the 'Combination ID' is the logical 'AND' combination of its 'Authorization IDs'.

The boolean result of an 'Authorization ID' is the logical 'AND' combination of its 'Groups'. Each 'Group' is either an 'AND' or an 'OR' group. This is defined by the setting in the column 'AND/OR'. Within an 'AND Group' all equal 'Objects' are treated as one and combined together to the other 'Groups' of the 'Authorization ID'. In contrary to this, each record of an 'OR Group' is combined on its own to the other 'Groups' of the 'Authorization ID'.

In addition to specific field values there is the possibilities to use the following placeholders in the columns 'From' and 'To':
* = Any value
#* = The authorization value *
#** = The authorization value * or all available values

The following example defines to collect users that do have authorization for all rfc destinations and transaction SM59. As different Authorization IDs are used the authorizations might be provided by different profiles.

Combination ID	Authorization ID	Group	Object	Field Name	From	To	AND/OR
ADMIN_RFC	SRFCADM	DEST	S_RFC_ADM	RFCDEST	#*		AND
ADMIN_RFC	SRFCADM	TYPE	S_RFC_ADM	RFCTYPE	#*		AND
ADMIN_RFC	STCODE	TCD	S_TCODE	TCD	SM59		AND

The technical names of the columns are

COMB_ID

AUTH_ID

AUTH_GROUP

OBJECT

FIELD

LOW

HIGH

SEARCHTYPE

Examples of customizing are available by SAP Security Baseline of SAP Note 2253549 as part of “SAP Security Optimization Services Portfolio”.

The description provided by the document e.g. Configuration_Validation_Template_V2.3_CV-1 is related to Configuration Validation of Solution Manager. The section 2.3 Documentation of the Store Customization, and the customizing examples are also valid for FRUN. In the zip file (Security_Baseline_Template…) there is also a folder “Customizing_(all)” which has got several csv files that can be uploaded to the respective customizing of the FRUN stores.

Config Stores for J2EE Engine

Central service profile
Default profile
Instance profile
Static Store name (since FRUN 3.00 FP01)
Kernel
Services
J2EE SCS - Parameters
(since FRUN 3.00 FP01 and SDA 1.55)
HTTP destinations
RFC destinations
Global RFC destinations
HTTP Hosts
SPML Interface

Clickjacking
Log Configuration
J2EE cluster node parameter
J2EE PSE Certificates
Software component level
Column SP_REL_DATE (since FRUN 3.00 FP01)
J2EE ERS - Parameters
(since FRUN 3.00 FP01 and SDA 1.55)

Config Stores for SAP HANA

HANA Version
HANA Parameter
HANA PSE Certificates (from DB table CERTIFICATES)
Column: PSE_AGG added (since FRUN 3.00 FP00 and SAP Host Agent PL49)
HANA Privileges [by Wizard]
(since FRUN 3.00 FP00 and SAP Host Agent PL49)
HANA Remote Sources
(since FRUN 3.00 FP00 and SAP Host Agent PL49 and SDA 1.48.0)

HANA User 'SYSTEM' status
HANA Audit Policies
HANA Encryption

Installed Licenses
XSA Version (installed on HANA)
Granted Roles [by Wizard]
(since FRUN 3.00 FP01)
LDAP Providers
(since FRUN 3.00 FP01)
Configuration Parameter (since FRUN 3.00 FP02 and SAP Host Agent PL55)
HANA Build Version(since FRUN 3.0 FP03)

Config Store for other Databases

SAP ASE (Adaptive Server Enterprise)

Parameter
Password Policy
(FRUN 3.00 FP02 and SAP Hostagent PL 48

Oracle

Parameter
Level
(since FRUN 3.00 FP01 and SAP HostAgent PL53)
SQL Patch and Fix Control
(since FRUN 3.00 FP02 and SAP HostAgent PL55)
Oracle SQL patches installed (Oracle 18 and higher; since FRUN 4.00 and SAP HostAgent PL59)

SAP MAX DB

MaxDB Version
MaxDB General Parameter
MaxDB Extended Parameter
MaxDB Support Parameter

IBM DB6

Level
Manager Configuration
Configuration
Registry

Config Stores for Operating System level

SAP Host Agent

SAPHostAgent (Version)
host_profile (Parameters)

Host configuration

SAP_ITSAMComputerSystem
SAP_ITSAMHostComputerSystem
SAP_ITSAMOperatingSystem
SAP_ITSAMProcessor
SAP_ITSAMVirtualComputerSystem

Host - Installed software packages

HOST_SOFTWARE_PACKAGES

Host - Installed software patches (Windows)

HOST_SOFTWARE_PATCHES (since FRUN 3.00 FP01)

Config Stores for SAP Cloud Connector

SAP Cloud Connector (as of FRUN 2.0 FP 03)
System type CLOUD_CONN

Accounts
Accounts (trusted applications)
Backends
Backends (allowed clients in ABAP backends)
Backends (ABAP Blacklist)
Backends - Resources
Configuration
JVM Parameter
Trusted Configuration (Trusted Applications)
Trusted Configuration (Trusted IDP)
Version
Certificates
(FRUN 3.0 FP02 - SCC Version >= 2.13.0 and SDA >= 1.56)

Config Stores for SAP WebDispatcher (standalone)

SAP WebDispatcher (standalone)
System type WEBDISP

Default profile
Instance profile
Table Store INSTANCE_PROFILE (since FRUN 2.0 FP03)
Static Text Store name (since FRUN 3.0 FP01
Web Dispatcher - Parameters
(since FRUN 3.0 FP01 and SDA 1.55)
Software component level
Column SP_REL_DATE (since FRUN 3.00 FP01)

FAQ

How to find detail information about a Config Store?

Start CSA Application from FRUN Launchpad
Start the Store Browser
Select a system to display the Config Stores available for this system
At Click on a Config Store, a new section Items opens at the bottom of the page:
Check out the general structure of the config store with key and value fields as well as all the items stored
(e.g. the HANA Version in HDB_VERSION or all the parameters with their values in HDB_PARAMETER)

CSA Store Browser. How to select a system and a config store

Figure: Finding a config store in the CSA Store Browser

Figure: Displaying the Items of a Config Store

How to get an online overview about available Config Stores?

Start the Configuration & Security Analytics from FRUN Launchpad.
Start the Search application.
Use the drop-down box for Config Stores to check for relevant stores:
Use the SCI Id on the left for checking details of the SCI Template in CSA Template Management.
Use the Information on the right for checking config store content in detail.

Figure: Finding Config Stores in the value help of CSA Search application

What different Config Store types exist?

The following Config Store types and corresponding database tables exist:

All Config Stores are persisted in transparent tables of the ABAP Dictionary. You find the mapping between Config Stores and tables in table CCDB_SCI_STORE. Each table can store data from multiple Config Stores based on a compatible structure of data. The general naming convention of CCDB tables in ABAP Dictionary is CCDB_DATA_*.