- 12 Mar 2024
- 1 Minute to read
- Contributors
- Print
- DarkLight
Scanning Authorizations for Technical Users
- Updated on 12 Mar 2024
- 1 Minute to read
- Contributors
- Print
- DarkLight
Specific authorizations per database type are required for technical users being used in the scanner connection.
SAP Application Server & SAP Message Server
The following table outlines the authorizations required for SAP Application Server and SAP Message Server:
Authorization Object | Field | Value |
---|---|---|
S_RFC | RFC_TYPE | FUNC (Function Module) |
RFC_NAME | RFCPING, /SDF/SYSTEM_INFO, DDIF_FIELDINFO_GET, RFC_GET_FUNCTION_INTERFACE, RFC_READ_TABLE | |
ACTVT | 16 (Execute) | |
/SDF/E2E | ACTVT | 03 (Display) |
S_TABU_NAM | ACTVT | 03 (Display) |
TABLE | DD01T, DD02L, DD02T, DD03L, DD04L, DD04T, DD07L, DD07T, DD05S and DD08L |
SAP HANA
SAP HANA requires a database user authenticated by the HANA internal authentication mechanism using a password (the default mechanism). The scanner does not create any objects or data in the database being scanned.
Grant SELECT authorization of the following tables and views:
SCHEMAS
TABLES
TABLE_COLUMNS
CONSTRAINTS
VIEWS
VIEW_COLUMNS
PROCEDURES
PROCEDURE_PARAMETERS
INDEX_COLUMNS
REFERENTIAL_CONSTRAINTS
The following tables are required for SAP DDIC scanning:
DD01T
DD02L
DD02T
DD03L
DD04L
DD04T
DD07L
DD07T
DD05S
DD08L
SQL Server
SQL Server requires a login using SQL Server Authentication. The scanner does not create any objects or data in the database being scanned.
This includes connections to Azure SQL Server Managed Instances for Migrate and Construct.
Note
When connecting to an Azure SQL Server Managed Instance, the username must include the domain components that match the hosted database environment.
Grant SELECT authorization of the following tables and views:
sys.databases
sys.schemas
sys.tables
sys.columns
sys.types
INFORMATION_SCHEMA.COLUMNS
sys.indexes
sys.index_columns
sys.views
sys.types
sys.foreign_key_columns
sys.objects
sys.foreign_keys
The following function requires membership in the public role: HAS_DBACCESS
The following tables are required for SAP DDIC scanning:
DD01T
DD02L
DD02T
DD03L
DD04L
DD04T
DD07L
DD07T
DD05S
DD08L
Oracle
Oracle requires a local user identified by a password. The scanner does not create any objects or data in the database being scanned.
Grant SELECT authorization of the following tables and views:
ALL_ALL_TABLES
ALL_TAB_COLUMNS
ALL_CONSTRAINTS
ALL_CONS_COLUMNS
ALL_VIEWS
ALL_INDEXES
ALL_IND_COLUMNS
The following tables are required for SAP DDIC scanning:
DD01T
DD02L
DD02T
DD03L
DD04L
DD04T
DD07L
DD07T
DD05S
DD08L
PostgreSQL
PostgreSQL requires a local user identified by a password. The scanner does not create any objects or data in the database being scanned.
Grant SELECT authorization of the following tables and views:
pg_catalog.pg_database
pg_namespace
pg_class
pg_description
pg_attribute
pg_attrdef
pg_type
pg_constraint
IBM Db2 LUW
IBM Db2 LUW requires a local user identified by a password. The scanner does not create any objects or data in the database being scanned.
Grant SELECT authorization of the following tables and views:
SYSCAT.SCHEMATA
SYSCAT.TABLES
SYSCAT.COLUMNS
SYSCAT.TABCONST
SYSCAT.KEYCOLUSE
IBM Db2 OS/390
IBM Db2 OS/390 requires a local user identified by a password. The scanner does not create any objects or data in the database being scanned.
Grant SELECT authorization of the following tables and views:
SYSIBM.SYSTABLES
SYSIBM.SYSCOLUMNS
SYSIBM.SYSINDEXES
SYSIBM.SYSKEYS