You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/sap/preparing-sap.md
+53-40Lines changed: 53 additions & 40 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,15 +1,41 @@
1
1
---
2
-
title: Deploy SAP Change Requests (CRs) and configure authorization | Microsoft Docs
2
+
title: Deploy SAP Change Requests (CRs) and configure authorization
3
3
titleSuffix: Microsoft Sentinel
4
4
description: This article shows you how to deploy the SAP Change Requests (CRs) necessary to prepare the environment for the installation of the SAP agent, so that it can properly connect to your SAP systems.
5
5
author: MSFTandrelom
6
6
ms.author: andrelom
7
7
ms.topic: how-to
8
8
ms.date: 04/07/2022
9
9
---
10
-
# Deploy SAP Change Requests (CRs) and configure authorization
10
+
# Deploy SAP Change Requests and configure authorization
11
11
12
-
This article shows you how to deploy the SAP Change Requests (CRs) necessary to prepare the environment for the installation of the SAP agent, so that it can properly connect to your SAP systems.
12
+
This article shows you how to deploy SAP Change Requests (CRs), which prepare the environment for the installation of the SAP agent, so that it can properly connect to your SAP systems.
13
+
14
+
> [!IMPORTANT]
15
+
> - This article presents a [**step-by-step guide**](#deploy-crs) to deploying the relevant CRs. It's recommended for SOC engineers or implementers who may not necessarily be SAP experts.
16
+
> - Experienced SAP administrators that are familiar with the CR deployment process may prefer to get the appropriate CRs directly from the [**SAP environment validation steps**](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#sap-environment-validation-steps) section of the guide and deploy them. Note that the *NPLK900271* CR deploys a sample role, and the administrator may prefer to manually define the role according to the information in the [**Required ABAP authorizations**](#required-abap-authorizations) section below.
17
+
18
+
## Required and optional CRs
19
+
20
+
This article discusses the installation of the following CRs:
21
+
22
+
|CR |Required/optional |Description |
23
+
|---------|---------|---------|
24
+
|NPLK900271 |Required |This CR creates and configures a role. Alternatively, you can can load the authorizations directly from a file. [Review how to create and configure a role](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#create-and-configure-a-role-required). |
25
+
|NPLK900201 or NPLK900202 |Optional |[Retrieves additional information from SAP](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#retrieve-additional-information-from-sap-optional). You select one of these CRs according to your SAP version. |
26
+
27
+
## Prerequisites
28
+
29
+
1. Make sure you've copied the details of the **SAP system version**, **System ID (SID)**, **System number**, **Client number**, **IP address**, **administrative username** and **password** before beginning the deployment process. For the following example, the following details are assumed:
30
+
31
+
-**SAP system version:**`SAP ABAP Platform 1909 Developer edition`
32
+
-**SID:**`A4H`
33
+
-**System number:**`00`
34
+
-**Client number:**`001`
35
+
-**IP address:**`192.168.136.4`
36
+
-**Administrator user:**`a4hadm`, however, the SSH connection to the SAP system is established with `root` user credentials.
37
+
1. Review the [SAP environment validation steps](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#sap-environment-validation-steps) to determine which CRs to install.
38
+
1. If you installed the NPLK900202 [optional CR](#required-and-optional-crs) used to retrieve additional information, make sure you've installed the [relevant SAP note](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#deploy-sap-note-optional).
13
39
14
40
## Deployment milestones
15
41
@@ -31,56 +57,41 @@ Track your SAP solution deployment journey through this series of articles:
31
57
-[Configure auditing](configure-audit.md)
32
58
-[Configure data connector to use SNC](configure-snc.md)
33
59
60
+
To deploy the CRs, follow the steps outlined below. The steps below may differ according to the version of the SAP system and should be considered for demonstration purposes only.
34
61
35
-
> [!IMPORTANT]
36
-
> - This article presents a [**step-by-step guide**](#deploy-change-requests) to deploying the required CRs. It's recommended for SOC engineers or implementers who may not necessarily be SAP experts.
37
-
> - Experienced SAP administrators that are familiar with CR deployment process may prefer to get the appropriate CRs directly from the [**SAP environment validation steps**](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#sap-environment-validation-steps) section of the guide and deploy them. Note that the *NPLK900271* CR deploys a sample role, and the administrator may prefer to manually define the role according to the information in the [**Required ABAP authorizations**](#required-abap-authorizations) section below.
62
+
## Deploy CRs
38
63
39
64
> [!NOTE]
40
65
>
41
66
> It is *strongly recommended* that the deployment of SAP CRs be carried out by an experienced SAP system administrator.
42
-
>
43
-
> The steps below may differ according to the version of the SAP system and should be considered for demonstration purposes only.
44
-
>
45
-
> Make sure you've copied the details of the **SAP system version**, **System ID (SID)**, **System number**, **Client number**, **IP address**, **administrative username** and **password** before beginning the deployment process.
46
-
>
47
-
> For the following example, the following details are assumed:
48
-
> -**SAP system version:**`SAP ABAP Platform 1909 Developer edition`
49
-
> -**SID:**`A4H`
50
-
> -**System number:**`00`
51
-
> -**Client number:**`001`
52
-
> -**IP address:**`192.168.136.4`
53
-
> -**Administrator user:**`a4hadm`, however, the SSH connection to the SAP system is established with `root` user credentials.
54
67
55
-
The deployment of the Microsoft Sentinel Solution for SAP requires the installation of several CRs. More details about the required CRs can be found in the [SAP environment validation steps](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#sap-environment-validation-steps) section of this guide.
68
+
### Set up the files
56
69
57
-
To deploy the CRs, follow the steps outlined below:
70
+
1. Sign in to the SAP system using SSH.
58
71
59
-
## Deploy change requests
72
+
1. Transfer the CR files to the SAP system. Learn more about [the CRs in this step](#required-and-optional-crs).
60
73
61
-
### Set up the files
74
+
Alternatively, you can download the files directly onto the SAP system from the SSH prompt. Use the following commands:
Alternatively, you can download the files directly onto the SAP system from the SSH prompt. Use the following commands:
67
-
- Download NPLK900202
82
+
Alternatively, you can [load these authorizations directly from a file](prerequisites-for-deploying-sap-continuous-threat-monitoring.md#create-and-configure-a-role-required).
Note that each CR consists of two files, one beginning with K and one with R.
86
97
@@ -132,11 +143,11 @@ To deploy the CRs, follow the steps outlined below:
132
143
133
144
1. In the **Add Transport Request** confirmation dialog, select**Yes**.
134
145
135
-
1. Repeat the procedure in the preceding 5 steps to add the remaining Change Requests to be deployed.
146
+
1. If you plan to deploy more CRs, repeat the procedure in the preceding 5 steps forthe remaining CRs.
136
147
137
148
1. In the **Import Queue** window, selectthe relevant Transport Request once, and thenselect**F9** or **Select/Deselect Request** icon.
138
149
139
-
1. To add the remaining Transport Requests to the deployment, repeat step 9.
150
+
1. If you have remaining Transport Requests to add to the deployment, repeat step 9.
140
151
141
152
1. Select the Import Requests icon:
142
153
@@ -158,15 +169,17 @@ To deploy the CRs, follow the steps outlined below:
158
169
159
170
:::image type="content" source="media/preparing-sap/import-history.png" alt-text="Screenshot of import history.":::
160
171
161
-
1. The *NPLK900202* change request is expected to display a **Warning**. Select the entry to verify that the warnings displayed are of type"Table \<tablename\> was activated."
172
+
1. If you deployed the *NPLK900202* CR, it is expected to display a **Warning**. Select the entry to verify that the warnings displayed are of type"Table \<tablename\> was activated."
173
+
174
+
The CRs and versions in the screenshots below may change according to your installed CR version.
162
175
163
176
:::image type="content" source="media/preparing-sap/import-status.png" alt-text="Screenshot of import status display." lightbox="media/preparing-sap/import-status-lightbox.png":::
164
177
165
178
:::image type="content" source="media/preparing-sap/import-warning.png" alt-text="Screenshot of import warning message display.":::
166
179
167
180
## Configure Sentinel role
168
181
169
-
After the *NPLK900271*change request is deployed, a **/MSFTSEN/SENTINEL_CONNECTOR** role is created in SAP. If the role is created manually, it may bear a different name.
182
+
After the *NPLK900271*CR is deployed, a **/MSFTSEN/SENTINEL_CONNECTOR** role is created in SAP. If the role is created manually, it may bear a different name.
170
183
171
184
In the examples shown here, we will use the role name **/MSFTSEN/SENTINEL_CONNECTOR**.
172
185
@@ -227,8 +240,8 @@ The following table lists the ABAP authorizations required to ensure that SAP lo
227
240
The required authorizations are listed here by log type. Only the authorizations listed for the types of logs you plan to ingest into Microsoft Sentinel are required.
228
241
229
242
> [!TIP]
230
-
> To create a role with all the required authorizations, deploy the SAP change request *NPLK900271* on the SAP system, or load the role authorizations from the [MSFTSEN_SENTINEL_CONNECTOR_ROLE_V0.0.27.SAP](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP/Sample%20Authorizations%20Role%20File) file. This change request creates the **/MSFTSEN/SENTINEL_CONNECTOR** role that has all the necessary permissions for the data connector to operate.
231
-
> Alternatively, you can create a role that has minimal permissions by deploying change request *NPLK900268*, or loading the role authorizations from the [MSFTSEN_SENTINEL_AGENT_BASIC_ROLE_V0.0.1.SAP](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP/Sample%20Authorizations%20Role%20File) file. This change request or authorizations file creates the **/MSFTSEN/SENTINEL_AGENT_BASIC** role. This role has the minimal required permissions for the data connector to operate. Note that if you choose to deploy this role, you might need to update it frequently.
243
+
> To create a role with all the required authorizations, deploy the SAP *NPLK900271* CR on the SAP system, or load the role authorizations from the [MSFTSEN_SENTINEL_CONNECTOR_ROLE_V0.0.27.SAP](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP/Sample%20Authorizations%20Role%20File) file. This CR creates the **/MSFTSEN/SENTINEL_CONNECTOR** role that has all the necessary permissions for the data connector to operate.
244
+
> Alternatively, you can create a role that has minimal permissions by deploying the *NPLK900268* CR, or loading the role authorizations from the [MSFTSEN_SENTINEL_AGENT_BASIC_ROLE_V0.0.1.SAP](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/SAP/Sample%20Authorizations%20Role%20File) file. This CR or authorizations file creates the **/MSFTSEN/SENTINEL_AGENT_BASIC** role. This role has the minimal required permissions for the data connector to operate. Note that if you choose to deploy this role, you might need to update it frequently.
0 commit comments