What Changed
The SAP Reader role (MSFTSEN_SENTINEL_READER) was enhanced by significantly reducing required permissions for the agentless connector, streamlining from 137 authorization entries to 52 entries.
Security Impact (Visibility & Fidelity)
This is a positive security improvement implementing least-privilege access principles. The agentless connector now requires fewer SAP authorizations while maintaining the same monitoring and threat detection capabilities.
Key improvements:
- Reduced attack surface: Fewer RFC function calls and authorization objects required
- Simplified deployment: Easier approval process for SAP administrators due to minimal permission requirements
- Maintained coverage: Full audit log ingestion and security monitoring capabilities preserved
SOC teams continue to receive the same SAP audit data for threat hunting and incident response. The change only affects the connector’s authentication footprint within the SAP environment, not the data visibility in Sentinel.
Affected Files
Solutions/SAP/Sample Authorizations Role File/MSFTSEN_SENTINEL_READER.SAP
Tools/Solutions Analyzer/solutions_connectors_tables_issues_and_exceptions_report.csv