SAP ASE

This section describes the steps for configuring a datasource connector for SAP ASE (SAP Adaptive Server Enterprise) database in Forcepoint DSPM.

The SAP ASE connector enables Forcepoint DSPM to discover, classify, and monitor sensitive data stored in SAP ASE databases. The configuration follows the same workflow as other structured database connectors — creating credentials and setting up a scan configuration.

Prerequisites

  • Before configuring the connector, ensure the SAP ASE JDBC driver is installed on the connector host. Refer to Installing the SAP ASE JDBC Driver.
  • The datasource must be reachable from the network where the product is deployed (for example, via a private IP address or a routable hostname).
  • If a firewall is in place, ensure the required port is open. The default SAP ASE port is 5000.
  • Create a user account with the required grants or access to the datasource metadata for the product to run the scanning process, refer to Minimum Permissions Required for DSPM Scanning.

SAP ASE — Minimum Permissions Required for DSPM Scanning

Before configuring the SAP ASE connector in DSPM, a dedicated scanning account must be created on the SAP ASE server with the appropriate permissions. The level of access required depends on which scan types you intend to run.

Step 1: Create the scanning account

On the SAP ASE server, run the following as sa or a user with sso_role:

USE master
GO
EXEC sp_addlogin 'dspm_scan_user', 'YourPassword', 'your_database'
GO
EXEC sp_adduser 'dspm_scan_user', 'dspm_scan_user'
GO

Replace your_database with the name of the database you want to scan.

Step 2: Grant permissions for Data Scan

The scanning account needs SELECT permission on the target database:

USE your_database
GO
EXEC sp_adduser 'dspm_scan_user', 'dspm_scan_user'
GO
GRANT SELECT TO dspm_scan_user
GO

This is sufficient to run a data scan and classify sensitive content in tables and views.

Step 3: Grant additional permissions for Trustee Scan

The trustee scan retrieves user accounts, group memberships, and role assignments from the SAP ASE server. This requires the scanning account to read from system tables in the master database. Without these grants, the scanning account will not have sufficient access to read the required data and the trustee scan will not return the expected results.

Run the following in addition to the grants above:

USE master
GO
-- Allow the scanning account to access master
EXEC sp_adduser 'dspm_scan_user', 'dspm_scan_user'
GO
-- Required to read login status (enabled/active state)
GRANT SELECT ON syslogins TO dspm_scan_user
GO
-- Required to resolve server-level role assignments
GRANT SELECT ON sysloginroles(suid, srid) TO dspm_scan_user
GO
GRANT SELECT ON syssrvroles(srid, name) TO dspm_scan_user
GO

Installing the SAP ASE JDBC Driver

The SAP ASE connector requires the jconn42.jar JDBC driver to be available on the connector host before any connection or scan can be performed. This driver is published under SAP's commercial license and is not included in the DSPM container image. You must obtain and place the driver manually.

If this step is skipped, attempting to test or scan an SAP ASE connection will result in an error.

Prerequisites

  • The jconn42.jar file, obtained through your SAP licensing channel.
  • Filesystem write access to /opt/dspm/drivers/ on the connector host.
  • kubectl access to the namespace where the connector-structured-data deployment runs.
  • Permission to restart pods in that namespace.

Installation Steps

  1. Copy jconn42.jar to /opt/dspm/drivers/ on the connector host. The exact filename is required — the connector looks for jconn42.jar by name.
  2. Restart the connector pod to load the driver. The JVM scans its classpath only at startup, so a restart is required after placing the file. Run the following command to trigger a rolling restart:
    kubectl rollout restart deployment/connector-structured-data
    Wait for the rollout to complete (typically 60–120 seconds):
    kubectl rollout status deployment/connector-structured-data --timeout=300s
  3. Verify the driver is loaded by confirming the new pods are running and the driver file is present inside the pod.
  4. Validate the installation via the DSPM UI by navigating to Administration > Data Sources, selecting SAP ASE, and testing a connection. A successful connection confirms the driver is correctly installed.

Upgrading the Driver

To replace an existing driver with a newer version, overwrite the file in place and restart the connector deployment. A restart is required even for an in-place file replacement.

Multi-node Clusters

In a multi-node Kubernetes cluster, jconn42.jar must be placed on every node that could host the connector pod, not just one. On a single-node deployment, a single copy of the file is sufficient.

Note: Only SAP ASE scans are paused during the connector pod restart. Other connector types are not affected.