Creating a New User Role for Monitoring and Assigning it to a SAP User

Typically, to connect to a SAP ABAP instance and run tests, the eG agent requires the permissions of a SAP user who has been assigned the following authorization objects: S_RFC, S_RFC_ADM, S_BGRFC, S_RFCACL, S_TCODE, S_ADMI_FCD, S_TABU_DIS, S_XMI_PROD, S_TOOLS_EX, S_RZL_ADM, S_USER_GRP, S_APPL_LOG. Ideally, you can create a new user role on the SAP ABAP instance for this purpose, associate the above-mentioned authorization objects with that role, and assign the new role to an existing SAP user.

To achieve this, follow the steps below:

  1. Log in to the SAP ABAP instance as a SAP administrator.
  2. Launch the SAP Easy Access console and type the transaction code, pfcg, in the area indicated by Figure 1 below:

    Figure 1 : Executing the PFCG transaction

  3. Figure 2 will then appear. Create a new role by specifying a unique role name against Role in Figure 2. To create a single role with the given name, click on Single Role.

    Figure 2 : Creating a role

  4. When Figure 3 appears, click on the Authorizations tab page. To propose a profile name, click on the button indicated by Figure 3, in the Information About Authorization Profile section.

    Figure 3 : Proposing profile name

  5. Figure 4 will then appear, wherein the proposed profile name will be displayed.

    Figure 4 : Viewing the proposed profile name

  6. Accept the proposed name and then click on the button indicated by Figure 5 below to change the authorization data.

    Figure 5 : Choosing to change the authorization data

  7. To change the authorization data manually, click on Manually in Figure 6 that appears.

    Figure 6 : Clicking on the ‘Manually’ button

  8. When Figure 7 appears, manually specify every authorization object – i.e., privilege – that you want to add to the new role.

    Figure 7 : Manually specifying the authorization objects for the role

    For the purpose of monitoring, the following authorization objects should be added to the new role:

    | Auth. Object | Description | When do you need it? |
    |---|---|---|
    | S_RFC | Authorization check for RFC access | Authorization check when using RFC to access program modules. |
    | S_RFC_ADM | Administration for RFC destination | Responsible for monitoring the availability of RFC destinations. |
    | S_TABU_DIS | Table maintenance | Used to check the authorization for displaying and maintaining table contents. |
    | S_XMI_PROD | Auth. for external management interfaces (XMI) | This authorization object is used to define which SAP ABAP user, acting on behalf of which external tool, may use which XMI interface. |
    | S_TOOLS_EX | Tools Performance Monitor | Tools Performance Monitor gives access to special functions (authorization to display external statistics records in monitoring tools). |
    | S_RZL_ADM | System Administration | Responsible for SAP ABAP system administration using the CCMS. |
    | S_BGRFC | Authorization Object for NW bgRFC | Required for bgRFC monitoring. |
    | S_RFCACL | Authorization Check for RFC User (e.g. Trusted System) | Used to execute various authorization checks for RFC users. This additional authorization is mainly needed in certain S/4 HANA installations. |
    | S_TCODE | Transaction Code Check at Transaction Start | Required for accessing transaction codes. |
    | S_ADMI_FCD | System Authorizations | Required to display system trace settings. |
    | S_TABU_NAM | Table Access by Generic Standard Tools | Used to check the authorization for displaying and maintaining table contents. This additional authorization is mainly needed in certain S/4 HANA installations. |
    | S_USER_GRP | User Master Maintenance: User Groups | Required to display user monitoring data. |
    | S_APPL_LOG | Applications Log | Responsible for Gateway Error Log monitoring. |

  9. Once the authorization objects are specified, click the button indicated by Figure 7 to save the specification. Figure 8 will then appear.

    Figure 8 : Generating the objects

  10. Now, click the ‘+’ button that precedes the Cross-application Authorization Objects node in Figure 8. This will reveal all the authorization objects that need to be configured for monitoring. Expand each sub-node to configure the corresponding fields and values as mentioned in the table below:

    | Sub-node | Field | Value |
    |---|---|---|
    | Authorization Object for NW bgRFC | ACTVT | Display |
    | | Name of Destination in Inbound Case | * |
    | | Name of Destination in Outbound Case | * |
    | | Entity Type for Authorization Chec | Select All Activities |
    | Authorization check for RFC access | Activity | Execute |
    | | Name of RFC to be protected | * |
    | | Type of RFC to be protected | Function Module |
    | Administration for RFC destination | Activity | Display, Extended Maintenance |
    | | Internet Communication Framework Values | * |
    | | Logical destination (specified in function call) | * |
    | | Type of Entry in RFCDES | Select All Values |
    | Authorization Check for RFC User (e.g. Trusted System) | Activity | Execute |
    | | RFC client or domain | Client number or * |
    | | RFC same user ID | All values |
    | | RFC information | * |
    | | System ID (for SAP and External System) | SID of the system or * |
    | | RFC transaction code | * |
    | | RFC User (SAP or External) | SAP User name or * |
    | Transaction Code Check at Transaction Start | Transaction Code | /IWBEP/ERROR_LOG, /IWBEP/TRACES, /IWFND/ERROR_LOG, /IWFND/TRACES, SM04, SM50, SM51 |

  11. Next, expand the Basis Administration node by clicking the ‘+’ button that precedes it. Expanding each of these sub-nodes will reveal the fields that you will have to configure for each sub-node. Refer to the table below to understand what value to configure for which field under which sub-node.

    | Sub-node | Field | Value |
    |---|---|---|
    | System Authorizations | System administration function | Select ST0M |
    | CCMS: System Administration | Activity | Display |
    | Table Maintenance | Activity | Display |
    | | Table Authorization Group | * |
    | Tools Performance Monitor | Authorization name in user master maintenance | * |
    | Authorization for External Management Interfaces | XMI logging: company name | eGInnovations |
    | | XMI logging: Program name | eG |
    | | Interface ID | XAL, XBP |
    | Table Access by Generic Standard Tools | Activity | Display |
    | | Table Name | * |
    | User Master Maintenance: User Groups | Activity | Display |
    | | User group in user master main | * |

  12. Next, expand the Basis - Central Functions node by clicking the ‘+’ button that precedes it. Expanding the sub-node will reveal the fields that you will have to configure for it. Refer to the table below to understand what value to configure for which field under the sub-node.

    | Sub-node | Field | Value |
    |---|---|---|
    | Applications Log | Activity | Display |
    | | Application log: Object name (Application code) | * |
    | | Application Log: Subobject | * |

    Figure 9 : The list of authorization objects

  13. Then, click on the button indicated by Figure 8 to generate the objects. With that, the new role is generated.
  14. Now, proceed to assign the new role to an existing SAP user. For this, type su01 as the transaction code in the area indicated by Figure 10.

    Figure 10 : Executing the SU01 transaction

  15. This will invoke Figure 11. Click on the button indicated by Figure 11 to select the SAP user to whom you want to assign the new role.

    Figure 11 : Selecting the user whose profile is to be edited

  16. Once that user’s profile opens, click on the Logon Data tab page and set the User Type as Communication Data (see Figure 12).

    Note:

    For monitoring purposes, the recommended user type is Communication Data. However, you can also set the user type to System or Dialog, if required.

    Figure 12 : Setting the user type as Communication Data

  17. Next, click the Roles tab page in Figure 12.

    Figure 13 : Clicking the Roles tab page

  18. When Figure 14 appears, first, click on the Role column in the first row of the Role Assignments table therein. The button indicated by Figure 14 will then appear. Click on this button to select the new role. This will automatically populate the first row of the Role Assignments table with the details of the new role, thus indicating that the new role has been assigned to the SAP user. 

    Figure 14 : Assigning the role to a user

  19. Finally, save the user specification.
Once the prerequisites are fulfilled and the tests are duly configured, the eG agent will be able to pull a wealth of information from the SAP ABAP instance. The metrics so collected enable SAP ABAP administrators to find answers to questions that have long troubled them:

SAP Service Monitoring

  • Is the SAP service working well? What are the response times? Is any step slowing down the entire service interaction?
  • Are the critical application processes running? What is their resource usage?

Network & System Monitoring

  • How is the network performance impacting the overall service performance?
  • Are the servers properly sized in terms of CPU, memory, disk activity, etc.?
  • Are there any critical alerts in the system event logs?

Web Application Server Monitoring

  • How many sessions are currently being handled by the SAP web/application server, and are there sufficient processes configured to handle the load?
  • Is the workload properly balanced across SAP web application server instances?
  • What is the processing time of critical transactions on the server?
  • Were there any errors while connecting to the SAP ABAP server?
  • Is the application server’s memory adequately sized? Is the free memory too low?

SAP ABAP Instance Monitoring

  • Are the buffers of the SAP ABAP instance sized appropriately? Are there unusually high swap ins/outs?
  • How many requests are queued waiting for free worker processes or data locks?
  • What jobs are executing on the server? Is the server adequately configured to handle the load?
  • What time of day/day of week is the server activity at its peak and what jobs are executing then?
  • Are there sufficient dialog processes configured to handle incoming user requests?
  • Are there any ABAP dumps happening, indicating errors in the SAP ABAP system?

SAP ABAP Instance Database Monitoring

  • Is the SAP ABAP database accessible? How are the critical cache hit ratios of the database server?
  • Are any of the database tablespaces reaching capacity?

Monitoring SAP ABAP Instance Alerts

  • How many alerts have been raised on the SAP ABAP instance? Are too many alerts active?
  • Have too many red and yellow alerts been raised on the SAP ABAP instance?
  • Have any alerts auto-completed?

Monitoring Performance Attributes of the SAP ABAP Instance

  • How many performance attributes are available for each of the configured monitors?
  • Does any monitor have too many red and yellow performance attributes? If so, which monitor is this?
  • Which monitor has inactive performance attributes?

This document will discuss the top 7 layers of the layer model, as all the other layers have been discussed in the Monitoring Unix and Windows Servers document.
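
The field values configured in steps 10 to 12 can be checked for drift after the role has been generated. The following is an added example, not part of the original document and not eG or SAP tooling: it compares a role listing against the values given in the tables above and reports grants that are broader or narrower than documented. The "sub-node | field | values" listing layout, the sample rows and the function name audit_role are assumptions made for illustration.

```python
RFCACL = "Authorization Check for RFC User (e.g. Trusted System)"
XMI = "Authorization for External Management Interfaces"
# Baseline transcribed from the tables in steps 10-12: (sub-node, field) -> values.
BASELINE = {
    ("Authorization Object for NW bgRFC", "ACTVT"): {"Display"},
    ("Authorization check for RFC access", "Activity"): {"Execute"},
    ("Administration for RFC destination", "Activity"): {"Display", "Extended Maintenance"},
    ("CCMS: System Administration", "Activity"): {"Display"},
    ("Table Maintenance", "Activity"): {"Display"},
    ("Table Access by Generic Standard Tools", "Activity"): {"Display"},
    ("User Master Maintenance: User Groups", "Activity"): {"Display"},
    ("Applications Log", "Activity"): {"Display"},
    ("System Authorizations", "System administration function"): {"ST0M"},
    (XMI, "Interface ID"): {"XAL", "XBP"},
}
# Fields where the table offers a specific value as an alternative to "*".
NARROWABLE = {(RFCACL, f) for f in (
    "RFC client or domain", "System ID (for SAP and External System)",
    "RFC User (SAP or External)")}

def audit_role(listing):
    """Return sorted (kind, sub-node, field, detail) findings for a role listing."""
    granted = {}
    for line in listing.strip().splitlines():
        node, field, values = (part.strip() for part in line.split("|"))
        granted.setdefault((node, field), set()).update(
            v.strip() for v in values.split(",") if v.strip())
    findings = []
    for key, allowed in BASELINE.items():
        have = granted.get(key, set())
        extra, missing = have - allowed, allowed - have
        if extra:  # broader than the documented monitoring role
            findings.append(("EXCESS", *key, ", ".join(sorted(extra))))
        if missing and "*" not in have:  # narrower than the documented role
            findings.append(("MISSING", *key, ", ".join(sorted(missing))))
    for key in sorted(NARROWABLE):
        if "*" in granted.get(key, set()):
            findings.append(("NARROW", *key, "wildcard; a specific value is allowed"))
    return sorted(findings)

# Constructed partial listing in an assumed "sub-node | field | values" layout.
SAMPLE = """
Table Maintenance | Activity | Display, Change
CCMS: System Administration | Activity | Display
Authorization Check for RFC User (e.g. Trusted System) | RFC client or domain | *
Authorization for External Management Interfaces | Interface ID | XAL
"""

if __name__ == "__main__":
    for finding in audit_role(SAMPLE):
        print(" | ".join(finding))
```

Sub-nodes absent from the listing are reported as MISSING, so a complete listing of the generated role yields only the genuine deviations.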