Creating a New User Role for Monitoring and Assigning it to a SAP User

Typically, to connect to a SAP ABAP instance and run tests, the eG agent requires the permissions of a SAP user who has been assigned the following authorization objects: S_BGRFC, S_RFC, S_RFC_ADM, S_RFCACL, S_TCODE, S_ADMI_FCD, S_RZL_ADM, S_TABU_DIS, S_TABU_NAM, S_USER_GRP, S_XMI_PROD, S_APPL_LOG, S_TOOLS_EX. Ideally, you can create a new user role on the SAP ABAP instance for this purpose, associate the above-mentioned authorization objects with that role, and assign the new role to an existing SAP user.

To achieve this, follow the steps below:

1. Login to the SAP ABAP instance as a SAP administrator.

2. Launch the SAP Easy Access console and type the transaction code, pfcg, in the area indicated by Figure 217 below:

   

   Figure 217 : Executing the PFCG transaction

3. Figure 218 will then appear. Create a new role by specifying a unique role name against Role in Figure 218. To create a single role with the given name, click on Single Role.

   

   Figure 218 : Creating a role

4. When Figure 219 appears, click on the Authorizations tab page. To propose a profile name, click on the button indicated by Figure 219, in the Information About Authorization Profile section.

   

   Figure 219 : Proposing profile name

5. Figure 220 will then appear, wherein the proposed profile name will be displayed.

   

   Figure 220 : Viewing the proposed profile name

6. Accept the proposed name and then click on the button indicated by Figure 221 below to change the authorization data.

   

   Figure 221 : Choosing to change the authorization data

7. To change the authorization data manually, click on Manually in Figure 222 that appears.

   

   Figure 222 : Clicking on the ‘Manually’ button

8. When Figure 223 appears, manually specify every authorization object – i.e., privilege – that you want to add to the new role.

   

   Figure 223 : Manually specifying the authorization objects for the role

   For the purpose of monitoring, the following authorization objects will have to be added to the new role:

   Auth. Object	Description	When do you need it?
   S_BGRFC	Authorization Object for NW bgRFC	Authorization check for bgRFC, in particular for Customizing transactions and monitors
   S_RFC	Authorization check for RFC access	Authorization check when using RFC to access program modules.
   S_RFC_ADM	Administration for RFC destination	Includes authorization checks for accessing individual administration functions
   S_RFCACL	Authorization Check for RFC User (e.g. Trusted System)	Used to execute various authorization check for RFC users. This is used for extra authorizations needed in certain S/4 HANA installations.
   S_TCODE	Transaction Code Check at Transaction Start	Transaction code permissions needed
   S_ADMI_FCD	System Authorizations	Used to display system trace settings
   S_TABU_DIS	Table maintenance	Used to check the authorization for displaying and maintaining table contents
   S_TABU_NAM	Table Access by Generic Standard Tools	It provides authorization for tables. This is used for extra authorizations needed in certain S/4 HANA installations.
   S_USER_GRP	User Master Maintenance: User Groups	Used to display user monitoring data
   S_XMI_PROD	Auth. For external management interfaces(XMI)	This authorization object is used to define which SAP ABAP user, acting on behalf of which external tool, may use which XMI interface.
   S_TOOLS_EX	Tools Performance Monitor	Tools Performance Monitor gives Access to special functions.(Authorization to display external statistics records in monitoring tools)
   S_RZL_ADM	System Administration	Is responsible for SAP ABAP System administration using the CCMS.
   S_APPL_LOG	Applications Log	Used for Gateway error log monitoring

9. Once the authorization objects are specified, click the button indicated by Figure 223 to save the specification. Figure 224 will then appear.

   

   Figure 224 : Generating the objects

10. Now, click the ‘+’ button that precedes the Cross-application Authorization Objects node in Figure 2.21 to reveal the Authorization Check for RFC Access sub-node. Expand that sub-node to view the Activity, Name of RFC to be protected, and the Type of RFC object to be protected fields. Configure these three fields with the values depicted by Figure 225. The table below indicates these values:

    Field	Value
    Activity	Execute
    Name of RFC to be protected	*
    Type of RFC object to be protected	Function Module

    

    Figure 225 : Configuring Cross-application authorization objects

11. Next, expand the Basis Administration node by clicking the ‘+’ button that precedes it. This will reveal the following sub-nodes:

    • CCMS: System Administration
    • Table Maintenance
    • Tools Performance Monitor
    • Authorization for External Interfaces

12. Expanding each of these sub-nodes will reveal the fields that you will have to configure for each sub-node. These fields and the values that you need to provide have been clearly indicated in Figure 226.

    

    Figure 226 : Configuring the Basis administration objects

    You can also refer to the table below to understand what value to configure for which field under which sub-node.

    Sub-node	Field	Value
    CCMS: System Administration	Activity	Display
    Table Maintenance	Activity	Display
    	Table Authorization Group	*
    Tools Performance Monitor	Authorization name in user mas	*
    Authorization for External Management Interfaces	XMI logging: company name	eGInnovations
    	XMI logging: Program name	eG
    	Interface ID	XAL, XBP

13. Then, click on the button indicated by Figure 224 to generate the objects. With that, the new role is generated.
14. Now, proceed to assign the new role to an existing SAP user. For this, type su01 as the transaction code in the area indicated by Figure 227.

    

    Figure 227 : Executing the SU01 transaction

15. This will invoke Figure 228. Click on the button indicated by Figure 228 to select the SAP user to whom you want to assign the new role.

    

    Figure 228 : Selecting the user whose profile is to be edited

16. Once that user’s profile opens, click on the Logon Data tab page and set the User Type as Communication Data (see Figure 229).

    Note:

    For monitoring purposes, the recommended user type is Communication Data. However, you can also set the user type to System or Dialog, if required.

    

    Figure 229 : Setting the user type as Communication Data

17. Next, click the Roles tab page in Figure 229.

    

    Figure 230 : Clicking the Roles tab page

18. When Figure 231 appears, first, click on the Role column in the first row of the Role Assignments table therein. The button indicated by Figure 231 will then appear. Click on this button to select the new role. This will automatically populate the first row of the Role Assignments table with the details of the new role, thus indicating that the new role has been assigned to the SAP user. 

    

    Figure 231 : Assigning the role to a user

19. Finally, save the user specification.
20. Once the pre-requisites are fulfilled and the tests are duly configured, the eG agent will be able to pull a wealth of information from the SAP ABAP instance. The metrics so collected enable SAP administrators to find answers to queries that have for long hounded SAP ABAP administrators:

SAP Service Monitoring	Is the SAP service working well? What are the response times? Is any step slowing down the entire service interaction? Are the critical application processes running? What is their resource usage?
Network & System Monitoring	How is the network performance impacting the overall service performance? Are the servers properly sized in terms of CPU, memory, disk activity, etc.? Are there any critical alerts in the system event logs?
Web Application Server Monitoring	How many sessions are currently being handled by the SAP web/application server, and are there sufficient processes configured to handle the load? Is the workload properly balanced across SAP web application server instances? What is the processing time of critical transactions on the server? Were there any errors while connecting to the SAP ABAP server? Is the application server’s memory adequately sized? Is the free memory too low?
SAP ABAP Instance Monitoring	Are the buffers of the SAP ABAP instance sized appropriately? Are there unusually high swap ins/outs? How many requests are queued waiting for free worker processes or data locks? What jobs are executing on the server ? Is the server adequately configured to handle the load? What time of day/day of week is the server activity at its peak and what jobs are executing then? Are there sufficient dialog processes configured to handle incoming user requests? Are there any ABAP dumps happening, indicating errors in the SAP ABAP system?
SAP ABAP Instance Database Monitoring	Is the SAP ABAP database accessible? How are the critical cache hit ratios of the database server? Are any of the database tablespaces reaching capacity?
Monitoring SAP ABAP Instance Alerts	How many alerts have been raised on the SAP ABAP instance? Are too many alerts active? Have too many red and yellow alerts been raised on the SAP ABAP instance? Have any alerts auto-completed?
Monitoring Performance Attributes of the SAP ABAP Instance	How many performance attributes are available for each of the configured monitors? Does any monitor have too many red and yellow performance attributes? If so, which monitor is this? Which monitor has inactive performance attributes?