Creating a New User Role for Monitoring and Assigning it to a SAP User
Typically, to connect to a SAP ABAP instance and run tests, the eG agent requires the permissions of a SAP user who has been assigned the following authorization objects: S_BGRFC, S_RFC, S_RFC_ADM, S_RFCACL, S_TCODE, S_ADMI_FCD, S_RZL_ADM, S_TABU_DIS, S_TABU_NAM, S_USER_GRP, S_XMI_PROD, S_APPL_LOG, S_TOOLS_EX. Ideally, you can create a new user role on the SAP ABAP instance for this purpose, associate the above-mentioned authorization objects with that role, and assign the new role to an existing SAP user.
To achieve this, follow the steps below:
- Log in to the SAP ABAP instance as a SAP administrator.
- Launch the SAP Easy Access console and type the transaction code, pfcg, in the area indicated by Figure 217 below:
- Figure 218 will then appear. Create a new role by specifying a unique role name against Role in Figure 218. To create a single role with the given name, click on Single Role.
- When Figure 219 appears, click on the Authorizations tab page. To propose a profile name, click on the button indicated by Figure 219, in the Information About Authorization Profile section.
- Figure 220 will then appear, wherein the proposed profile name will be displayed.
- Accept the proposed name and then click on the button indicated by Figure 221 below to change the authorization data.
- To change the authorization data manually, click on Manually in Figure 222 that appears.
- When Figure 223 appears, manually specify every authorization object – i.e., privilege – that you want to add to the new role.
Figure 223 : Manually specifying the authorization objects for the role
For the purpose of monitoring, the following authorization objects will have to be added to the new role:
| Auth. Object | Description | When do you need it? |
|---|---|---|
| S_BGRFC | Authorization Object for NW bgRFC | Authorization check for bgRFC, in particular for Customizing transactions and monitors |
| S_RFC | Authorization check for RFC access | Authorization check when using RFC to access program modules. |
| S_RFC_ADM | Administration for RFC destination | Includes authorization checks for accessing individual administration functions |
| S_RFCACL | Authorization Check for RFC User (e.g. Trusted System) | Used to execute various authorization checks for RFC users. This is used for extra authorizations needed in certain S/4 HANA installations. |
| S_TCODE | Transaction Code Check at Transaction Start | Transaction code permissions needed |
| S_ADMI_FCD | System Authorizations | Used to display system trace settings |
| S_TABU_DIS | Table maintenance | Used to check the authorization for displaying and maintaining table contents |
| S_TABU_NAM | Table Access by Generic Standard Tools | It provides authorization for tables. This is used for extra authorizations needed in certain S/4 HANA installations. |
| S_USER_GRP | User Master Maintenance: User Groups | Used to display user monitoring data |
| S_XMI_PROD | Auth. for external management interfaces (XMI) | This authorization object is used to define which SAP ABAP user, acting on behalf of which external tool, may use which XMI interface. |
| S_TOOLS_EX | Tools Performance Monitor | Tools Performance Monitor gives access to special functions (authorization to display external statistics records in monitoring tools). |
| S_RZL_ADM | System Administration | Is responsible for SAP ABAP System administration using the CCMS. |
| S_APPL_LOG | Applications Log | Used for Gateway error log monitoring |
- Once the authorization objects are specified, click the button indicated by Figure 223 to save the specification. Figure 224 will then appear.
- Now, click the ‘+’ button that precedes the Cross-application Authorization Objects node in Figure 2.21 to reveal the Authorization Check for RFC Access sub-node. Expand that sub-node to view the Activity, Name of RFC to be protected, and the Type of RFC object to be protected fields. Configure these three fields with the values depicted by Figure 225. The table below indicates these values:
| Field | Value |
|---|---|
| Activity | Execute |
| Name of RFC to be protected | * |
| Type of RFC object to be protected | Function Module |
Figure 225 : Configuring Cross-application authorization objects
- Next, expand the Basis Administration node by clicking the ‘+’ button that precedes it. This will reveal the following sub-nodes:
  - CCMS: System Administration
  - Table Maintenance
  - Tools Performance Monitor
  - Authorization for External Interfaces
- Expanding each of these sub-nodes will reveal the fields that you will have to configure for each sub-node. These fields and the values that you need to provide have been clearly indicated in Figure 226.
Figure 226 : Configuring the Basis administration objects
You can also refer to the table below to understand what value to configure for which field under which sub-node.
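| Sub-node | Field | Value |
|---|---|---|
| CCMS: System Administration | Activity | Display |
| Table Maintenance | Activity | Display |
| Table Maintenance | Table Authorization Group | * |
| Tools Performance Monitor | Authorization name in user mas | * |
| Authorization for External Management Interfaces | XMI logging: company name | eGInnovations |
| Authorization for External Management Interfaces | XMI logging: Program name | eG |
| Authorization for External Management Interfaces | Interface ID | XAL, XBP |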
- Then, click on the button indicated by Figure 224 to generate the objects. With that, the new role is generated.
- Now, proceed to assign the new role to an existing SAP user. For this, type su01 as the transaction code in the area indicated by Figure 227.
- This will invoke Figure 228. Click on the button indicated by Figure 228 to select the SAP user to whom you want to assign the new role.
Figure 228 : Selecting the user whose profile is to be edited
- Once that user’s profile opens, click on the Logon Data tab page and set the User Type as Communication Data (see Figure 229).
Note:
For monitoring purposes, the recommended user type is Communication Data. However, you can also set the user type to System or Dialog, if required.
- Next, click the Roles tab page in Figure 229.
Figure 230 : Clicking the Roles tab page
- When Figure 231 appears, first, click on the Role column in the first row of the Role Assignments table therein. The button indicated by Figure 231 will then appear. Click on this button to select the new role. This will automatically populate the first row of the Role Assignments table with the details of the new role, thus indicating that the new role has been assigned to the SAP user.
- Finally, save the user specification.
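
Once the role is saved, its authorization values can be compared with the object list and field tables above, so that a missing object or a grant broader than Display/Execute is caught before the user goes into service. The following is an added example, not eG or SAP code. It assumes a CSV export with OBJECT, FIELD and LOW columns (hypothetical layout) and the technical field names and codes shown in the comments, none of which appear on this page.

```python
import csv
import io

# The 13 authorization objects the page lists for the monitoring role.
REQUIRED = set("S_BGRFC S_RFC S_RFC_ADM S_RFCACL S_TCODE S_ADMI_FCD S_RZL_ADM "
               "S_TABU_DIS S_TABU_NAM S_USER_GRP S_XMI_PROD S_APPL_LOG S_TOOLS_EX".split())

# Values from the page's two field tables, keyed by (object, technical field).
# Assumed technical names/codes: ACTVT 03 = Display, 16 = Execute, FUNC = Function Module.
EXPECTED = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_NAME"): {"*"},
    ("S_RFC", "RFC_TYPE"): {"FUNC"},
    ("S_RZL_ADM", "ACTVT"): {"03"},
    ("S_TABU_DIS", "ACTVT"): {"03"},
    ("S_TABU_DIS", "DICBERCLS"): {"*"},
    ("S_TOOLS_EX", "AUTH"): {"*"},
    ("S_XMI_PROD", "EXTCOMPANY"): {"eGInnovations"},
    ("S_XMI_PROD", "EXTPRODUCT"): {"eG"},
    ("S_XMI_PROD", "INTERFACE"): {"XAL", "XBP"},
}

def audit_role(export_csv):
    """Compare a role export (OBJECT,FIELD,LOW columns) with the page's specification."""
    actual = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        actual.setdefault((row["OBJECT"], row["FIELD"]), set()).add(row["LOW"].strip())
    missing = sorted(REQUIRED - {obj for obj, _ in actual})
    drift = []  # (object, field, values beyond the page, page values not granted)
    for key, want in sorted(EXPECTED.items()):
        got = actual.get(key, set())
        if got != want:
            drift.append((*key, sorted(got - want), sorted(want - got)))
    wildcards = sorted(key for key, vals in actual.items() if "*" in vals)
    return {"missing": missing, "drift": drift, "wildcards": wildcards}

def constructed_export():
    """Constructed sample: page values, plus Change (02) on S_TABU_DIS, minus S_APPL_LOG."""
    rows = [(o, f, v) for (o, f), vals in sorted(EXPECTED.items()) for v in sorted(vals)]
    rows.append(("S_TABU_DIS", "ACTVT", "02"))
    # The page gives no field values for the other objects, so these are placeholders.
    rest = REQUIRED - {o for o, _ in EXPECTED} - {"S_APPL_LOG"}
    rows += [(o, "FIELD_PLACEHOLDER", "VALUE_PLACEHOLDER") for o in sorted(rest)]
    return "OBJECT,FIELD,LOW\n" + "".join(",".join(r) + "\n" for r in rows)

if __name__ == "__main__":
    for name, findings in audit_role(constructed_export()).items():
        print(name, findings)
```

The `wildcards` entry lists every field granted `*`, which for a role built exactly as described is the RFC name, the table authorization group and the Tools Performance Monitor authorization name.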
Once the pre-requisites are fulfilled and the tests are duly configured, the eG agent will be able to pull a wealth of information from the SAP ABAP instance. The metrics so collected enable SAP administrators to find answers to queries that have for long hounded SAP ABAP administrators:
- SAP Service Monitoring
- Network & System Monitoring
- Web Application Server Monitoring
- SAP ABAP Instance Monitoring
- SAP ABAP Instance Database Monitoring
- Monitoring SAP ABAP Instance Alerts
- Monitoring Performance Attributes of the SAP ABAP Instance