Creating a New User Role for Monitoring and Assigning it to a SAP User

Typically, to connect to a SAP ABAP instance and run tests, the eG agent requires the permissions of a SAP user who has been assigned the following authorization objects: S_BGRFC, S_RFC, S_RFC_ADM, S_RFCACL, S_TCODE, S_ADMI_FCD, S_RZL_ADM, S_TABU_DIS, S_TABU_NAM, S_USER_GRP, S_XMI_PROD, S_APPL_LOG, S_TOOLS_EX. Ideally, you can create a new user role on the SAP ABAP instance for this purpose, associate the above-mentioned authorization objects with that role, and assign the new role to an existing SAP user.

To achieve this, follow the steps below:

  1. Login to the SAP ABAP instance as a SAP administrator.

  2. Launch the SAP Easy Access console and type the transaction code, pfcg, in the area indicated by Figure 179 below:

    Figure 179 : Executing the PFCG transaction

  3. Figure 180 will then appear. Create a new role by specifying a unique role name against Role in Figure 180. To create a single role with the given name, click on Single Role.

    Figure 180 : Creating a role

  4. When Figure 181 appears, click on the Authorizations tab page. To propose a profile name, click on the button indicated by Figure 181, in the Information About Authorization Profile section.

    Figure 181 : Proposing profile name

  5. Figure 182 will then appear, wherein the proposed profile name will be displayed.

    Figure 182 : Viewing the proposed profile name

  6. Accept the proposed name and then click on the button indicated by Figure 183 below to change the authorization data.

    Figure 183 : Choosing to change the authorization data

  7. To change the authorization data manually, click on Manually in Figure 184 that appears.

    Figure 184 : Clicking on the ‘Manually’ button

  8. When Figure 185 appears, manually specify every authorization object – i.e., privilege – that you want to add to the new role.

    Figure 185 : Manually specifying the authorization objects for the role

    For the purpose of monitoring, the following authorization objects will have to be added to the new role:

    Auth. Object Description When do you need it?

    S_BGRFC

    Authorization Object for NW bgRFC

    Authorization check for bgRFC, in particular for Customizing transactions and monitors

    S_RFC

    Authorization check for RFC access

    Authorization check when using RFC to access program modules.

    S_RFC_ADM

    Administration for RFC destination

    Includes authorization checks for accessing individual administration functions

    S_RFCACL

    Authorization Check for RFC User (e.g. Trusted System)

    Used to execute various authorization check for RFC users. This is used for extra authorizations needed in certain S/4 HANA installations.

    S_TCODE

    Transaction Code Check at Transaction Start

    Transaction code permissions needed

    S_ADMI_FCD

    System Authorizations

    Used to display system trace settings

    S_TABU_DIS

    Table maintenance

    Used to check the authorization for displaying and maintaining table contents

    S_TABU_NAM

    Table Access by Generic Standard Tools

    It provides authorization for tables. This is used for extra authorizations needed in certain S/4 HANA installations.

    S_USER_GRP

    User Master Maintenance: User Groups

    Used to display user monitoring data

    S_XMI_PROD

    Auth. For external management interfaces(XMI)

    This authorization object is used to define which SAP ABAP user, acting on behalf of which external tool, may use which XMI interface.

    S_TOOLS_EX

    Tools Performance Monitor

    Tools Performance Monitor gives Access to special functions.(Authorization to display external statistics records in monitoring tools)

    S_RZL_ADM

    System Administration

    Is responsible for SAP ABAP System administration using the CCMS.

    S_APPL_LOG

    Applications Log

    Used for Gateway error log monitoring

  9. Once the authorization objects are specified, click the button indicated by Figure 185 to save the specification. Figure 186 will then appear.

    Figure 186 : Generating the objects

  10. Now, click the ‘+’ button that precedes the Cross-application Authorization Objects node in Figure 2.21 to reveal the Authorization Check for RFC Access sub-node. Expand that sub-node to view the Activity, Name of RFC to be protected, and the Type of RFC object to be protected fields. Configure these three fields with the values depicted by Figure 187. The table below indicates these values:

    Field Value

    Activity

    Execute

    Name of RFC to be protected

    *

    Type of RFC object to be protected

    Function Module

    Figure 187 : Configuring Cross-application authorization objects

  11. Next, expand the Basis Administration node by clicking the ‘+’ button that precedes it. This will reveal the following sub-nodes:

    • CCMS: System Administration
    • Table Maintenance
    • Tools Performance Monitor
    • Authorization for External Interfaces

  12. Expanding each of these sub-nodes will reveal the fields that you will have to configure for each sub-node. These fields and the values that you need to provide have been clearly indicated in Figure 188.

    Figure 188 : Configuring the Basis administration objects

    You can also refer to the table below to understand what value to configure for which field under which sub-node.

    Sub-node Field Value

    CCMS: System Administration

    Activity

    Display

    Table Maintenance

    Activity

    Display

    Table Authorization Group

    *

    Tools Performance Monitor

    Authorization name in user mas

    *

    Authorization for External Management Interfaces

    XMI logging: company name

    eGInnovations

    XMI logging: Program name

    eG

    Interface ID

    XAL, XBP
  13. Then, click on the button indicated by Figure 186 to generate the objects. With that, the new role is generated.
  14. Now, proceed to assign the new role to an existing SAP user. For this, type su01 as the transaction code in the area indicated by Figure 189.

    Figure 189 : Executing the SU01 transaction

  15. This will invoke Figure 190. Click on the button indicated by Figure 190 to select the SAP user to whom you want to assign the new role.

    Figure 190 : Selecting the user whose profile is to be edited

  16. Once that user’s profile opens, click on the Logon Data tab page and set the User Type as Communication Data (see Figure 191).

    Note:

    For monitoring purposes, the recommended user type is Communication Data. However, you can also set the user type to System or Dialog, if required.

    Figure 191 : Setting the user type as Communication Data

  17. Next, click the Roles tab page in Figure 191.

    Figure 192 : Clicking the Roles tab page

  18. When Figure 193 appears, first, click on the Role column in the first row of the Role Assignments table therein. The button indicated by Figure 193 will then appear. Click on this button to select the new role. This will automatically populate the first row of the Role Assignments table with the details of the new role, thus indicating that the new role has been assigned to the SAP user. 

    Figure 193 : Assigning the role to a user

  19. Finally, save the user specification.
  20. Once the pre-requisites are fulfilled and the tests are duly configured, the eG agent will be able to pull a wealth of information from the SAP ABAP instance. The metrics so collected enable SAP administrators to find answers to queries that have for long hounded SAP ABAP administrators:

SAP Service Monitoring
  • Is the SAP service working well? What are the response times? Is any step slowing down the entire service interaction?
  • Are the critical application processes running? What is their resource usage?

Network & System Monitoring
  • How is the network performance impacting the overall service performance?
  • Are the servers properly sized in terms of CPU, memory, disk activity, etc.?
  • Are there any critical alerts in the system event logs?

Web Application Server Monitoring
  • How many sessions are currently being handled by the SAP web/application server, and are there sufficient processes configured to handle the load?
  • Is the workload properly balanced across SAP web application server instances?
  • What is the processing time of critical transactions on the server?
  • Were there any errors while connecting to the SAP ABAP server?
  • Is the application server’s memory adequately sized? Is the free memory too low?

SAP ABAP Instance Monitoring
  • Are the buffers of the SAP ABAP instance sized appropriately? Are there unusually high swap ins/outs?
  • How many requests are queued waiting for free worker processes or data locks?
  • What jobs are executing on the server ? Is the server adequately configured to handle the load?
  • What time of day/day of week is the server activity at its peak and what jobs are executing then?
  • Are there sufficient dialog processes configured to handle incoming user requests?
  • Are there any ABAP dumps happening, indicating errors in the SAP ABAP system?

SAP ABAP Instance Database Monitoring
  • Is the SAP ABAP database accessible? How are the critical cache hit ratios of the database server?
  • Are any of the database tablespaces reaching capacity?

Monitoring SAP ABAP Instance Alerts
  • How many alerts have been raised on the SAP ABAP instance? Are too many alerts active?
  • Have too many red and yellow alerts been raised on the SAP ABAP instance?
  • Have any alerts auto-completed?

Monitoring Performance Attributes of the SAP ABAP Instance
  • How many performance attributes are available for each of the configured monitors?
  • Does any monitor have too many red and yellow performance attributes? If so, which monitor is this?
  • Which monitor has inactive performance attributes?