Creating a New User Role for Monitoring and Assigning it to a SAP User

Typically, to connect to a SAP ABAP instance and run tests, the eG agent requires the permissions of a SAP user who has been assigned the following authorization objects: S_BGRFC, S_RFC, S_RFC_ADM, S_RFCACL, S_TCODE, S_ADMI_FCD, S_RZL_ADM, S_TABU_DIS, S_TABU_NAM, S_USER_GRP, S_XMI_PROD, S_APPL_LOG, S_TOOLS_EX. Ideally, you can create a new user role on the SAP ABAP instance for this purpose, associate the above-mentioned authorization objects with that role, and assign the new role to an existing SAP user.

To achieve this, follow the steps below:

  1. Login to the SAP ABAP instance as a SAP administrator.
  2. Launch the SAP Easy Access console and type the transaction code, pfcg, in the area indicated by Figure 217 below:

    Figure 217 : Executing the PFCG transaction

  3. Figure 218 will then appear. Create a new role by specifying a unique role name against Role in Figure 218. To create a single role with the given name, click on Single Role.

    Figure 218 : Creating a role

  4. When Figure 219 appears, click on the Authorizations tab page. To propose a profile name, click on the button indicated by Figure 219, in the Information About Authorization Profile section.

    Figure 219 : Proposing profile name

  5. Figure 220 will then appear, wherein the proposed profile name will be displayed.

    Figure 220 : Viewing the proposed profile name

  6. Accept the proposed name and then click on the button indicated by Figure 221 below to change the authorization data.

    Figure 221 : Choosing to change the authorization data

  7. To change the authorization data manually, click on Manually in Figure 222 that appears.

    Figure 222 : Clicking on the ‘Manually’ button

  8. When Figure 223 appears, manually specify every authorization object – i.e., privilege – that you want to add to the new role.

    Figure 223 : Manually specifying the authorization objects for the role

    For the purpose of monitoring, the following authorization objects will have to be added to the new role:

    Auth. Object Description When do you need it?


    Authorization Object for NW bgRFC

    Authorization check for bgRFC, in particular for Customizing transactions and monitors


    Authorization check for RFC access

    Authorization check when using RFC to access program modules.


    Administration for RFC destination

    Includes authorization checks for accessing individual administration functions


    Authorization Check for RFC User (e.g. Trusted System)

    Used to execute various authorization check for RFC users. This is used for extra authorizations needed in certain S/4 HANA installations.


    Transaction Code Check at Transaction Start

    Transaction code permissions needed


    System Authorizations

    Used to display system trace settings


    Table maintenance

    Used to check the authorization for displaying and maintaining table contents


    Table Access by Generic Standard Tools

    It provides authorization for tables. This is used for extra authorizations needed in certain S/4 HANA installations.


    User Master Maintenance: User Groups

    Used to display user monitoring data


    Auth. For external management interfaces(XMI)

    This authorization object is used to define which SAP ABAP user, acting on behalf of which external tool, may use which XMI interface.


    Tools Performance Monitor

    Tools Performance Monitor gives Access to special functions.(Authorization to display external statistics records in monitoring tools)


    System Administration

    Is responsible for SAP ABAP System administration using the CCMS.


    Applications Log

    Used for Gateway error log monitoring

  9. Once the authorization objects are specified, click the button indicated by Figure 223 to save the specification. Figure 224 will then appear.

    Figure 224 : Generating the objects

  10. Now, click the ‘+’ button that precedes the Cross-application Authorization Objects node in Figure 2.21 to reveal the Authorization Check for RFC Access sub-node. Expand that sub-node to view the Activity, Name of RFC to be protected, and the Type of RFC object to be protected fields. Configure these three fields with the values depicted by Figure 225. The table below indicates these values:

    Field Value



    Name of RFC to be protected


    Type of RFC object to be protected

    Function Module

    Figure 225 : Configuring Cross-application authorization objects

  11. Next, expand the Basis Administration node by clicking the ‘+’ button that precedes it. This will reveal the following sub-nodes:

    • CCMS: System Administration
    • Table Maintenance
    • Tools Performance Monitor
    • Authorization for External Interfaces
  12. Expanding each of these sub-nodes will reveal the fields that you will have to configure for each sub-node. These fields and the values that you need to provide have been clearly indicated in Figure 226.

    Figure 226 : Configuring the Basis administration objects

    You can also refer to the table below to understand what value to configure for which field under which sub-node.

    Sub-node Field Value

    CCMS: System Administration



    Table Maintenance



    Table Authorization Group


    Tools Performance Monitor

    Authorization name in user mas


    Authorization for External Management Interfaces

    XMI logging: company name


    XMI logging: Program name


    Interface ID

    XAL, XBP

  13. Then, click on the button indicated by Figure 224 to generate the objects. With that, the new role is generated.
  14. Now, proceed to assign the new role to an existing SAP user. For this, type su01 as the transaction code in the area indicated by Figure 227.

    Figure 227 : Executing the SU01 transaction

  15. This will invoke Figure 228. Click on the button indicated by Figure 228 to select the SAP user to whom you want to assign the new role.

    Figure 228 : Selecting the user whose profile is to be edited

  16. Once that user’s profile opens, click on the Logon Data tab page and set the User Type as Communication Data (see Figure 229).


    For monitoring purposes, the recommended user type is Communication Data. However, you can also set the user type to System or Dialog, if required.

    Figure 229 : Setting the user type as Communication Data

  17. Next, click the Roles tab page in Figure 229.

    Figure 230 : Clicking the Roles tab page

  18. When Figure 231 appears, first, click on the Role column in the first row of the Role Assignments table therein. The button indicated by Figure 231 will then appear. Click on this button to select the new role. This will automatically populate the first row of the Role Assignments table with the details of the new role, thus indicating that the new role has been assigned to the SAP user. 

    Figure 231 : Assigning the role to a user

  19. Finally, save the user specification.
  20. Once the pre-requisites are fulfilled and the tests are duly configured, the eG agent will be able to pull a wealth of information from the SAP ABAP instance. The metrics so collected enable SAP administrators to find answers to queries that have for long hounded SAP ABAP administrators:

SAP Service Monitoring

  • Is the SAP service working well? What are the response times? Is any step slowing down the entire service interaction?
  • Are the critical application processes running? What is their resource usage?

Network & System Monitoring

  • How is the network performance impacting the overall service performance?
  • Are the servers properly sized in terms of CPU, memory, disk activity, etc.?
  • Are there any critical alerts in the system event logs?

Web Application Server Monitoring

  • How many sessions are currently being handled by the SAP web/application server, and are there sufficient processes configured to handle the load?
  • Is the workload properly balanced across SAP web application server instances?
  • What is the processing time of critical transactions on the server?
  • Were there any errors while connecting to the SAP ABAP server?
  • Is the application server’s memory adequately sized? Is the free memory too low?

SAP ABAP Instance Monitoring

  • Are the buffers of the SAP ABAP instance sized appropriately? Are there unusually high swap ins/outs?
  • How many requests are queued waiting for free worker processes or data locks?
  • What jobs are executing on the server ? Is the server adequately configured to handle the load?
  • What time of day/day of week is the server activity at its peak and what jobs are executing then?
  • Are there sufficient dialog processes configured to handle incoming user requests?
  • Are there any ABAP dumps happening, indicating errors in the SAP ABAP system?

SAP ABAP Instance Database Monitoring

  • Is the SAP ABAP database accessible? How are the critical cache hit ratios of the database server?
  • Are any of the database tablespaces reaching capacity?

Monitoring SAP ABAP Instance Alerts

  • How many alerts have been raised on the SAP ABAP instance? Are too many alerts active?
  • Have too many red and yellow alerts been raised on the SAP ABAP instance?
  • Have any alerts auto-completed?

Monitoring Performance Attributes of the SAP ABAP Instance

  • How many performance attributes are available for each of the configured monitors?
  • Does any monitor have too many red and yellow performance attributes? If so, which monitor is this?
  • Which monitor has inactive performance attributes?