Creating a New User Role for Monitoring and Assigning it to a SAP User
To create a new user role for monitoring purposes and assign the user role to a SAP user, follow the steps below:
- Log in to the SAP ABAP instance as a SAP administrator.
- Launch the SAP Easy Access console and type the transaction code, pfcg, in the area indicated by Figure 1 below:
- Figure 2 will then appear. Create a new role by specifying a unique role name against Role in Figure 2. To create a single role with the given name, click on Single Role.
- When Figure 3 appears, click on the Authorizations tab page. To propose a profile name, click on the button indicated by Figure 3, in the Information About Authorization Profile section.
- Figure 4 will then appear, wherein the proposed profile name will be displayed.
- Accept the proposed name and then click on the button indicated by Figure 5 below to change the authorization data.
- To change the authorization data manually, click on Manually in Figure 6 that appears.
- When Figure 7 appears, manually specify every authorization object – i.e., privilege – that you want to add to the new role.
Figure 7 : Manually specifying the authorization objects for the role
For the purpose of monitoring, the following authorization objects should be added to the new role:
| Auth. Object | Description | When do you need it? |
| --- | --- | --- |
| S_RFC | Authorization check for RFC access | Authorization check when using RFC to access program modules. |
| S_RFC_ADM | Administration for RFC destination | Responsible for monitoring the availability of RFC destinations. |
| S_TABU_DIS | Table maintenance | Used to check the authorization for displaying and maintaining table contents. |
| S_XMI_PROD | Auth. for external management interfaces (XMI) | This authorization object is used to define which SAP ABAP user, acting on behalf of which external tool, may use which XMI interface. |
| S_TOOLS_EX | Tools Performance Monitor | Tools Performance Monitor gives access to special functions (authorization to display external statistics records in monitoring tools). |
| S_RZL_ADM | System Administration | Responsible for SAP ABAP system administration using the CCMS. |
| S_BGRFC | Authorization Object for NW bgRFC | Required for bgRFC monitoring. |
| S_RFCACL | Authorization Check for RFC User (e.g. Trusted System) | Used to execute various authorization checks for RFC users. This additional authorization is mainly needed in certain S/4 HANA installations. |
| S_TCODE | Transaction Code Check at Transaction Start | Required for accessing transaction codes. |
| S_ADMI_FCD | System Authorizations | This authorization object is responsible for displaying system trace settings. |
| S_TABU_NAM | Table Access by Generic Standard Tools | Used to check the authorization for displaying and maintaining table contents. This additional authorization is mainly needed in certain S/4 HANA installations. |
| S_USER_GRP | User Master Maintenance: User Groups | Required to display user monitoring data. |
| S_APPL_LOG | Applications Log | Responsible for Gateway Error Log monitoring. |
- Once the authorization objects are specified, click the button indicated by Figure 7 to save the specification. Figure 8 will then appear.
- Now, click the ‘+’ button that precedes the Cross-application Authorization Objects node in Figure 8. This will reveal all the authorization objects that need to be configured for monitoring. Expand each sub-node to configure the corresponding fields and values as mentioned in the table below:

| Sub-node | Field | Value |
| --- | --- | --- |
| Authorization Object for NW bgRFC | ACTVT | Display |
| | Name of Destination in Inbound Case | * |
| | Name of Destination in Outbound Case | * |
| | Entity Type for Authorization Chec | Select All Activities |
| Authorization check for RFC access | Activity | Execute |
| | Name of RFC to be protected | * |
| | Type of RFC to be protected | Function Module |
| Administration for RFC destination | Activity | Display, Extended Maintenance |
| | Internet Communication Framework Values | * |
| | Logical destination (specified in function call) | * |
| | Type of Entry in RFCDES | Select All Values |
| Authorization Check for RFC User (e.g. Trusted System) | Activity | Execute |
| | RFC client or domain | Client number or * |
| | RFC same user ID | All values |
| | RFC information | * |
| | System ID (for SAP and External System) | SID of the system or * |
| | RFC transaction code | * |
| | RFC User (SAP or External) | SAP User name or * |
| Transaction Code Check at Transaction Start | Transaction Code | /IWBEP/ERROR_LOG, /IWBEP/TRACES, /IWFND/ERROR_LOG, /IWFND/TRACES, SM04, SM50, SM51 |
- Next, expand the Basis Administration node by clicking the ‘+’ button that precedes it. Expanding each of these sub-nodes will reveal the fields that you will have to configure for each sub-node. Refer to the table below to understand what value to configure for which field under which sub-node.

| Sub-node | Field | Value |
| --- | --- | --- |
| System Authorizations | System administration function | Select ST0M |
| CCMS: System Administration | Activity | Display |
| Table Maintenance | Activity | Display |
| | Table Authorization Group | * |
| Tools Performance Monitor | Authorization name in user master maintenance | * |
| Authorization for External Management Interfaces | XMI logging: company name | eGInnovations |
| | XMI logging: Program name | eG |
| | Interface ID | XAL, XBP |
| Table Access by Generic Standard Tools | Activity | Display |
| | Table Name | * |
| User Master Maintenance: User Groups | Activity | Display |
| | User group in user master main | * |
- Next, expand the Basis - Central Functions node by clicking the ‘+’ button that precedes it. Expanding the sub-node will reveal the fields that you will have to configure for it. Refer to the table below to understand what value to configure for which field under the sub-node.

| Sub-node | Field | Value |
| --- | --- | --- |
| Applications Log | Activity | Display |
| | Application log: Object name (Application code) | * |
| | Application Log: Subobject | * |
Figure 9 : The list of authorization objects
- Then, click on the button indicated by Figure 8 to generate the objects. With that, the new role is generated.
- Now, proceed to assign the new role to an existing SAP user. For this, type su01 as the transaction code in the area indicated by Figure 10.
- This will invoke Figure 11. Click on the button indicated by Figure 11 to select the SAP user to whom you want to assign the new role.
Figure 11 : Selecting the user whose profile is to be edited
- Once that user’s profile opens, click on the Logon Data tab page and set the User Type as Communication Data (see Figure 12).
Note:
For monitoring purposes, the recommended user type is Communication Data. However, you can also set the user type to System or Dialog, if required.
- Next, click the Roles tab page in Figure 12.
Figure 13 : Clicking the Roles tab page
- When Figure 14 appears, first, click on the Role column in the first row of the Role Assignments table therein. The button indicated by Figure 14 will then appear. Click on this button to select the new role. This will automatically populate the first row of the Role Assignments table with the details of the new role, thus indicating that the new role has been assigned to the SAP user.
- Finally, save the user specification.
- Once the pre-requisites are fulfilled and the tests are duly configured, the eG agent will be able to pull a wealth of information from the SAP ABAP instance. The metrics so collected enable SAP administrators to find answers to queries that have for long hounded SAP ABAP administrators:
  - SAP Service Monitoring
  - Network & System Monitoring
  - Web Application Server Monitoring
  - SAP ABAP Instance Monitoring
  - SAP ABAP Instance Database Monitoring
  - Monitoring SAP ABAP Instance Alerts
  - Monitoring Performance Attributes of the SAP ABAP Instance
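
As an added example (not part of the original page or the vendor's tooling), the following least-privilege check compares a generated role's authorization values against the values prescribed in the tables above and reports anything broader, extra or missing. It assumes the role's values were exported to CSV with columns OBJECT, FIELD, LOW, HIGH (the layout of table AGR_1251); the technical field names, the activity codes and the sample rows are not taken from the page, and the sample is constructed.

```python
import csv, io

# Values the page prescribes, keyed by (object, field). Fields the page sets to
# "*" are omitted: any value is within the documented baseline there. Technical
# field names and activity codes (03 Display, 16 Execute, 36 Extended
# Maintenance) are standard SAP values assumed here, not shown on the page.
BASELINE = {
    ("S_TCODE", "TCD"): {"/IWBEP/ERROR_LOG", "/IWBEP/TRACES", "/IWFND/ERROR_LOG",
                         "/IWFND/TRACES", "SM04", "SM50", "SM51"},
    ("S_RFC", "ACTVT"): {"16"}, ("S_RFC", "RFC_TYPE"): {"FUNC"},
    ("S_RFC_ADM", "ACTVT"): {"03", "36"}, ("S_RFCACL", "ACTVT"): {"16"},
    ("S_BGRFC", "ACTVT"): {"03"}, ("S_RZL_ADM", "ACTVT"): {"03"},
    ("S_TABU_DIS", "ACTVT"): {"03"}, ("S_TABU_NAM", "ACTVT"): {"03"},
    ("S_USER_GRP", "ACTVT"): {"03"}, ("S_APPL_LOG", "ACTVT"): {"03"},
    ("S_ADMI_FCD", "S_ADMI_FCD"): {"ST0M"},
    ("S_XMI_PROD", "EXTCOMPANY"): {"eGInnovations"},
    ("S_XMI_PROD", "EXTPRODUCT"): {"eG"},
    ("S_XMI_PROD", "INTERFACE"): {"XAL", "XBP"},
}
# The 13 authorization objects the page lists for the monitoring role.
DOCUMENTED = {obj for obj, _ in BASELINE} | {"S_TOOLS_EX"}

def audit_role(csv_text):
    """Return sorted (finding, object, field, value) tuples for one role export."""
    findings, seen = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        obj, field, low, high = (row[k].strip() for k in ("OBJECT", "FIELD", "LOW", "HIGH"))
        seen.add(obj)
        if obj not in DOCUMENTED:
            findings.add(("EXTRA_OBJECT", obj, field, low))
            continue
        allowed = BASELINE.get((obj, field))
        # A range (HIGH set) or a value outside the prescribed set is broader
        # than the page asks for, e.g. ACTVT 02 (Change) or an unlisted TCD.
        if allowed is not None and (high or low not in allowed):
            findings.add(("EXCEEDS_BASELINE", obj, field, f"{low}-{high}" if high else low))
    for obj in DOCUMENTED - seen:
        findings.add(("MISSING_OBJECT", obj, "", ""))
    return sorted(findings)

# Constructed sample export (not real system data).
SAMPLE = """OBJECT,FIELD,LOW,HIGH
S_TCODE,TCD,SM50,
S_TCODE,TCD,SU01,
S_TABU_DIS,ACTVT,03,
S_TABU_DIS,ACTVT,02,
S_RFC,ACTVT,16,
S_USER_GRP,ACTVT,01,08
S_DEVELOP,ACTVT,03,
"""
if __name__ == "__main__":
    print(*audit_role(SAMPLE), sep="\n")
```

MISSING_OBJECT findings indicate the monitoring agent will lack an authorization the page requires; EXCEEDS_BASELINE and EXTRA_OBJECT findings indicate the service user holds more than the page asks for.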