Log in to the SAP ABAP instance as an SAP administrator.
Launch the SAP Easy Access console and execute the transaction code PFCG.
The Role Maintenance page will then appear. Create a new role by specifying a unique role name against Role in the page that appears. To create a single role with the given name, click on Single Role.
In the Authorizations tab page, propose a profile name and click on the icon near the Profile Name text box in the Information About Authorization Profile section.
The page that appears next will display the proposed profile name. Accept the proposed name and then click on the Change Authorization Data icon to change the authorization data.
To change the authorization data manually, click on the Manually button in the Change Role: Authorizations page.
In the next page that appears, manually specify every authorization object - i.e., privilege - that you want to add to the new role.
For the purpose of monitoring, the following authorization objects will have to be added to the new role:
| Auth. Object | Description | When do you need it? |
|---|---|---|
| S_RFC | Authorization check for RFC access | Authorization check when using RFC to access program modules. |
| S_RFC_ADM | Administration for RFC destination | Responsible for monitoring the availability of RFC destinations. |
| S_TABU_DIS | Table maintenance | Used to check the authorization for displaying and maintaining table contents. |
| S_XMI_PROD | Auth. for external management interfaces (XMI) | This authorization object is used to define which SAP ABAP user, acting on behalf of which external tool, may use which XMI interface. |
| S_TOOLS_EX | Tools Performance Monitor | Tools Performance Monitor gives access to special functions (authorization to display external statistics records in monitoring tools). |
| S_RZL_ADM | System Administration | Is responsible for SAP ABAP System administration using the CCMS. |
| S_BGRFC | Authorization Object for NW bgRFC | Required for BGRFC monitoring. |
| S_RFCACL | Authorization Check for RFC User (e.g. Trusted System) | Used to execute various authorization checks for RFC users. This additional authorization is mainly needed in certain S/4 HANA installations. |
| S_TCODE | Transaction Code Check at Transaction Start | Required for accessing transaction codes. |
| S_ADMI_FCD | System Authorizations | This authorization object is responsible for displaying system trace settings. |
| S_TABU_NAM | Table Access by Generic Standard Tools | Used to check the authorization for displaying and maintaining table contents. This additional authorization is mainly needed in certain S/4 HANA installations. |
| S_USER_GRP | User Master Maintenance: User Groups | Required to display user monitoring data. |
| S_APPL_LOG | Applications Log | Responsible for Gateway Error Log monitoring. |
Once the authorization objects are specified, click the first icon in the right corner of the window to save the specification.
Now, click the ‘+’ button that precedes the Cross-application Authorization Objects node in Change Role: Authorizations page. This will reveal all the authorization objects that need to be configured for monitoring. Expand each sub-node to configure the corresponding fields and values as mentioned in the table below:
| Sub-node | Field | Value |
|---|---|---|
| Authorization Object for NW bgRFC | ACTVT | Display |
| | Name of Destination in Inbound Case | * |
| | Name of Destination in Outbound Case | * |
| | Entity Type for Authorization Chec | Select All Activities |
| Authorization check for RFC access | Activity | Execute |
| | Name of RFC to be protected | * |
| | Type of RFC to be protected | Function Module |
| Authorization Check for RFC User (e.g. Trusted System) | Activity | Execute |
| | RFC client or domain | Client number or * |
| | RFC same user ID | All values |
| | RFC information | * |
| | System ID (for SAP and External System) | SID of the system or * |
| | RFC transaction code | * |
| | RFC User (SAP or External) | SAP User name or * |
| Transaction Code Check at Transaction Start | Transaction Code | /IWBEP/ERROR_LOG, /IWBEP/TRACES, /IWFND/ERROR_LOG, /IWFND/TRACES, SM04, SM50, SM51 |
Next, expand the Basis Administration node by clicking the ‘+’ button that precedes it. Expanding each of these sub-nodes will reveal the fields that you will have to configure for each sub-node. Refer to the table below to understand what value to configure for which field under which sub-node.
| Sub-node | Field | Value |
|---|---|---|
| System Authorizations | System administration function | Select ST0M |
| CCMS: System Administration | Activity | Display |
| Table Maintenance | Activity | Display |
| | Table Authorization Group | * |
| Tools Performance Monitor | Authorization name in user master maintenance | * |
| Authorization for External Management Interfaces | XMI logging: company name | eGInnovations |
| | XMI logging: Program name | eG |
| | Interface ID | XAL, XBP |
| Table Access by Generic Standard Tools | Activity | Display |
| | Table Name | * |
| User Master Maintenance: User Groups | Activity | Display |
| | User group in user master main | * |
Next, expand the Basis - Central Functions node by clicking the ‘+’ button that precedes it. Expanding the sub-node will reveal the fields that you will have to configure for it. Refer to the table below to understand what value to configure for which field under the sub-node.
| Sub-node | Field | Value |
|---|---|---|
| Applications Log | Activity | Display |
| | Application log: Object name (Application code) | * |
| | Application Log: Subobject | * |
Then, click on the red button adjacent to the delete button to generate the objects. With that, the new role is generated.
Now, proceed to assign the new role to an existing SAP user. For this, type su01 as the transaction code in the Role Maintenance page.
This will invoke User Maintenance: Initial Screen. Click on the button indicated by Figure 11 to select the SAP user to whom you want to assign the new role.
Once that user’s profile opens, click on the Logon Data tab page and set the User Type as Communication Data.
Note:
For monitoring purposes, the recommended user type is Communication Data. However, you can also set the user type to System or Dialog, if required.
Next, click the Roles tab page in Maintain Users.
When the Role Assignments page appears, first click on the Role column in the first row of the Role Assignments table therein. The button in Role Assignments will then appear. Click on this button to select the new role. This will automatically populate the first row of the Role Assignments table with the details of the new role, thus indicating that the new role has been assigned to the SAP user.
Finally, save the user specification.
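The following is an added example, not part of the original page and not eG or SAP code: a Python check that compares the authorization values present in the monitoring role against the values in the tables above, reporting anything wider than the page prescribes (a change activity, a wildcard where specific values are listed, an extra object) and anything missing. The technical field names, the activity codes, the row format and the sample rows are assumptions, and only a subset of the objects is covered.

```python
# Added example. BASELINE is a subset of the values in the tables on this page.
# Technical field names and activity codes (02 = Change, 03 = Display,
# 16 = Execute) are assumptions mapped from the PFCG field labels.
BASELINE = {
    ("S_RFC", "ACTVT"): {"16"},
    ("S_RFC", "RFC_TYPE"): {"FUNC"},
    ("S_RFC", "RFC_NAME"): {"*"},
    ("S_TABU_DIS", "ACTVT"): {"03"},
    ("S_TABU_DIS", "DICBERCLS"): {"*"},
    ("S_RZL_ADM", "ACTVT"): {"03"},
    ("S_ADMI_FCD", "S_ADMI_FCD"): {"ST0M"},
    ("S_XMI_PROD", "INTERFACE"): {"XAL", "XBP"},
    ("S_TCODE", "TCD"): {"/IWBEP/ERROR_LOG", "/IWBEP/TRACES", "/IWFND/ERROR_LOG",
                         "/IWFND/TRACES", "SM04", "SM50", "SM51"},
}

# Constructed (object, field, value) rows standing in for a role export.
SAMPLE_ROWS = [
    ("S_RFC", "ACTVT", "16"), ("S_RFC", "RFC_TYPE", "FUNC"),
    ("S_RFC", "RFC_NAME", "*"),
    ("S_TABU_DIS", "ACTVT", "03"), ("S_TABU_DIS", "ACTVT", "02"),  # 02 is drift
    ("S_TABU_DIS", "DICBERCLS", "*"),
    ("S_RZL_ADM", "ACTVT", "03"), ("S_ADMI_FCD", "S_ADMI_FCD", "ST0M"),
    ("S_XMI_PROD", "INTERFACE", "XAL"),                            # XBP missing
    ("S_TCODE", "TCD", "*"),                                       # widened
    ("S_DEVELOP", "ACTVT", "02"),                                  # not in baseline
]

def audit_role(rows):
    """Return sorted (kind, object, field, value) findings against BASELINE."""
    granted = {}
    for obj, field, value in rows:
        granted.setdefault((obj, field), set()).add(value.strip().upper())
    findings = []
    for (obj, field), have in granted.items():
        allowed = BASELINE.get((obj, field))
        if allowed is None:          # object/field the page never asks for
            findings += [("UNEXPECTED", obj, field, v) for v in have]
        elif "*" not in allowed:     # baseline is specific: extras are excess
            findings += [("EXCESS", obj, field, v) for v in have - allowed]
    for (obj, field), allowed in BASELINE.items():
        have = granted.get((obj, field), set())
        if "*" in have or ("*" in allowed and have):
            continue                 # covered, or a narrower value than "*"
        findings += [("MISSING", obj, field, v) for v in allowed - have]
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROWS):
        print(*finding)
```
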