Security Guide
Document Version: 1.23 – 2018-02-26
PUBLIC
Focused Run for SAP Solution Manager Feature Pack 2
© 2018 SAP SE or an SAP affiliate company. All rights reserved.
Typographic Conventions
Type Style: Description
Example: Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Also textual cross-references to other documents.
Example: Emphasized words or expressions.
EXAMPLE: Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example: Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example>: Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE: Keys on the keyboard, for example, F2 or ENTER.
Document History
Caution: Before you start the implementation, make sure that you have the latest version of this document, which is available at https://help.sap.com/viewer/p/FOCUSED RUN.
Version, Date, Change:
1.0, 2016-10-21: Initial version
1.01, 2016-10-31: Minor changes
1.10, 2017-04-11: Feature Pack 1
1.20, 2017-11-20: Feature Pack 2
1.21, 2017-12-27: Adding FP2 roles lists, adding authorization object descriptions, minor improvements
1.22, 2018-01-02: Adoption of FRN_BTC_AIM & FRN_BTC_SRA
1.23, 2018-02-26: Correction of proxy descriptions (p.12) and minor improvements
Table of Contents
1 Acronyms and Terms ... 7
2 Introduction ... 10
3 Overview of Security-Relevant Components in the Focused Run Infrastructure ... 11
4 Introduction Communication Channel Simplification ... 13
5 Introduction to Data Separation ... 15
6 Inbound HTTP SICF Services for Focused Run ... 16
6.1 Enable Strong Data Separation at Data Collection Time ... 17
6.1.1 SAP Web Dispatcher ... 17
6.1.2 Apache ... 19
7 Role Generation and User Comparison ... 21
8 Technical Users ... 22
8.1 Technical Users to Authenticate Data Send Requests to the Focused Run System (ABAP) ... 23
8.1.2 *SAP_FRN_LDB_DS ... 25
8.2 Technical Users for Batch Processing in ABAP ... 25
8.2.2 *SAP_FRN_BTC_EWA ... 27
8.2.3 *SAP_FRN_BTC_LDB ... 28
8.2.4 *SAP_FRN_BTC_MAI ... 28
8.2.5 *SAP_FRN_SND_SNMP_TRAP ... 29
8.2.6 *SAP_FRN_BTC_SRA ... 29
8.2.7 *SAP_FRN_AAD_SYA_ALL ... 30
8.2.8 *SAP_FRN_BTC_GPA ... 30
8.3 Technical Users for Internal RFC Communication in Central ABAP Stack ... 31
8.3.2 *SAP_FRN_IADM_SSI_USER ... 32
9 Data Protection and Privacy ... 33
9.1 FOCUSED RUN Dialog Users and Business Partners ... 33
9.2 Landscape Objects and Business Partners ... 33
9.3 Real User Monitoring ... 34
9.4 Synthetic User Monitoring ... 34
9.5 Trace Analysis ... 34
9.6 System Analytics ... 36
9.7 Advanced Event Management ... 36
9.8 Central Notification Management ... 37
9.9 Change and Security Analysis ... 37
9.9.1 How to Display Data Stored in the Configuration and Change Database ... 37
9.9.2 How to Delete User-Dependent Data from Configuration and Change Database ... 38
10 Dialog Users ... 42
10.1 Dialog User Roles with SAP Fiori Tiles ... 42
10.2 Proposed Work Flow to Assign Authorizations in FOCUSED RUN ... 42
10.3 Role types ... 43
10.3.1 SAP NetWeaver Basic Roles and Customer Roles Designed Prior to FOCUSED RUN ... 43
10.3.2 Cross-Application FOCUSED RUN Roles ... 43
10.3.3 FOCUSED RUN Tools Roles ... 46
10.3.4 FOCUSED RUN SAP Fiori roles ... 46
10.3.5 FOCUSED RUN Application Roles ... 49
10.4 Dialog User Roles for Incident processing by SAP ... 49
10.5 Special Protected Tables ... 50
10.6 Proposal for Setup User during FOCUSED RUN Initial Preparation before Going Live ... 51
11 Technical Users for Managed Systems ... 52
11.1 Technical Users for SAP NetWeaver ABAP ... 52
11.1.2 *SAP_FRN_SDAGENT_CSA_MS ... 53
11.2 Technical Users for SAP NetWeaver Java ... 55
11.3 Technical Users for Apache Tomcat ... 56
11.4 Technical Users for BOBJ ... 56
11.5 Technical Users for SMP ... 56
11.6 Technical Users for Managed DB ... 57
11.7 Technical Users for Managed OS ... 58
12 CA APM EM Users ... 59
13 System Landscape Data Router Configuration ... 60
14 Enable Network Communication Encryption ... 61
14.1 Configure Encryption Usage for Customer Network Configuration in SSI UI ... 62
14.2 Configure Encryption Usage for SDA Configuration in Agent Administration ... 62
15 Users and Authorizations in SAP Support Portal ... 63
16 Addendum ... 64
16.1 Role Changes for FOCUSED RUN FP02 ... 64
16.1.1 Roles Created for FP02 ... 64
16.1.2 Roles Changed with FP02 ... 65
16.2 Cross FOCUSED RUN Application Roles ... 67
16.3 FOCUSED RUN Tool Roles ... 67
16.4 All SAP Fiori Roles sorted by SAP Fiori Group Names ... 67
16.4.1 General SAP Fiori roles ... 67
16.4.2 Focus Run Home ... 68
16.4.3 Advanced System Management ... 68
16.4.4 Advanced User Monitoring ... 69
16.4.5 Advanced Integration Monitoring ... 70
16.4.6 Advanced Event & Alert Management ... 70
16.4.7 Configuration and Security Analytics ... 71
16.4.8 Infrastructure Administration ... 72
16.5 All Application Roles Sorted by FOCUSED RUN Applications ... 73
16.5.1 Advanced System Management (ASM) ... 74
16.5.2 Advanced User Monitoring (AUM) ... 77
16.5.3 Advanced Integration Monitoring (AIM) ... 80
16.5.4 Advanced Event & Alert Management (AEM) ... 81
16.5.5 Configuration & Security Analytics (CSA) ... 82
16.5.6 Infrastructure Administration ... 82
16.5.7 MAI Tools (transaction "mai_tools") ... 85
16.5.8 Customer Network access ... 85
16.5.9 Partner Reporting ... 86
16.6 Role changes for FOCUSED RUN FP 02 ... 87
16.6.1 Roles created for FP02 ... 87
16.6.2 Roles changed for FP02 ... 88
16.7 Roles with authorization objects to be maintained ... 93
1 Acronyms and Terms
Each entry gives the acronym or short form, its long form, and a comment.
AEM: Advanced Event and Alert Management. Inbound of unmolded alerts and outbound to external ticketing.
AIM: Advanced Interface Monitoring. An application in Focused Run.
ASM: Advanced System Monitoring. An application in Focused Run.
BCIA / BCI agent: Byte Code Injection Agent. SAP or a third-party byte code injection agent.
CA APM EM: Computer Associates Application Performance Management Enterprise Manager. Third-party product utilized by Focused Run for collection of non-ABAP metrics. Earlier versions of this product were known as CA Introscope EM and, before CA acquired it, as Wily Introscope EM.
CF: Configuration Analysis Framework. An application in Focused Run; the abbreviation is often used in coding, user names, and URLs utilized by configuration analysis.
CID: Customer Identification. A three-character string.
CNW: Central Notification Management. An application in Focused Run.
DPC: Data Provider Connector. Very often used in coding, user names, and URLs utilized by the monitoring infrastructure.
EA: Exception Analysis. Part of system analysis, which is an application in Focused Run.
Focused Run: Focused Run for SAP Solution Manager. The central managing SAP ABAP system. May also refer to the whole Focused Run infrastructure.
GP FWK: Guided Procedure Framework. Guided procedures are delivered as FOCUSED RUN content, and the framework provides the possibility to create customer GPs.
ISA: Infrastructure Administration. Administration and self-monitoring of the Focused Run infrastructure.
LMDB: Landscape Management Database. The Focused Run landscape model is provided by the LMDB.
MAI: Monitoring Alerting Infrastructure. Often used by the monitoring infrastructure for coding, user names, and URLs.
OP: On Premise.
PA: Performance Analysis. Part of system analysis, which is an application in Focused Run.
RUM: Real User Monitoring. An application in Focused Run.
SAM: Service Availability Management. An application in Focused Run.
SDA: Simple Diagnostics Agent. SAP Java application running on all hosts of the managed systems.
SHA: SAP Host Agent. SAP native OS application running on all hosts of the managed systems.
SLD: SAP Landscape Data. SLD DS is part of nearly all SAP products (known exception: ASE Database).
SLDR: System Landscape Data Router. SAP Java application running in the SDA.
SSI: Simple System Integration. An application in Focused Run.
ST/A-PI: Support Tool for Application Plug In. ABAP add-on.
ST-PI: Support Tool Plug In. ABAP add-on.
TA: Transaction Analysis. Transaction analysis is an application in Focused Run.
Technical User: Technical User. Authenticates data collection and send requests. Cannot be used to log on to a user interface.
TLS: Transport Layer Security. Is the predecessor of SSL (secure socket layer).
UI: User Interface.
WMM: Work Mode Management. An application in Focused Run.
2 Introduction
The security concept of Focused Run for SAP Solution Manager (also referred to in this guide as Focused Run and FOCUSED RUN) is designed to provide a secure infrastructure within IT environments that have a central administration network and managed systems in multiple, separate networks with different network security policies.
Because system, network, and IT infrastructure security is customer-specific, this guide can only describe the features of Focused Run, based on past experience and best practices.
3 Overview of Security-Relevant Components in the Focused Run Infrastructure
Each component is listed with its name, a description, and a comment.

Focused Run ABAP on HANA DB
Description: Central NW 750 ABAP application server that receives and processes all incoming managed-system metrics and other collected data. This central ABAP application server also provides all Focused Run application user interfaces. The HANA DB stores all managed-system metrics and other collected data, as well as Focused Run administrative data.
Comment: Focused Run incorporates in general the NW 750 security features, see: https://help.sap.com/saphelp_nw73ehp1/helpdata/en/f3/780118b9cd48c7a668c60c3f8c4030/frameset.htm. For the HANA DB security features, see: http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf

SAP Host Agent
Description: The SHA is installed on every host of a managed system. It installs and upgrades the Simple Diagnostics Agent on these hosts, as well as providing runtime control (start/stop). It acts as proxy for all requests sent to the Simple Diagnostics Agent. The SHA provides the OD in Focused Run.
Comment: While not delivered as part of Focused Run, SHA is used by Focused Run and is mandatory for Focused Run operation. For further details about SHA, see: https://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/c6f9627a004da5e10000000a421937/content.htm

Simple Diagnostics Agent
Description: The SDA is installed on every host of a managed system. The Simple Agent offers different data collection applications.
Comment: Part of the Focused Run delivery.

SLDR
Description: The System Landscape Data Router distributes SLD DS payloads.
Comment: Part of the Focused Run delivery.

Managed System
Description: Listed as associated with the Focused Run infrastructure because some of the different managed systems need dedicated users and security-relevant features enabled for Focused Run.
Comment: In general, see the relevant product documentation of the managed system.

ST-PI, ST/A-PI
Description: ABAP add-ons that deliver Focused Run functions.
Comment: No special Focused Run security features need to be enabled for these add-ons. Authorizations to execute the delivered functions are documented with the technical user.

CA APM EM
Description: CA APM EM temporarily saves data that is collected by the different BCI adapters and sent to Focused Run (optional, but needed to get the full scope of metrics of non-ABAP managed systems).
Comment: CA APM EM is part of the SAP Solution Manager delivery. For further details, see: https://wiki.scn.sap.com/wiki/display/TechOps/RCA_Introscope_Home

Reverse Proxy
Description: In the Focused Run infrastructure, a reverse proxy is a type of proxy that retrieves resources on behalf of the SHA and managed systems from Focused Run (optional, but needed if strong data separation is to be achieved). See also: https://en.wikipedia.org/wiki/Proxy_server
Comment: There are different third-party reverse proxies (see the relevant documentation). SAP Web Dispatcher can provide reverse proxy functionality. Reference: https://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/8fe37933114e6fe10000000a421937/frameset.htm?original_fqdn=help.sap.de

Proxy
Description: In the Focused Run infrastructure, a proxy server acts as an intermediary for requests from the Focused Run central system (SHA). Focused Run supports calls to the SHA using a proxy (optional, depending on the customer network security implementation). See also: https://en.wikipedia.org/wiki/Intermediary
Comment: There are different third-party proxies. SAP Web Dispatcher does not use the HTTP request method CONNECT and therefore does not act as a proxy in the common meaning.

Load Balancer
Description: Focused Run is commonly installed with multiple application servers for high-availability and load-distribution purposes.
Comment: Focused Run supports third-party hardware and software load balancers (see vendor documentation). SAP Web Dispatcher can provide software load-balancing functionality. Reference: https://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/8fe37933114e6fe10000000a421937/frameset.htm?original_fqdn=help.sap.de

Firewall
Description: A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Comment: Focused Run supports third-party hardware and software for firewall security (see vendor documentation).
4 Introduction Communication Channel Simplification
Communication between the central Focused Run ABAP application server and the agent, the managed ABAP system, and the CA APM EM is simplified to the HTTP protocol only.
This communication can be protected by enabling TLS encryption, so that HTTP becomes HTTPS.
Whether to use TLS pass-through or TLS termination needs to be carefully considered: it determines for which components certificates need to be requested and how these certificates must be stored, which impacts overall effort and costs.
[Figure: Communication channels between the Admin Network and the Customer Network. Admin Network side: Focused Run ABAP Instances, Focused Run HANA DB Instances, Load Balancer, Reverse Proxy, Proxy, Inbound Applications, Outbound Applications. Customer Network side: Managed Host with Host Agent, Simple DA, SLDR and BCIA; Managed Systems (AS ABAP, J2EE, SBOP, ...) with ST-PI and ST/A-PI; Managed DB (AnyDB); CA APM. Connections are labelled http(s) and RMI. Legend: Mandatory Component, Optional Component, Managed Object, Component integrated but not part of SRSM delivery.]
Depending on the technology, there are different protocols for local communication between the agents, the managed system and databases, and the CA APM EM.
This communication is local on the hosts or within the same network. If requested, it can be enabled for TLS communication. With very high effort, all components acting as client/server in this local communication can enable encrypted communication. The effort involved is not cost-effective in relation to the added security. So far, there has been no such request for Focused Run. If you have such a request, you can contact the Focused Run team for project support.
[Figure: Local communication on the managed host, with the same components as the figure above. In addition to http(s) and RMI, the local connections are labelled Local DB Connection, RFC, http and p4.]
5 Introduction to Data Separation
In a segmented network environment, it is common that different networks have different security policies. For example, a hosting provider might apply, for the hosted systems, the security policy of the hosted customer.
Because of this, Focused Run has strong data separation capabilities. If one customer network is compromised, it is ensured that no other connected network or system can be compromised by means of the central Focused Run infrastructure. Data separation is also a main pillar in protecting customer data against threats such as information disclosure and data tampering.
[Figure: Data separation. Focused Run (HANA, ABAP Instances, Inbound and Outbound Applications for networks A and B) in the middle; Customer Network A and Customer Network B on either side, each with Managed Systems and Agents, its own reverse proxy and an optional proxy. All connections are http(s).]
The above figure illustrates the idea behind data separation in Focused Run. All managed object configurations are network/customer specific. All reported metrics and data are sent specifically for one network/customer. The reverse proxy plays an important role in this concept. The reverse proxy must not be accessible from the customer network. All ports except HTTP(S) are assumed to be closed by a firewall. On the reverse proxy, an "inbound fencing" string is added to all requests from that network. This inbound fencing string is mapped to the customer-network identification. For each incoming request, Focused Run checks whether a configuration exists for this metric and network. If not, the request is rejected.
Without the reverse proxy, no inbound fencing is possible, and no data separation is applied.
6 Inbound HTTP SICF Services for Focused Run
Only the SICF services listed here, which are the ones relevant for data separation, need to be configured on the reverse proxies to enable strong data separation. The complete list of SICF services for Focused Run is in the master guide.
Each entry gives the URI, its function, and a description.
/lmdb/ds: Entry point for SLD DS. SLD DS payloads can be sent directly to Focused Run using this service.
/sld/ds: Entry point for SLD DS. SLD DS payloads can be sent directly to Focused Run using this service. Same service as /lmdb/ds with a different alias.
/sap/srsm_mai/push_metrics: Entry point for all monitoring metrics. Metrics collected by the Simple DA monitoring aglet and the CA APM EM are sent to this service.
/sap/bc/rest/cof/COF_SEND_TO_SRSM/: Entry point for all configuration analysis data. Configuration data from the different configuration stores is collected as a snapshot every 24 hours and sent to this service.
/sap/bc/sdf/sdcc/: Entry point for all ABAP EWA data. The ABAP SDCC data collector sends the data collected for ABAP EWA to this service (non-ABAP EWA data, by contrast, is calculated from the monitoring data).
/sap/bc/rest/e2e_ta_col: Entry point for data collected for E2E trace analysis. E2E trace data collected by the Simple Diagnostics Agent is sent to this service.
/sap/srsm/E2E_trace_upl: Entry point for E2E TA recordings by SAP UI5 diagnostics. Recorded UI5 sessions are uploaded to FRUM by this service.
/sap/bc/rest/rumdataservice: Entry point for real user monitoring data. Header data or statistical record data of recorded user requests is uploaded to Focused Run by this service.
/sap/bc/rest/aimdataservice: Entry point for advanced interface monitoring data. Header data or statistical record data of recorded electronic requests is uploaded to Focused Run by this service.
/sap/bc/rest/statraggdatasrv: Entry point for collection of aggregated statistical data. Collected for long-term analysis and predictions.
/sap/bc/rest/sumdataservice: Entry point for synthetic user monitoring data. Script executions are reported to Focused Run by this service.
See the master guide for more information about the required web service activation.
6.1 Enable Strong Data Separation at Data Collection Time
To enable strong data separation on the reverse proxy, the inbound fencing parameter must be set as part of the reverse path configuration.
The syntax of the reverse paths is usually specific to the vendor of the proxy:
SAP Web Dispatcher: https://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/9266f7aa6b17cee10000000a421937/content.htm
Apache: http://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
Tiny Proxy: https://tinyproxy.github.io/
See the sections below for examples of vendor-dependent reverse paths. Note: Paths should not contain carriage return characters.
6.1.1 SAP Web Dispatcher
To make FOCUSED RUN known to the SAP Web Dispatcher, add FOCUSED RUN in the SAP Web Dispatcher profile:
wdisp/system_0 = SID=<SID>, SRCURL=/, SSL_ENCRYPT=0, CLIENT=<default client>, EXTSRV=<FOCUSED RUN Host>:<FOCUSED RUN HTTP Port>
Write reverse rules to a rules file and add them in the SAP Web Dispatcher profile:
icm/HTTP/mod_0=PREFIX=/,FILE=/usr/sap/<SID>/W<Inst>/proxy/rules.txt
Reverse rules, in the rules text file, look like this (each rule on one line):
# allow Web Admin UI
if %{PATH} regimatch ^/sap/wdisp/admin
nop [break]
# Rewrite rules: add the inbound fencing parameter to each allowed data-collection URI
RegIRewriteRawUrl ^/sap/bc/sdf/sdcc/$ /sap/bc/sdf/sdcc/?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sld/ds$ /sap/bc/cim/ds?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/srsm_mai/push_metrics/$ /sap/srsm_mai/push_metrics?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/cof/COF_SEND_TO_SRSM/$ /sap/bc/rest/cof/COF_SEND_TO_SRSM?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/e2e_ta_col/AgentCollector$ /sap/bc/rest/e2e_ta_col/AgentCollector?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/rumdataservice/records$ /sap/bc/rest/rumdataservice/records?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/aimdataservice/data$ /sap/bc/rest/aimdataservice/data?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/statraggdatasrv/records$ /sap/bc/rest/statraggdatasrv/records?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/sumdataservice/records$ /sap/bc/rest/sumdataservice/records?smgwa=<AdmReqParam> [qsreplace,break]
# Reject all other URLs
#RegForbiddenUrl ^(.*) - [break]
You can define multiple customer networks with one SAP Web Dispatcher. To do so, configure different ports. The port-dependent rewrite rules are in the same rules.txt; each port block is closed with end before the next one starts:
# Rewrite rules
if %{SERVER_PORT} = 8080
begin
RegIRewriteRawUrl ^/sap/bc/sdf/sdcc/$ /sap/bc/sdf/sdcc/?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sld/ds$ /sap/bc/cim/ds?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/srsm_mai/push_metrics/$ /sap/srsm_mai/push_metrics?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/cof/COF_SEND_TO_SRSM/$ /sap/bc/rest/cof/COF_SEND_TO_SRSM?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/e2e_ta_col/AgentCollector$ /sap/bc/rest/e2e_ta_col/AgentCollector?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/rumdataservice/records$ /sap/bc/rest/rumdataservice/records?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/aimdataservice/data$ /sap/bc/rest/aimdataservice/data?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/statraggdatasrv/records$ /sap/bc/rest/statraggdatasrv/records?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/sumdataservice/records$ /sap/bc/rest/sumdataservice/records?smgwa=<AdmReqParam> [qsreplace,break]
end
if %{SERVER_PORT} = 8081
begin
…
end
RegForbiddenUrl ^(.*) - [break]
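To check a rules.txt before it goes live, the following added example (written for this guide, not SAP's code) simulates the subset of SAP Web Dispatcher modification-handler directives used above over constructed requests. The directive semantics are modelled in simplified form and are assumptions of the example: patterns are matched against the path part of the URL, qsreplace replaces whatever query string the client sent with the target's, break stops processing, and ADMREQPARAM_PLACEHOLDER stands in for <AdmReqParam>.

```python
import re
from typing import Any, Callable, List, Optional, Tuple

# Placeholder for <AdmReqParam>; the real value comes from the Focused Run system.
ADM_REQ_PARAM = "ADMREQPARAM_PLACEHOLDER"

# Constructed rules text in the shape of the port-dependent rules.txt above.
RULES_TXT = """
# allow Web Admin UI
if %{PATH} regimatch ^/sap/wdisp/admin
nop [break]
if %{SERVER_PORT} = 8080
begin
RegIRewriteRawUrl ^/sap/bc/sdf/sdcc/$ /sap/bc/sdf/sdcc/?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sld/ds$ /sap/bc/cim/ds?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/sumdataservice/records$ /sap/bc/rest/sumdataservice/records?smgwa=<AdmReqParam> [qsreplace,break]
end
# Reject all other URLs
RegForbiddenUrl ^(.*) - [break]
""".replace("<AdmReqParam>", ADM_REQ_PARAM)

Condition = Callable[[int, str], bool]            # (port, path) -> does the 'if' hold?
Directive = Tuple[str, Any, Optional[str], set]   # name, compiled regex, target, flags


def parse_condition(line: str) -> Condition:
    """Parse 'if %{SERVER_PORT} = <port>' or 'if %{PATH} regimatch <regex>'."""
    m = re.fullmatch(r"if %\{(SERVER_PORT|PATH)\} (=|regimatch) (\S+)", line)
    if m and m.group(1) == "SERVER_PORT" and m.group(2) == "=":
        return lambda port, path: str(port) == m.group(3)
    if m and m.group(1) == "PATH" and m.group(2) == "regimatch":
        rx = re.compile(m.group(3), re.IGNORECASE)
        return lambda port, path: rx.match(path) is not None
    raise ValueError(f"unsupported condition: {line}")


def parse_directive(line: str) -> Directive:
    """Parse 'nop', 'RegIRewriteRawUrl <re> <target>' or 'RegForbiddenUrl <re> -',
    each with an optional trailing '[flag,flag]' list."""
    parts = line.split()
    flags = set(parts.pop()[1:-1].split(",")) if parts[-1].startswith("[") else set()
    name = parts[0]
    if name == "nop" and len(parts) == 1:
        return (name, None, None, flags)
    if name in ("RegIRewriteRawUrl", "RegForbiddenUrl") and len(parts) == 3:
        # RegI* directives match case-insensitively, Reg* ones case-sensitively.
        rx = re.compile(parts[1], re.IGNORECASE if name.startswith("RegI") else 0)
        return (name, rx, parts[2], flags)
    raise ValueError(f"unsupported directive: {line}")


def parse_rules(text: str) -> List[Tuple[Optional[Condition], Directive]]:
    """Turn rules text into (condition, directive) pairs; 'if' followed by
    'begin' guards everything up to 'end', otherwise only the next line."""
    if "\r" in text:  # the guide requires paths without carriage returns
        raise ValueError("rules text contains a carriage return")
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    rules, i = [], 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if not line.startswith("if "):
            rules.append((None, parse_directive(line)))
            continue
        cond = parse_condition(line)
        if i < len(lines) and lines[i] == "begin":
            i += 1
            while i < len(lines) and lines[i] != "end":
                rules.append((cond, parse_directive(lines[i])))
                i += 1
            i += 1  # skip 'end'
        else:
            rules.append((cond, parse_directive(lines[i])))
            i += 1
    return rules


def route(rules, port: int, raw_url: str) -> Tuple[str, str]:
    """Apply the rules to one request: ('forward', url_sent_to_backend) or
    ('forbidden', raw_url)."""
    path, _, query = raw_url.partition("?")
    for cond, (name, rx, target, flags) in rules:
        if cond is not None and not cond(port, path):
            continue
        if rx is not None and rx.match(path) is None:
            continue
        if name == "RegForbiddenUrl":
            return ("forbidden", raw_url)
        if name == "RegIRewriteRawUrl":
            path, _, new_query = target.partition("?")
            # qsreplace drops the client's query string; otherwise the target's is appended
            query = new_query if "qsreplace" in flags else "&".join(q for q in (query, new_query) if q)
        if "break" in flags:  # stop processing (this is how 'nop [break]' passes the admin UI through)
            break
    return ("forward", path + ("?" + query if query else ""))


RULES = parse_rules(RULES_TXT)
```

Running route over a few requests shows that a client-supplied smgwa value is replaced and that unlisted paths are rejected; comment out the final RegForbiddenUrl, as in the first listing above, and the same unlisted paths are forwarded to Focused Run unchanged.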
6.1.2 Apache
Reverse path syntax:
RewriteRule ^/sld/ds$ http://<host>:<port>/sld/ds?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/lmdb/ds$ http://<host>:<port>/lmdb/ds?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/srsm_mai/push_metrics/$ http://<host>:<port>/sap/srsm_mai/push_metrics?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/bc/rest/cof/COF_SEND_TO_SRSM/$ http://<host>:<port>/sap/bc/rest/cof/COF_SEND_TO_SRSM?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/bc/sdf/sdcc/$ http://<host>:<port>/sap/bc/sdf/sdcc/?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/bc/rest/e2e_ta_col/AgentCollector/$ http://<host>:<port>/sap/bc/rest/e2e_ta_col/AgentCollector?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/srsm/E2E_trace_upl$ http://<host>:<port>/sap/srsm/E2E_trace_upl?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/bc/rest/rumdataservice$ http://<host>:<port>/sap/bc/rest/rumdataservice?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/bc/rest/aimdataservice/data$ http://<host>:<port>/sap/bc/rest/aimdataservice/data?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/bc/rest/statraggdatasrv/records$ http://<host>:<port>/sap/bc/rest/statraggdatasrv/records?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/bc/rest/sumdataservice$ http://<host>:<port>/sap/bc/rest/sumdataservice?smgwa=<AdmReqParam> [P,NC,L]
Please note that the service implementation of sdcc requires a slash before the question mark, for example /sdcc/?smgwa.
7 Role Generation and User Comparison
After an upgrade of FOCUSED RUN to a new Feature Pack, or after a new installation, we recommend that you run PFCG Mass Generation and Mass Comparison for the SAP_FOCUSED RUN roles to avoid authorization problems due to missing profiles.
Technical Users
8 Technical Users
For security, reliability, and traceability reasons, we have created separate users and roles for separate functions
in Focused Run.
8.1 Technical Users to Authenticate Data Send Requests to the Focused Run System (ABAP)
To have their own set of users for each customer namespace, some of the technical users carry a three-character customer ID (CID) in their names. These users authenticate requests that carry incoming data. Even if there is only one network/namespace and no data separation in Focused Run, there is at least one CID. These technical users are of type System and are created automatically by SSI when the customer network is created. As a prerequisite for this automatic creation, the template users listed below must be created manually.
Note: Template user type: Reference.
The technical users of applications not yet integrated in SSI, like RUM, AIM, and Performance KPI Setup, need to be created manually. Copy the user from the template user and change the user type to System. Remember the password; you need to enter it in the RUM, AIM, and Performance KPI Setup preparations.
Template user | ABAP Role | Technical User generated by SSI | Description
--- | --- | --- | ---
TPL_FRN_LDDS, TPL_FRN_LDSR | *SAP_FRN_LDB_DS | FRN_LDDS_<CID>, FRN_LDSR_<CID> | The FRN_LDDS_<CID> user authenticates data suppliers sending SLD payloads directly to Focused Run (LMDB). The FRN_LDSR_<CID> user authenticates data suppliers sending SLD payloads via an SLDR; the SLDR has its own user so that SLD payloads sent via the SLDR are easy to identify. Both users are special in Focused Run.
TPL_FRN_CSA | SAP_FRN_CSA | FRN_CSA_<CID> | User to authenticate configuration-analysis requests sent from the SDA to Focused Run (collection of configuration data).
TPL_FRN_DPC | SAP_FRN_DPC | FRN_DPC_<CID> | User to authenticate monitoring requests sent from the SDA to Focused Run (collection of host, DB, system monitoring, and analysis data).
TPL_FRN_DPI | SAP_FRN_DPI | FRN_DPI_<CID> | User to authenticate monitoring requests sent from the CA APM EM to Focused Run (collection of host, DB, system monitoring, and analysis data).
TPL_FRN_EWA | SAP_FRN_EWA | FRN_EWA_<CID> | User to authenticate EWA requests sent from the ABAP managed system to Focused Run (collection of ABAP EWA data).
TPL_FRN_TA | SAP_FRN_TA | FRN_TA_<CID> | User to authenticate TA requests sent from the SDA managed system to Focused Run (collection of TA data).
TPL_FRN_RUM | SAP_FRN_RUM | FRN_RUM_<CID> | User to authenticate RUM requests sent from the SDA managed system to Focused Run (collection of RUM data).
TPL_FRN_AIM | SAP_FRN_AIM | FRN_AIM_<CID> | User to authenticate AIM requests sent from the SDA managed system to Focused Run (collection of AIM data).
TPL_FRN_ASM | SAP_FRN_ASM | FRN_ASM_<CID> | User to authenticate STATRAG requests sent from the SDA managed system to Focused Run (collection of STATRAG data).
TPL_FRN_EXM | SAP_FRN_EXM | FRN_EXM_<CID> | User to authenticate EXM requests sent from the SDA managed system to Focused Run (collection of EXM data).
TPL_FRN_SUM | SAP_FRN_SUM | FRN_SUM_<CID> | User to authenticate SUM requests sent from the SDA managed system to Focused Run (collection of SUM data).
TPL_FRN_SLDS | no role | FRN_SLDS_<CID> | This user is special. It is only generated at network generation, as a preparation for an external user-management effort. It is intended for authentication of send requests from the SLD DS to the SLDR (the Java application of the SDA). This user has no role and no password in ABAP. Do not enter this user and password in RSSI_CHANGE_NETWORK_PASSWORD. If you have no integration with external user management for the SLD DS, enter this user's password when you configure the SLDR itself.
Roles marked with the prefix * contain authorization objects that need to be maintained.
8.1.1.1 How to Maintain Authorization Objects
To grant authorization for the authorization object, you need to maintain these objects as follows:
1. In the Role Maintenance of PFCG, choose the Authorizations tab.
2. Choose Change.
3. From the Utilities menu, select Technical Names On.
4. Maintain all activity values for each authorization object, as given in the role sections that follow, in the roles of the template users.
5. Generate the profile.
6. To assign this profile to a user, choose the User tab and add your user in the table.
Note: If users are already assigned, also execute the user comparison.
7. Save.
Result: You have now created a role for your specific needs.
Please ensure that the roles for the users listed above have been generated before the users are copied.
If you assign customer roles to the template users listed above, adjust the authorizations for SAP_FRN_IADM_SSI_USER accordingly. For details, see section Technical Users for Internal RFC Communication in Central ABAP Stack.
8.1.2 *SAP_FRN_LDB_DS
The role SAP_FRN_LDB_DS contains authorization objects delivered by SAP with no authorization. Please maintain them as shown below:
Authorization Object | Authorization Field | Recommended Value | Comment
--- | --- | --- | ---
S_BTCH_JOB | JOBGROUP | * | Job management requirement.
AI_LMDB_DS | LMDB_DOMA | LDB | Only the domain LDB (landscape management database) is currently available.
AI_LMDB_DS | LMDB_NAMES | * | The technical users FRN_LDDS_<CID> and FRN_LDSR_<CID> write into the customer namespaces, which are identified internally by namespace hashes. These users are created from the template user; the namespace hashes are randomly generated. After the namespaces are operative, consider creating a dedicated role for each namespace and adding the namespace with its known namespace hash.
8.2 Technical Users for Batch Processing in ABAP
Note: Batch processing users type: System.
Technical User for Batch Processing | Role | Description
--- | --- | ---
FRN_BTC_CSA | SAP_FRN_BTC_CSA | User with authorizations to run CSA-specific batch processing
FRN_BTC_EWA | *SAP_FRN_BTC_EWA | User with authorizations to run EWA-specific batch processing
FRN_BTC_LDB | *SAP_FRN_BTC_LDB, SAP_FRN_CNW_ACCESS_ADMIN, SAP_FRN_LDB_NOTIF_SSI | User with authorizations to run LMDB-specific batch processing; starting SSI procedures via LMDB notification
FRN_BTC_MAI | *SAP_FRN_BTC_MAI, SAP_FRN_BTC_GPA, SAP_FRN_CNW_ACCESS_ADMIN, *SAP_FRN_SND_SNMP_TRAP | User with authorizations to run MAI-specific batch processing
FRN_BTC_RUM | SAP_FRN_BTC_RUM, SAP_FRN_AEM_UMD_ALR, SAP_FRN_CNW_ACCESS_ADMIN | User with authorizations to run RUM-specific batch processing
FRN_BTC_SAM | No role | User doesn't need dedicated authorizations to run SAM-specific batch processing
FRN_BTC_SMP | SAP_FRN_BTC_SMP, SAP_FRN_CNW_ACCESS_ADMIN | User with authorizations to run SMP-specific batch processing, see also
FRN_BTC_WMM | SAP_FRN_BTC_WMM | User with authorizations to run WMM-specific batch processing
FRN_BTC_TA | SAP_FRN_BTC_TA | User with authorizations to run TA-specific batch processing
FRN_BTC_CNM | No role | User doesn't need dedicated authorizations to run CNM-specific batch processing
FRN_BTC_AIM | SAP_FRN_BTC_AIM (Note 2584160 needs to be applied), SAP_FRN_CNW_ACCESS_ADMIN, SAP_FRN_AEM_UMD_ALR | User with authorizations to run AIM-specific batch processing; data separation controlled by customer network; authorization to create unmodeled alerts
FRN_BTC_SRA | *SAP_FRN_BTC_SRA, SAP_FRN_AIM, SAP_FRN_CNW_ACCESS_ADMIN, *SAP_FRN_AAD_SYA_ALL | Running jobs for aggregation for system analytics and data collection of cloud integration monitoring; data separation controlled by customer network; all authorizations for system analytics application administration
FRN_BTC_AEM | SAP_FRN_BTC_AEM | User with authorizations to run AEM-specific batch processing
FRN_BTC_ASM | SAP_FRN_BTC_ASM | User with authorizations to run ASM-specific batch processing
FRN_BTC_GPA | SAP_FRN_BTC_GPA, SAP_FRN_CNW_ACCESS_ADMIN | User with authorizations to run guided procedure-specific batch processing
Roles marked with the prefix * contain authorization objects that need to be maintained.
8.2.1.1 How to Maintain Authorization Objects
To grant authorization for the authorization object, you need to maintain these objects as follows:
1. In the Role Maintenance of PFCG, choose the Authorizations tab.
2. Choose Change.
3. From the Utilities menu, select Technical Names On.
4. Maintain all activity values for each authorization object, as given in the role sections that follow, in the roles of the batch users.
5. Generate the profile.
6. To assign this profile to a user, choose the User tab and add your user in the table.
Note: If users are already assigned, execute the user comparison.
7. Save.
Result: You have now created a role for your specific needs.
8.2.2 *SAP_FRN_BTC_EWA
The role SAP_FRN_BTC_EWA contains authorization objects delivered by SAP with no authorization. Please maintain them as shown below:
Authorization Object | Authorization Field | Recommended Value | Comment
--- | --- | --- | ---
S_RFC_ADM | ICF_VALUE | * | See online documentation.
S_RFC_ADM | RFCTYPE | * | Depends on the connection type, which is not known at installation; you might enter the known destination type of the destination created with SDCCN.
S_BTCH_JOB | JOBGROUP | * | Job management requirement.
8.2.3 *SAP_FRN_BTC_LDB
The role SAP_FRN_BTC_LDB contains authorization objects delivered by SAP with no authorization. Please maintain them as shown below:
Authorization Object | Authorization Field | Recommended Value | Comment
--- | --- | --- | ---
S_RFC_ADM | ICF_VALUE | * | See online documentation.
S_RFC_ADM | RFCDEST | * | Depends on the name(s) of the destination to SLD; for content sync this is not known at installation, so you might enter the known destination name.
S_BTCH_JOB | JOBGROUP | * | Job management requirement.
AI_LMDB_AD | LMDB_NAMES | * | The technical user FRN_BTC_LDB must have access to all LMDB namespaces (a filter here is only advised for dialog users, to restrict access).
AI_LMDB_OB | LMDB_MTYPE, LMDB_NAMES, LMDB_OBJID, LMDB_STYPE | * (for each field) | The technical user FRN_BTC_LDB must have access to all LMDB objects (a filter here is only advised for dialog users, to restrict access).
8.2.4 *SAP_FRN_BTC_MAI
The role SAP_FRN_BTC_MAI contains authorization objects delivered by SAP with no authorization. Please maintain them as shown below:
Authorization Object | Authorization Field | Recommended Value | Comment
--- | --- | --- | ---
S_RFC_ADM | ICF_VALUE | * | See online documentation.
S_RFC_ADM | RFCDEST | * | Destination names to all SAP Host Agents, needed in case of a mass update of configurations. It is advised to keep this as * due to the high effort of maintaining it.
S_USER_GRUP | CLASS | * | See online documentation.
AI_LMDB_AD | LMDB_NAMES | * | The technical user FRN_BTC_MAI must have access to all LMDB namespaces (a filter here is only advised for dialog users, to restrict access).
AI_LMDB_OB | LMDB_MTYPE, LMDB_NAMES, LMDB_OBJID, LMDB_STYPE | * (for each field) | The technical user FRN_BTC_MAI must have access to all LMDB objects (a filter here is only advised for dialog users, to restrict access).
8.2.5 *SAP_FRN_SND_SNMP_TRAP
The role SAP_FRN_SND_SNMP_TRAP contains authorization objects delivered by SAP with no authorization. Please maintain them as shown below:
Authorization Object | Authorization Field | Recommended Value | Comment
--- | --- | --- | ---
S_LOG_COM | HOST | <hostname> | Hostname of the Focused Run application server that should create SNMP traps for alert forwarding with SNMP.
8.2.6 *SAP_FRN_BTC_SRA
The role SAP_FRN_BTC_SRA contains authorization objects delivered by SAP with no authorization. Please maintain them as shown below:
Authorization Object | Authorization Field | Recommended Value | Comment
--- | --- | --- | ---
AI_LMDB_OB | LMDB_MTYPE, LMDB_NAMES, LMDB_OBJID, LMDB_STYPE | * (for each field) | The technical user FRN_BTC_MAI must have access to all LMDB objects (a filter here is only advised for dialog users, to restrict access).
8.2.7 *SAP_FRN_AAD_SYA_ALL
The role SAP_FRN_AAD_SYA_ALL contains authorization objects delivered by SAP with no authorization. Please maintain them as shown below:
Authorization Object | Authorization Field | Recommended Value | Comment
--- | --- | --- | ---
S_BTCH_JOB | JOBGROUP | * | Job management requirement.
S_DATASET | FILENAME | * | File name not known at configuration time.
8.2.8 *SAP_FRN_BTC_GPA
The role SAP_FRN_BTC_GPA contains authorization objects delivered by SAP with no authorization. Please maintain them as shown below:
Authorization Object | Authorization Field | Recommended Value | Comment
--- | --- | --- | ---
S_ICF_ADM | ICF_NODE | * | A randomly generated hash, created at GP generation. The batch user must have access to all GPs (for housekeeping, for example).
S_BTCH_JOB | JOBGROUP | * | Job management requirement.
S_DATASET | FILENAME | * | File name not known at creation time of the GP.
S_DEVELOP | DEVCLASS | * | Customer package name for logos to be included in HTML reports generated as part of the GPs.
S_DEVELOP | OBJNAME | * | Customer object name for logos to be included in HTML reports generated as part of the GPs.
S_DEVELOP | P_GROUP | * | Customer programs to be included in the GPs.
AI_LMDB_OB | LMDB_MTYPE, LMDB_NAMES, LMDB_OBJID, LMDB_STYPE | * (for each field) | The technical user FRN_BTC_GPA must have access to all LMDB objects (a filter here is only advised for dialog users, to restrict access).
SM_SETUP | SCENARIOS | * | GP scenario name not known before GP creation.
SM_SETUP | STEPS | * | GP step name not known before GP creation.
8.3 Technical Users for Internal RFC Communication in Central ABAP Stack
Note: User type: System.
Technical User | Role | Description
--- | --- | ---
FRN_IADM_SSI | SAP_FRN_IADM_SSI_COMP, a composite role including the roles *SAP_FRN_IADM_SSI_USER and SAP_FRN_IADM_SSI_USER_DELETE | User FRN_IADM_SSI is necessary for integrated user management with internal RFC communication, if no external user management solution is available at the customer site. The user with this role is used in the local SM59 RFC destination SSI_USER_ADMIN_CONNECTION.
8.3.1.1 How to Maintain Authorization Objects
To grant full authorization for the authorization objects, you need to maintain these objects as follows:
1. In the Role Maintenance, choose the Authorizations tab.
2. Choose Change.
3. From the Utilities menu, select Technical Names On.
4. Maintain all activity values for each authorization object according to your needs. For instance, if you want to grant full authorization, always choose all activities.
Note: The names of the roles assigned to the template users (users called TPL*) need to be authorized in the authorization objects S_USER_AGR and S_USER_SAS.
5. Generate the profile.
6. To assign this profile to a user, choose the User tab and add your user in the table.
Note: If users are already assigned, also execute the user comparison.
7. Save.
Result: You have now created a role for your specific needs.
8.3.2 *SAP_FRN_IADM_SSI_USER
The role SAP_FRN_IADM_SSI_USER contains authorization objects delivered by SAP with minimal authorization. Please maintain them as shown below:
Authorization Object | Authorization Field | Delivered Value | Comment
--- | --- | --- | ---
S_USER_AGR | ACT_GROUP | SAP_FRN* | The role needs this authorization to assign the roles you have assigned to the template users (see section Technical Users to Authenticate Data Send Requests to the Focused Run System). After you have created custom roles, you need to maintain this value with your role names.
S_USER_SAS | ACT_GROUP | I_SAP_FRN*, SAP_FRN_* | The role needs this authorization to assign the roles you have assigned to the template users (see section Technical Users to Authenticate Data Send Requests to the Focused Run System). After you have created custom roles, you need to maintain this value with your role names.
9 Data Protection and Privacy
The purpose of FOCUSED RUN is to support organizations (IT departments, host providers) that run technical
operations on business systems.
As part of technical operations, FOCUSED RUN collects monitoring data such as metrics, configurations, traces,
and exceptions from designated business systems. This monitoring data can contain personal data such as user
IDs when exposed by the business systems.
Obtaining consent to store and process personal data in business operations, and to expose it in monitoring data, is the responsibility of the managed business system. As part of the monitoring operation, personal data is stored together with the operational data. This personal data in the monitoring data is to be deleted in FOCUSED RUN on demand, and as part of regular housekeeping.
FOCUSED RUN requires personal data of its dialog users for administrative purposes. In other cases, FOCUSED RUN stores personal data for the productive operations of IT departments.
FOCUSED RUN users effectively consent to FOCUSED RUN storing and processing personal data when conducting FOCUSED RUN transactions that require personal data to complete.
This chapter describes where personal data is stored and used in FOCUSED RUN.
9.1 FOCUSED RUN Dialog Users and Business Partners
All dialog users and business partners in FOCUSED RUN are created and maintained with SAP NetWeaver 7.5
standard functionality. For more information, reference SAP NetWeaver documentation:
https://help.sap.com/viewer/p/SAP_NETWEAVER_750.
9.2 Landscape Objects and Business Partners
Landscape objects include customer networks, technical systems, instances, databases, and hosts. Landscape
Objects are maintained in the LMDB. It is not uncommon in LMDB, as part of productive IT operations, to map
technical objects to business partners responsible for them. If business partners are deleted using SAP
NetWeaver functions (see above 8.1), this mapping is invalidated.
Depending on individual organizational policies, personal data can be maintained and deleted in the LMDB's
technical system editor, via the additional attributes (such as system owner).
Delete landscape objects in the LMDB's technical system editor. Please note, however, that deleting landscape
objects may lead to orphan configurations, which complicate clean-up efforts if the landscape object is already
deleted. A safe option is to decommission landscape objects using the report RSRSM_SSI_CLEANUP_NETWORK.
For more information, reference the relevant documentation (https://support.sap.com/en/solution-manager/focused-solutions/focused-run.html), under Decommissioning => Automatic Decommissioning.
For safe deletion of changelog documents containing user IDs after a defined retention period, execute report RLMDB_CLEAR_CHANGELOG.
9.3 Real User Monitoring
User IDs collected by real user monitoring are stored in these protected tables:
/RUM/AGGRECIN
/RUM/AGGRECOUT
/RUM/SNGLRECIN
/RUM/SNGLRECOUT
To delete all data older than a given number of days, execute report /rum/housekeeping. The time period is
configurable.
To delete a single user ID outside of executing the housekeeping function, manually delete the ID from the tables
listed above.
9.4 Synthetic User Monitoring
A best practice for synthetic user monitoring is to remove all personal data in the synthetic user monitoring script editor when parameterizing scripts. As a result, data of technical test users replaces all personal data. This is the standard recommendation for creating scripts for automatic execution in SUM.
9.5 Trace Analysis
If a user records a trace for their own activity, this action collects the user ID. The user can delete their trace
manually from the trace application.
To delete all data older than a given number of hours, execute report E2E_TRACE_DELETE. The time period is
configurable.
To delete a single user ID outside of executing the housekeeping function, manually delete the ID from the trace tables as follows:
1. Go to SE24 and choose CL_E2E_CPT_SEARCH_AMDP.
2. Execute the class (F8).
3. Select Search.
4. Enter the user name in field IV_VALUE.
5. Execute the method.
6. If the result ET_BT is empty, no trace is available, or it contains traces of the entered user name only.
7. The entries listed in ET_BT need to be deleted in the trace application.
9.6 System Analytics
User IDs of ABAP backend systems are collected if the collection of statistic records is configured for a system.
To delete all data older than a given number of days, execute report AI_STATRAGG_HOUSEKEEPING. The time
period is configurable.
To delete a single user ID outside of executing the housekeeping function, manually delete it from the table STATDBUSERTCODE where ACCOUNT = the user ID, and from the table STATDBUSERWORKLO where USERNAME = the user ID.
9.7 Advanced Event Management
In advanced event management, you can assign an alert to a user for processing. The assigned user can be a
dialog user in FOCUSED RUN or be an external user. When assigning an alert for processing, enter personal data
of the user such as a name, user ID, or an e-mail address. This personal data remains visible in the alert action log.
The personal data is stored in the table AEM_ACTION_LOG. Due to the technical settings of this table, it is not possible to remove the personal data with transaction SE16.
The following code can be used to create a custom program to remove this personal data (the report name is a placeholder; choose your own):
REPORT z_aem_action_log_cleanup. " placeholder name for the custom program

PARAMETERS: p1 TYPE ac_guid,    " context ID
            p2 TYPE ac_guid,    " alert type ID
            p3 TYPE hash160,    " hash of the metric path
            p4 TYPE acc_action, " action ID
            p5 TYPE sydatum,    " action date (UTC)
            p6 TYPE syuzeit.    " action time (UTC)

" All key fields except the metric path hash must be supplied; p3 may stay
" initial, in which case only rows with an initial hash_metric_path match.
IF p1 IS NOT INITIAL AND
   p2 IS NOT INITIAL AND
   p4 IS NOT INITIAL AND
   p5 IS NOT INITIAL AND
   p6 IS NOT INITIAL.
  DELETE FROM aem_action_log WHERE context_id       = p1 AND
                                   alert_type_id    = p2 AND
                                   hash_metric_path = p3 AND
                                   action_id        = p4 AND
                                   action_date_utc  = p5 AND
                                   action_time_utc  = p6.
  IF sy-subrc EQ 0.
    WRITE: 'Entry deleted'.
  ELSE.
    WRITE: 'Failed to delete entry'.
  ENDIF.
ELSE.
  WRITE: 'Insufficient data input'.
ENDIF.
9.8 Central Notification Management
In central notification management (CNM), recipient groups are maintained to send alerts and other notifications
to recipients.
Notification groups can be populated by selecting registered users from the FOCUSED RUN NW user management (see 8.1) or by entering external recipients. An external recipient is registered with their name, telephone numbers, and email addresses.
You can maintain and delete this entry in CNM.
The tables of the CNM are as follows:
• CNM_CID stores the email and phone number. Once the external recipient is deleted from the UI, these details are deleted from the table as well.
• CNM_RECIPIENT
• CNM_RL
• CNM_RL_CN
• CNM_RL_MAP
9.9 Change and Security Analysis
Change and security analysis can monitor critical authorizations (such as SAP_ALL, J2EE_Administrator). When
this special monitoring is active, the user ID containing the critical authorization is recorded.
Change and security analysis uses its collector framework to transfer technical data of the connected managed
systems into the configuration and change database (CCDB). CCDB is a set of tables stored in FOCUSED RUN's
database. This transferred technical configuration data does contain user IDs. Other personal and sensitive data
is not extracted or stored.
9.9.1 How to Display Data Stored in the Configuration and Change Database
To display user-dependent data:
1. Start the application Configuration & Security Analytics.
2. For your scope, select systems, or use an asterisk on the extended system ID for all systems.
3. Select the panel Search, enter the user ID bracketed by asterisks (for example, *sdagent*), and confirm the selection as shown in the screenshot below:
Notes:
• Data deletion takes place in two steps, logical and physical. As soon as data is deleted logically, it is no longer displayed by the above search. The physical deletion of data is performed periodically, within a few hours of the logical deletion.
• The display of data is protected by authorizations. The CCDB authorization to display all data, including the
protected data, is required here. In addition, you must ensure you have authorization for all customer
networks.
• The search does not display configuration items that are marked as deleted in CCDB. These are elements
which have not been delivered by the last snapshot of the corresponding data transfer. Such deleted
configuration items can be found and displayed by the data deletion utility only.
9.9.2 How to Delete User-Dependent Data from Configuration and Change Database
The CSA checks configuration data of managed systems. Due to its technical configuration, data is transferred
into the CCDB of the FOCUSED RUN system (such as configuration data of RFC connections or authorization data
containing user IDs).
For deletion of CCDB data on FOCUSED RUN SP02, use report CCDB_SEL_DATA_DEL. For an installation
reference, see SAP Note 2562443, Collective Corrections for CSA Collector Framework in FOCUSED RUN FP02.
Data Display
Execute Report CCDB_SEL_DATA_DEL.
Enter the user between asterisks with DISPLAY enabled, DELETE disabled, and execute.
As a result, a screen displays the technical store IDs that match the search pattern (case insensitive search).
Depending on the number of connected systems with which the user is working, the number of stores displayed
will vary. If the list is empty, there is no user data regarding the search pattern in CCDB.
Choosing the back icon displays a second screen containing additional data.
Scroll to the right to find the searched data if it is not in the initial view.
Choose the back icon to end the report.
Data Deletion
Important notes:
• During data deletion, the whole content of the stores containing the user ID is deleted. This means all other data in the store, and its history, is removed as well. It takes approximately 24 hours until the current data is reloaded. Because the current data can be reloaded, the process is not critical, but the history of data that is not user-dependent is lost.
Until the current data is retransferred to CCDB, applications like configuration validation and SAP EarlyWatch Alert, which use the CCDB data, may run into an error or report incorrect or missing data.
• Depending on the user ID, the search may also select for deletion stores that merely contain matching text rather than the specific user ID. Such deletions cannot be avoided technically.
• The data is deleted logically only. The physical deletion takes place automatically within a few hours. As soon as the data is deleted logically, it cannot be accessed anymore by applications.
• Before performing the deletion process, consider that the user data must be deleted in the managed systems first. Otherwise, the periodic data push may transfer the user data into the CCDB again.
To perform the deletion, enter the user between asterisks with DISPLAY disabled and DELETE enabled:
Execute the report and wait until it has finished. The report is designed for user data deletion only, and therefore a
high number of search hits is not expected.
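The selection behaviour described above, simulated on constructed data as an added example (this is not code from the guide or from report CCDB_SEL_DATA_DEL; the store IDs and records are invented for illustration): the DISPLAY run is modelled as a case-insensitive *<user ID>* match over every record, the DELETE run removes whole stores rather than single records, and a helper flags the hits where the user ID only occurs inside a longer token, which is the collateral deletion the note warns about.

```python
import fnmatch
import re

# Constructed CCDB-like sample: technical store ID -> records (text lines).
# These IDs and records are invented for the example; they are not real
# Focused Run data.
SAMPLE_STORES = {
    "ABC~RFCDES~PRD": [
        "RFC destination PRD_CLNT100 logon user SMITH",
        "RFC destination QAS_CLNT200 logon user BATCHUSR",
    ],
    "ABC~AUTH_PROFILE~PRD": [
        "user SMITH profile SAP_ALL",
        "user JONES profile S_A.SYSTEM",
    ],
    "ABC~ABAP_INSTANCE_PAHI~PRD": [
        "login/min_password_lng = 8",
        "rdisp/wp_no_dia = 10",
    ],
    "ABC~USER_LIST~QAS": [
        "BLACKSMITH",
        "LOCKSMITHS_TEAM",
    ],
}


def search_pattern(user_id: str) -> str:
    """The report expects the user ID between asterisks, e.g. *SMITH*."""
    return f"*{user_id}*"


def display_run(stores: dict, user_id: str) -> dict:
    """DISPLAY enabled, DELETE disabled: return store ID -> matching records.

    The match is a case-insensitive wildcard search over the record text,
    so any record that merely contains the user ID as a substring is a hit.
    """
    pattern = search_pattern(user_id).lower()
    hits = {}
    for store_id, records in stores.items():
        matched = [r for r in records if fnmatch.fnmatchcase(r.lower(), pattern)]
        if matched:
            hits[store_id] = matched
    return hits


def collateral_hits(hits: dict, user_id: str) -> dict:
    """Hits where the user ID occurs only inside a longer identifier.

    These stores are deleted together with the genuine ones, which is the
    collateral loss the guide says cannot be avoided technically.
    """
    whole_token = re.compile(
        rf"(?<![A-Z0-9_]){re.escape(user_id)}(?![A-Z0-9_])", re.IGNORECASE
    )
    result = {}
    for store_id, records in hits.items():
        only_substring = [r for r in records if not whole_token.search(r)]
        if only_substring:
            result[store_id] = only_substring
    return result


def delete_run(stores: dict, user_id: str):
    """DISPLAY disabled, DELETE enabled: whole stores are removed, not only
    the matching records. Returns (deleted store IDs, remaining stores)."""
    hits = display_run(stores, user_id)
    remaining = {sid: recs for sid, recs in stores.items() if sid not in hits}
    return sorted(hits), remaining


if __name__ == "__main__":
    uid = "smith"  # the search is case-insensitive
    hits = display_run(SAMPLE_STORES, uid)
    for sid, recs in hits.items():
        print(sid, recs)
    print("collateral:", collateral_hits(hits, uid))
    print("deleted:", delete_run(SAMPLE_STORES, uid)[0])
```

Run the DISPLAY step first and inspect the collateral list: in the sample, the user list store of system QAS is deleted only because BLACKSMITH and LOCKSMITHS_TEAM contain the search string.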
FOCUSED RUN supports different procedures to implement data protection and privacy. This chapter describes
the procedures per use case. The different FOCUSED RUN use cases where data privacy protection is applicable
are:
• Dialog User Management and Business Partner
• LMDB
• Real User Monitoring (RUM)
• Synthetic User Monitoring (SUM)
• Advanced Alert Management
• Advanced Integration Monitoring (AIM)
• Advanced Notification Management
• Change and Security Analysis
Dialog Users
10 Dialog Users
Focused Run for SAP Solution Manager 1.0 FP02 applications protect access to managed objects at the customer network level.
SAP Fiori launchpad uses redesigned authorization groups in FP02. If you are currently operating Focused Run for SAP Solution Manager 1.0 FP00 or FP01, reassign the new authorizations as described in the following sections.
10.1 Dialog User Roles with SAP Fiori Tiles
This chapter provides an overview of how and why roles are designed the way they are in FOCUSED RUN 1.0
FP02.
All roles are listed in the addendum.
For additional details on the authorization objects, see the role documentation in SU22 or in PFCG.
10.2 Proposed Work Flow to Assign Authorizations in FOCUSED RUN
The workflow for roles follows conventions from other SAP systems:
1. Define operation team responsibilities and team members. For guests and customers, define self-service responsibilities.
2. Create a named dialog user in FOCUSED RUN for each team member. Similarly, create a dialog user for each guest and customer.
3. Create custom cross-application FOCUSED RUN roles from the delivered SAP roles. According to the defined responsibilities, maintain the authorization objects of these roles to grant visibility of systems, customer networks, customers, and other managed objects.
A value of * grants access to all objects in the LMDB; use it only for users who are meant to see every customer namespace.
4. Assign the custom cross-application FOCUSED RUN roles to the dialog users.
5. Assign the SAP Fiori tiles needed to fulfil the team tasks to the dialog users. Similarly, assign tiles for guests and customers.
6. Create custom common FOCUSED RUN application roles from the delivered SAP roles. According to the defined responsibilities, maintain the authorization objects of these roles to grant operations. The authorization objects of these roles must be maintained before the roles can be used.
Maintaining an authorization object with * grants all objects and operations.
All roles with authorization objects to be maintained are listed in the addendum.
7. Assign the custom common FOCUSED RUN application roles to the dialog users.
10.3 Role types
The roles for dialog users in FOCUSED RUN fall into the following types.
10.3.1 SAP NetWeaver Basic Roles and Customer Roles Designed Prior to FOCUSED RUN
This guide describes FOCUSED RUN roles sufficient to run all FOCUSED RUN applications. Please see SAP
NetWeaver documentation for SAP NetWeaver basic functions such as transport management or user
management. Also, be sure to reference your company's policies with regard to customizing basic roles.
10.3.2 Cross-Application FOCUSED RUN Roles
The cross-application roles separate which managed objects of your IT landscape can be displayed and operated by the FOCUSED RUN dialog user who owns the roles:
Role Name / Short Text / Assign to
SAP_FRN_CNW_ACCESS: Grants access at the customer network level, the customer level, or the datacenter level. Assign to: all (see below).
SAP_FRN_CNW_ACCESS_ADMIN: Grants access to all customer networks, customers, and datacenters. Assign to: technical users (see above) or Super Admin.
SAP_FRN_LDB_OB_DSIP: Grants access at the technical system and host level. Assign to: all (see below).
10.3.2.1 SAP_FRN_CNW_ACCESS
The role SAP_FRN_CNW_ACCESS contains the authorization object LMDB_SCOPE, delivered by SAP with the field value LMDB_CN. Maintain the object LMDB_CN in your customer roles to grant access to dedicated LMDB namespaces.
Authorization objects of role SAP_FRN_CNW_ACCESS to be maintained (object / authorization field / delivered value / to be maintained):
LMDB_SCOPE / LMDB_SCOPE / LMDB_CN / no
LMDB_CN / LDB_CUSTNET / <empty> / name of the customer network
LMDB_CN / LDB_CUSTNET / <empty> / customer ID
LMDB_CN / LDB_DC / <empty> / data center ID
Since LMDB_SCOPE is set to LMDB_CN (limited access), the fields of object LMDB_CN are evaluated.
For example, to grant data access to customer ID ABC only, all three fields must be maintained; a field that is left empty grants no value, so the role grants no namespace at all.
10.3.2.2 SAP_FRN_CNW_ACCESS_ADMIN
The role SAP_FRN_CNW_ACCESS_ADMIN contains the authorization object LMDB_SCOPE, delivered by SAP with the authorization field LMDB_SCOPE set to ADMIN. Since LMDB_SCOPE is set to ADMIN, the fields of object LMDB_CN are not evaluated.
This role is typically granted to technical users for batch processing (see chapter 8.2). It can also be assigned to a Super Admin who needs access to all customer namespaces in FOCUSED RUN. Treat it as a privileged role: because authorizations from all roles of a user are additive, an LMDB_CN restriction in another role of the same user is bypassed by the ADMIN scope.
Authorization objects of role SAP_FRN_CNW_ACCESS_ADMIN to be maintained (object / authorization field / delivered value / to be maintained):
LMDB_SCOPE / LMDB_SCOPE / ADMIN / no
This role does not contain the authorization object LMDB_CN.
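The evaluation order described in 10.3.2.1 and 10.3.2.2, modelled in Python as an added example (this is not SAP's authorization check and not code from this guide): LMDB_SCOPE = ADMIN short-circuits the check, LMDB_SCOPE = LMDB_CN makes the LMDB_CN fields decisive, a * in a field matches every value, and a field that was never maintained grants nothing. LDB_CUSTNET and LDB_DC are the field names listed above; the customer ID field is called CUSTOMER_ID here as an assumption, because the guide gives it no distinct technical name. The users and managed objects are constructed.

```python
import fnmatch

SCOPE_ADMIN = "ADMIN"     # delivered in SAP_FRN_CNW_ACCESS_ADMIN
SCOPE_CN = "LMDB_CN"      # delivered in SAP_FRN_CNW_ACCESS

# Field names of object LMDB_CN as modelled here. LDB_CUSTNET and LDB_DC are
# taken from the guide; CUSTOMER_ID is an assumed name for the customer ID field.
CN_FIELDS = {
    "LDB_CUSTNET": "customer_network",
    "CUSTOMER_ID": "customer_id",
    "LDB_DC": "data_center",
}


def field_allows(values, value: str) -> bool:
    """PFCG semantics: any maintained value may match, '*' matches everything,
    and an unmaintained (empty) field grants no value at all."""
    return any(fnmatch.fnmatchcase(value, v) for v in values)


def lmdb_access_allowed(user_auths: dict, managed_object: dict) -> bool:
    """Decide whether a dialog user may see a managed object.

    user_auths = {"LMDB_SCOPE": [scope values], "LMDB_CN": {field: [values]}}
    managed_object = {"customer_network": ..., "customer_id": ..., "data_center": ...}
    Authorizations from several roles are additive, so the lists hold the
    union of all values the user has been granted.
    """
    scopes = user_auths.get("LMDB_SCOPE", [])
    if SCOPE_ADMIN in scopes:
        return True                     # ADMIN scope: LMDB_CN is not evaluated
    if SCOPE_CN not in scopes:
        return False                    # no scope: no customer namespace at all
    cn = user_auths.get("LMDB_CN", {})
    return all(
        field_allows(cn.get(field, []), managed_object[attr])
        for field, attr in CN_FIELDS.items()
    )


# Constructed managed objects
SYSTEM_ABC = {"customer_network": "ABC_PROD", "customer_id": "ABC", "data_center": "DC01"}
SYSTEM_XYZ = {"customer_network": "XYZ_PROD", "customer_id": "XYZ", "data_center": "DC02"}

# Constructed users
OPERATOR_ABC = {   # copy of SAP_FRN_CNW_ACCESS with all three fields maintained
    "LMDB_SCOPE": [SCOPE_CN],
    "LMDB_CN": {"LDB_CUSTNET": ["*"], "CUSTOMER_ID": ["ABC"], "LDB_DC": ["*"]},
}
OPERATOR_ALL = {   # '*' everywhere: sees every namespace
    "LMDB_SCOPE": [SCOPE_CN],
    "LMDB_CN": {"LDB_CUSTNET": ["*"], "CUSTOMER_ID": ["*"], "LDB_DC": ["*"]},
}
HALF_MAINTAINED = {   # LDB_DC never maintained: the role grants nothing
    "LMDB_SCOPE": [SCOPE_CN],
    "LMDB_CN": {"LDB_CUSTNET": ["*"], "CUSTOMER_ID": ["ABC"]},
}
BATCH_ADMIN = {"LMDB_SCOPE": [SCOPE_ADMIN]}   # SAP_FRN_CNW_ACCESS_ADMIN, no LMDB_CN
ADMIN_PLUS_RESTRICTION = {   # both roles: the ADMIN scope wins over the restriction
    "LMDB_SCOPE": [SCOPE_CN, SCOPE_ADMIN],
    "LMDB_CN": {"LDB_CUSTNET": ["ABC_PROD"], "CUSTOMER_ID": ["ABC"], "LDB_DC": ["DC01"]},
}


def visible_systems(user_auths: dict, systems: dict) -> list:
    """Names of the given systems the user may see, sorted."""
    return sorted(name for name, obj in systems.items()
                  if lmdb_access_allowed(user_auths, obj))


if __name__ == "__main__":
    systems = {"ABC": SYSTEM_ABC, "XYZ": SYSTEM_XYZ}
    for name, user in [("OPERATOR_ABC", OPERATOR_ABC), ("OPERATOR_ALL", OPERATOR_ALL),
                       ("HALF_MAINTAINED", HALF_MAINTAINED), ("BATCH_ADMIN", BATCH_ADMIN),
                       ("ADMIN_PLUS_RESTRICTION", ADMIN_PLUS_RESTRICTION)]:
        print(f"{name:24s} sees {visible_systems(user, systems)}")
```

The ADMIN_PLUS_RESTRICTION user illustrates why SAP_FRN_CNW_ACCESS_ADMIN should not be combined with a namespace-restricted copy of SAP_FRN_CNW_ACCESS on the same user: the restriction has no effect.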
10.3.2.3 SAP_FRN_LDB_OB_DSIP
The role SAP_FRN_LDB_OB_DSIP contains authorization objects delivered by SAP with no authorization
separations. Maintain the listed authorization objects in your customer roles as below to grant access to
dedicated LMDB objects according to your team roles:
Authorization objects of role SAP_FRN_LDB_OB_DSIP to be maintained (object / authorization field / delivered value / comment):
AI_LMDB_OB / LDB_NAMES / * / See documentation (maintain this field as an exception only; namespace access is granted with SAP_FRN_CNW_ACCESS).
AI_LMDB_OB / LMDB_STYPE / ABAP, ATC, BOBJ, CLOUD_CONN, DBSYSTEM, DIAGNAGENT, EXT_SRV, HANADB, IS_EM, IS_MOM, JAVA, LIVE_CACHE, MDM, MSIISINST, MS_.NET, SUP, TREX, UNSP3TIER, UNSPAPP, UNSPECIFIC, WEBDISP, WEBSPHERE / Maintain this field to separate access by functional group (for example, restrict database administrators to the database system types).
10.3.3 FOCUSED RUN Tools Roles
The tools roles grant access to certain tools that are offered by different applications. For example, the
authorization to create a scope selection is useful in all applications with scope selections.
Role Description
SAP_FRN_SCOPE_SEL Role to authorize scope selection for FOCUSED RUN.
SAP_FRN_CNM_SND_NOTIF Authorizations to send notifications.
SAP_FRN_APP_AEM_ALR_INB_DISP Access to alert inbox display; no confirm.
SAP_FRN_APP_AEM_ALR_TIC Access to alert ticker.
10.3.4 FOCUSED RUN SAP Fiori roles
SAP Fiori roles control access to SAP Fiori launchpad (FLP), implemented by FOCUSED RUN.
SAP Fiori authorizations are effective on SAP Fiori catalogs and SAP Fiori groups.
The catalogs and groups are named according to FOCUSED RUN applications.
SAP Fiori Group / Contains tiles for
Focused Run Home (navigation tiles only, to open):
• SAP Focused Solutions for SAP Solution Manager
• SAP Focused Run: SAP Help Portal
• SAP Focused Run: Technical Details
• SAP Focused Run: Whitepaper
Advanced System Management (ASM):
• System Monitoring
• System Monitoring: Template Maintenance
• System Monitoring: Individual Maintenance
• System Monitoring: Content Update
• Advanced Monitoring
• Advanced Monitoring: Configuration
• System Analytics
• System Analytics: Configuration
• System Management: Guided Procedure Catalogue
• System Management: Guided Procedure Reporting
• IT Calendar & Work Mode Management
• Service Availability Management
• License Management
• EWA Reports: ONE Support Cloud
• Maintenance Planner: ONE Support Cloud
Advanced User Monitoring (AUM):
• Real User Monitoring
• Real User Monitoring: Configuration
• Synthetic User Monitoring
• Synthetic User Monitoring: Configuration
• Trace Analysis
Advanced Integration Monitoring (AIM):
• Integration Monitoring
• Integration Monitoring: Configuration
• Cloud Service Management: Configuration
Advanced Event & Alert Management (AEM):
• Alert Management
• Alert Management: Alert Consumer Configuration
• Alert Management: Guided Procedure Catalogue
• Alert Management: Guided Procedure Reporting
Configuration & Security Analytics:
• Configuration & Security Analytics
• Configuration & Security Analytics: Administration
Infrastructure Administration:
• LMDB (Administration, Setup and Object Maintenance)
• Global Settings & Network Configuration
• Simple System Integration
• Agent Administration
• Agent Mass Update
• Self-Monitoring
• Self-Monitoring: Dashboard
• Central Notification Management
• Expert Scheduling Management Cockpit
Assign SAP Fiori roles to dialog users according to the different tasks of IT teams, guests, and customers. The naming conventions of the SAP Fiori roles are:
SAP_FRN_FLP_EMBEDDED: Authorization to open SAP Fiori launchpad. Assign to: all.
SAP_FRN_FLP_CAT_APP_<XXX> and SAP_FRN_FLP_CAT_AAD_<XXX>: Access to an SAP Fiori catalog in order to organize (move, add, delete) the tiles within the catalog. APP indicates that the catalog contains tiles for applications; AAD indicates that the catalog contains tiles for application administration. Assign to: administrators, key users.
SAP_FRN_FLP_<number>_<XXX>: Access to the tiles of one SAP Fiori group in SAP Fiori launchpad, for example Advanced System Management (ASM) or Advanced User Monitoring (AUM). <XXX> is a placeholder for the application acronym; <number> is for internal reference only. Assign to: operators and administrators according to their assigned tasks; guests and customers.
All SAP Fiori roles are listed in the addendum.
10.3.5 FOCUSED RUN Application Roles
FOCUSED RUN application roles grant authorizations at the application level, that is, inside the applications opened from SAP Fiori tiles. If you can see an SAP Fiori tile in SAP Fiori launchpad, you can open the application, but without authorization at the application level you cannot work with it.
To use an application, assign its application roles to the dialog users. The application roles are designed to grant sufficient authorizations depending on the responsibility of the dialog user in the operation team. Similarly, application roles grant guests and customers selected self-service responsibilities.
Some roles indicate by name that they are intended for application administration (SAP_FRN_AAD_<XXX>_<XXX>) or for the application purpose only (SAP_FRN_APP_<XXX>_<XXX>). Where there is little distinction between AAD and APP, the role name is shortened, for example SAP_FRN_LDB_DISP.
Role / Short Text / Assign to
SAP_FRN_SSI_WSEXEC: Dedicated role to execute SSI via web service calls. Assign to: administrators, technical users.
SAP_FRN_*_ALL, SAP_FRN_*_ADMIN: All authorizations on the application. Assign to: administrators, key users.
SAP_FRN_RUM_WOD, SAP_FRN_SIA_WOD, SAP_FRN_AIM_WOD: All authorizations on the application without access to specially protected data, such as user IDs in RUM or business payload in AIM (collected only if dedicated customizing exists). Assign to: administrators who are not supposed to see business data; assign these roles instead of *_ALL.
SAP_FRN_*_EXE: Execute the application. Assign to: key users, operators.
SAP_FRN_*_MAINT: Maintain content. Assign to: operators.
SAP_FRN_*_REVIEW, SAP_FRN_*_REV: Review certain content. Assign to: key users, customers.
SAP_FRN_*_DISP: Display data. Assign to: customers, guests.
SAP_FRN_CSA_PROTECTED: Access to critical data in CSA (for example, which users have SAP_ALL). Assign to: key users.
All application roles are listed in the addendum.
10.4 Dialog User Roles for Incident processing by SAP
We recommend creating a dedicated user for incident processing by SAP. Grant this user the following roles:
Role / Description
SAP_FRN_FLP_EMBEDDED: SAP Fiori launchpad authorization
SAP_FRN_SCOPE_SEL: Filter bar
SAP_FRN_FLP_5_ISA: ISA SAP Fiori group
SAP_FRN_APP_MOAL_ALL: All authorizations for the system monitoring application
SAP_FRN_LDB_ALL: LMDB: full authorizations
SAP_FRN_SDA_ALL: Administration authorizations for agent administration (SLDR configuration, upload of SDA/JRE binaries, mass installation, debug)
SAP_FRN_SSI_ALL: Administration authorization for Simple System Integration
SAP_FRN_TECH_MON_TOOL: Monitoring support: full authorizations
Customer-own role: Grants access to transactions such as SE16, SE80, and SM37. For further authorizations, see SAP Note 2042794, Prerequisites for Efficient Incident Processing.
Because these roles include SE16 and full LMDB authorizations, keep this user locked while no incident is being processed.
10.5 Special Protected Tables
Through RUM and AIM, FOCUSED RUN delivers two applications that collect sensitive data in FOCUSED RUN tables: RUM saves user IDs, and AIM saves business payload data (if customized on the application side).
The relevant tables for RUM are:
/RUM/AGGRECIN
/RUM/AGGRECOUT
/RUM/SNGLRECIN
/RUM/SNGLRECOUT
The relevant tables for AIM are:
/IMA/EDID4
/IMA/PIMSGABAPUD
EXM_COLL_CTXT
Because of the potentially sensitive content, SE16 access to these tables is protected with the authorization object S_TABU_NAM, which is contained in the roles:
SAP_FRN_AAD_RUM_ALL
SAP_FRN_APP_RUM_ALL
SAP_FRN_AAD_AIM_ALL
SAP_FRN_APP_AIM_ALL
This way, users without this explicit SE16 access cannot see the sensitive data.
Grant these roles to selected persons only. They are used by development support and administrators for troubleshooting.
This protection relies on SE16 table access in your customer roles being granted through the authorization object S_TABU_DIS with specific table authorization groups, not with the value *. If S_TABU_DIS is maintained with DICBERCLS = * in any role of a user, that user can display the tables above regardless of S_TABU_NAM, and the table content is at risk of unauthorized display access.
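The two-stage SE16 check behind this note, as an added Python model (not the AS ABAP implementation and not code from this guide): S_TABU_DIS is evaluated first on the table's authorization group, and only if that fails is S_TABU_NAM evaluated on the table name. The table-to-group assignment and the three user profiles are constructed for the example; the group names FRUM, FAIM and SS are assumptions, not SAP's delivered values.

```python
import fnmatch

# Constructed assignment of the protected tables (plus one harmless table) to
# table authorization groups (field DICBERCLS). The group names are assumed.
TABLE_GROUPS = {
    "/RUM/AGGRECIN": "FRUM",
    "/RUM/AGGRECOUT": "FRUM",
    "/RUM/SNGLRECIN": "FRUM",
    "/RUM/SNGLRECOUT": "FRUM",
    "/IMA/EDID4": "FAIM",
    "/IMA/PIMSGABAPUD": "FAIM",
    "EXM_COLL_CTXT": "FAIM",
    "T000": "SS",
}
PROTECTED_TABLES = [t for t, g in TABLE_GROUPS.items() if g != "SS"]
ACTVT_DISPLAY = "03"


def _matches(values, value: str) -> bool:
    """Any maintained value may match; '*' and other PFCG wildcards apply."""
    return any(fnmatch.fnmatchcase(value, v) for v in values)


def table_display_allowed(auths: dict, table: str):
    """Simplified model of the table access check performed by SE16.

    auths = {"S_TABU_DIS": [{"ACTVT": [...], "DICBERCLS": [...]}, ...],
             "S_TABU_NAM": [{"ACTVT": [...], "TABLE": [...]}, ...]}
    Returns the name of the object that granted display access, or None.
    """
    group = TABLE_GROUPS.get(table, "&NC&")   # tables without a group fall into &NC&
    for a in auths.get("S_TABU_DIS", []):
        if _matches(a["ACTVT"], ACTVT_DISPLAY) and _matches(a["DICBERCLS"], group):
            return "S_TABU_DIS"
    for a in auths.get("S_TABU_NAM", []):       # only reached if S_TABU_DIS failed
        if _matches(a["ACTVT"], ACTVT_DISPLAY) and _matches(a["TABLE"], table):
            return "S_TABU_NAM"
    return None


def exposed_protected_tables(auths: dict) -> list:
    """(table, granting object) for every protected RUM/AIM table the user can display."""
    return sorted((t, table_display_allowed(auths, t))
                  for t in PROTECTED_TABLES if table_display_allowed(auths, t))


# Constructed users
BASIS_WILDCARD = {   # the situation the guide warns about: DICBERCLS = '*'
    "S_TABU_DIS": [{"ACTVT": ["03"], "DICBERCLS": ["*"]}],
}
BASIS_SCOPED = {     # customer role with one specific table group only
    "S_TABU_DIS": [{"ACTVT": ["03"], "DICBERCLS": ["SS"]}],
}
RUM_SUPPORT = {      # BASIS_SCOPED plus an S_TABU_NAM grant for the RUM tables
    "S_TABU_DIS": [{"ACTVT": ["03"], "DICBERCLS": ["SS"]}],
    "S_TABU_NAM": [{"ACTVT": ["03"], "TABLE": ["/RUM/*"]}],
}


if __name__ == "__main__":
    for name, user in [("BASIS_WILDCARD", BASIS_WILDCARD),
                       ("BASIS_SCOPED", BASIS_SCOPED),
                       ("RUM_SUPPORT", RUM_SUPPORT)]:
        print(f"{name:15s} can display: {exposed_protected_tables(user)}")
```

The BASIS_WILDCARD user reaches every protected table through S_TABU_DIS alone, which is why the S_TABU_NAM grant in the RUM and AIM roles only restricts access when the customer roles name specific table authorization groups.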
10.6 Proposal for Setup User during FOCUSED RUN Initial Preparation before Going Live
The initial preparation of FOCUSED RUN is executed by a small team of experts. The profiles SAP_ALL and SAP_NEW do not contain the authorizations needed to access SAP Fiori tiles. Experience shows that it is very helpful during the preparation phase to have all authorizations needed for configuration, configuration checks, and troubleshooting assigned to the named users of the small team performing the preparation. Withdraw SAP_ALL and SAP_NEW from these users once the preparation is complete; the role sets described in the previous sections are sufficient to run the FOCUSED RUN applications.
For your convenience, here is a list of all FOCUSED RUN-specific roles required in addition to SAP_ALL and SAP_NEW for initial preparation:
Role Short text
SAP_FRN_FLP_5_ISA Access to FOCUSED RUN FLP: Group Infrastructure Administration
SAP_FRN_FLP_4_CSA Access to FOCUSED RUN FLP: Group CSA
SAP_FRN_FLP_3_AEM Access to FOCUSED RUN FLP: Group AEM
SAP_FRN_FLP_3_1_AIM Access to FOCUSED RUN FLP: Group AIM
SAP_FRN_FLP_2_AUM Access to FOCUSED RUN FLP: Group AUM
SAP_FRN_FLP_1_ASM Access to FOCUSED RUN FLP: Group ASM
SAP_FRN_FLP_0_FRNH Access to FOCUSED RUN FLP: Group FRNH
11 Technical Users for Managed Systems
The technical users in managed systems and databases are required to authenticate data collection requests. The technical users at OS level are required to authenticate ad-hoc requests to SAP Host Agent or the simple diagnostics agent.
Focused Run does not create these technical users; they must be created with other tools according to customer policies as part of the preparation. The user credentials must be provided to SSI when the configuration is executed.
11.1 Technical Users for SAP NetWeaver ABAP
This user must be created in the ABAP client of the managed system to which the simple diagnostics agent connects via RFC for data collection.
The user needs to be created in the managed system as preparation. The SDAGENT user and its password need to be provided when executing Simple System Integration in the Focused Run system.
The roles below are delivered with the latest version of ST-PI. In addition, the most recent version of the roles is attached to SAP Note 2450740, Roles to authorize access in managed Systems to collect data for FOCUSED RUN.
Technical user ID: SDAGENT. Roles (the role marked with * contains authorization objects that you must maintain; see 11.1.2):
SAP_FRN_SDAGENT_CSA_MS (*): Authorizations to collect CSA data
SAP_FRN_SDAGENT_CSA_SEC_MS: Display special users (such as SAP*) with default passwords
SAP_FRN_SDAGENT_EWA_MS: Authorization to collect EWA data
SAP_FRN_SDAGENT_MAI_MS: Authorization to collect monitoring data
SAP_FRN_SDAGENT_TA_MS: Authorization to collect TA data
SAP_FRN_SDAGENT_RUM_MS: Authorization to collect RUM data
SAP_FRN_SDAGENT_AIM_MS: Authorization to collect AIM data
Technical user ID: <customer>. Role SAP_SDCCN_ALL: Execute SDCCN job
11.1.1.1 How to Maintain Authorization Objects
To grant authorization for an authorization object, maintain the objects as follows:
1. In Role Maintenance (PFCG), choose the Authorizations tab.
2. Choose Change.
3. From the Utilities menu, select Technical Names On.
4. Maintain all activity values for each authorization object as described above in the roles of the template users.
5. Generate the profile.
6. To assign the profile to a user, choose the User tab and add the user to the table.
Note: If users are already assigned, execute the user comparison.
7. Save.
11.1.2 * SAP_FRN_SDAGENT_CSA_MS
The role SAP_FRN_SDAGENT_CSA_MS contains authorization objects delivered by SAP without authorization values. To use the Focused Run scenario Configuration and Security Analysis, maintain them as shown below:
Authorization objects of role SAP_FRN_SDAGENT_CSA_MS to be maintained (object / authorization field / recommended value / comment):
S_RFC_ADM / ICF_VALUE / * / See online documentation
S_DATASET / FILENAME, PROGRAM / * /
S_LOG_COM / HOST, OPSYSTEM / * /
S_DATASET governs file access from ABAP programs and S_LOG_COM governs the execution of external operating system commands, so the recommended values are broad. Assign this role to the SDAGENT technical user only, never to dialog users, and restrict the values further where your policies require it.
11.2 Technical Users for SAP NetWeaver Java
The user needs to be created in the managed system as preparation. The SDAGENTJ user and its password need to be provided when executing SSI in Focused Run.
The following roles and actions must be assigned if the described functionality or metric is planned to be consumed:
Technical user ID: SDAGENTJ
Java roles:
• NWA_READONLY
• SAP_JAVA_WSNAVIGATOR
• XI_FOCUSED RUN_GET_MSG (available with PI 7.31 SP18+, PI 7.40 SP13+, PI 7.50 SP02+)
• Administrator
Java action:
• Spml_Read_Action (see SAP Note 1647157, How to Set up Access to the SPML Service on AS Java)
These roles and actions are needed for:
• Java message monitoring in Focused Run AIM
• monitoring metrics of Java job monitoring in Focused Run ASM
• collecting message payload in FOCUSED RUN AIM monitoring (only possible if the relevant customizing is done in the PI)
• collecting data of "Java PSE Certificates" for the validation check in Focused Run CSA
• the security check of whether default users are disabled in FOCUSED RUN CSA
• the monitoring metric Java Named Users in Focused Run ASM
Assign only the roles and actions whose functionality you consume; the Administrator role in particular grants full administrative access to the AS Java.
11.3 Technical Users for Apache Tomcat
This user needs to be created in the managed system as preparation. The JMXUSR user and its password need to be provided when executing SSI in Focused Run.
Technical user ID: JMXUSR
Java start-up parameter: -Dcom.sun.management.jmxremote
Description: Needed to collect SysMon and System Analysis data via JMX calls. See SAP Note 1633036, SAP Solution Manager 7.1 E2E RCA Setup for Apache Tomcat.
The switch -Dcom.sun.management.jmxremote by itself does not enforce authentication on the remote JMX port. Combine it with com.sun.management.jmxremote.authenticate=true, a password file (com.sun.management.jmxremote.password.file) containing JMXUSR, and an access file (com.sun.management.jmxremote.access.file) that grants JMXUSR readonly access, and enable com.sun.management.jmxremote.ssl where your TLS setup allows it.
11.4 Technical Users for BOBJ
This user needs to be created in the managed system as preparation. The user and password need to be provided when executing SSI in Focused Run.
Technical user ID: <customer>
BOBJ role: CMS Admin (created at installation)
Description: Needed to enable tracing (TA), monitor data collection (SYSMON), and configure store snapshot creation (configuration and security analytics administration)
11.5 Technical Users for SMP
This user needs to be created in the managed system as preparation. The user and password need to be provided when executing SSI in Focused Run.
Technical user ID: <customer>
SMP role: Help Desk
Description: Needed to enable tracing (TA), monitor data collection (SYSMON), and configure store snapshot creation (configuration and security analytics administration). See the SMP 3.0 guide: http://scn.sap.com/community/developer-center/mobility-platform/blog/2015/04/26/granting-role-based-access-in-sap-mobile-platform-30
11.6 Technical Users for Managed DB
For database monitoring, a dedicated user should exist on each database to authenticate connections from SAP Host Agent to the database. Check your database documentation.
The user needs to be created and the user/password needs to be provided to SAP Host Agent as preparation. SAP Host Agent offers the web service method SetDatabaseProperty for this. This preparation is also mandatory for outside discovery on all databases except SAP HANA.
For providing user credentials to SAP Host Agent, see the following SAP Notes:
SAP HANA: 2023587, Maintaining "hdbuserstore" using "setProperty" for SAP Host Agent
SAP ASE: 2236137, SYB: saphostctrl/sapdbctrl - enable discovery for native ASE database installations; 1797040, SYB: SAP Host Agent - Using global or local secure storage
MS SQL Server: 1877727, sapdbctrl: not member of sysadmin; 1564275, How to Install SAP Systems Using Virtual Host Names on Windows
Oracle Database: no note; the OS user is used by SAP Host Agent. Reference: http://scn.sap.com/docs/DOC-34217
IBM DB2 for LUW: no note; the OS user is used by SAP Host Agent. Reference: http://scn.sap.com/docs/DOC-34217
SAP MaxDB: 2018919, SAP MaxDB/SAP Host Agent: Setting connect information as SetDatabaseProperty
11.7 Technical Users for Managed OS
All requests from Focused Run to the simple diagnostics agent are sent to SAP Host Agent, which acts as a proxy for these requests. The requests must be authenticated with the OS user sapadm. This user is created as part of the SAP Host Agent installation. The sapadm user and its password then need to be provided when executing the SSI customer network creation in Focused Run.
An SM59 HTTP destination to SAP Host Agent is created automatically with this sapadm password the first time the host is registered at Focused Run. The automatic generation of SM59 HTTP destinations in Focused Run supports only one sapadm password per customer network. If the sapadm password differs between hosts, the SM59 HTTP destinations must be adapted manually. Note that a password shared across all hosts of a network means that a compromise of that password grants the same access on every host; if your policy requires per-host passwords, plan for the manual maintenance of the destinations.
12 CA APM EM Users
For more information, see the CA APM Security Guide:
https://support.ca.com/cadocs/0/CA%20Application%20Performance%20Management%209%206-ENU/Bookshelf_Files/HTML/APM--Security%20Guide/index.htm
13 System Landscape Data Router Configuration
The system landscape data router (SLDR) is a simple diagnostics agent application with a small footprint. It forwards the payload of SLD data suppliers to different SLDs of SAP NetWeaver Java or Focused Run. This is the same function as the NetWeaver Java SLD "Automatic Data Forwarding", except that no full NetWeaver Java installation is required.
The SLD data suppliers (SLD DS) send data to the SLDR, which requires inbound authentication. The SLDR then forwards the SLD DS payload to different targets, which also require authentication; these are the outbound authentications of the SLDR.
SSI sets up the Focused Run-relevant inbound and outbound users for the SLDR. The authentication to other outbound targets must be configured manually in the user interface of the diagnostics agent administration.
Refer to the Managed Systems Preparation guide for details about the number of SLDRs to enable in the relevant customer networks.
14 Enable Network Communication Encryption
For enabling network encryption, refer to the relevant documentation.
If you have questions or special requirements, contact the Focused Run team for project support.
• SAP NetWeaver
http://help.sap.com/saphelp_nw75/helpdata/en/49/2f0050d5ac612fe10000000a44176d/content.htm
• Simple Diagnostics Agent
Not enabled with the first delivery of Focused Run.
• System Landscape Data Router
Not enabled with the first delivery of Focused Run.
• SAP Host Agent
https://help.sap.com/saphelp_nw73ehp1/helpdata/en/6a/ac42c2e742413da050eaecd57f785d/content.htm
• CA APM EM
https://support.ca.com/cadocs/0/CA%20Application%20Performance%20Management%209%206-ENU/Bookshelf_Files/HTML/APM--Configuration%20Administration%20Guide/index.htm
• Proxy/reverse proxy (vendor-dependent)
o SAP Web Dispatcher
https://help.sap.com/saphelp_nw73ehp1/helpdata/en/49/3db10a19341067e10000000a42189c/content.htm?frameset=/en/48/8fe37933114e6fe10000000a421937/frameset.htm&current_toc=/en/ed/2429371ec14c23a7508affa1280d07/plain.htm&node_id=106&show_children=false
o Apache
http://httpd.apache.org/docs/2.4/ssl/
o Tiny Proxy
Not TLS/SSL-enabled
• Load balancer
o Software load balancer: SAP Web Dispatcher
https://help.sap.com/saphelp_nw73ehp1/helpdata/en/49/3db10a19341067e10000000a42189c/content.htm?frameset=/en/48/8fe37933114e6fe10000000a421937/frameset.htm&current_toc=/en/ed/2429371ec14c23a7508affa1280d07/plain.htm&node_id=106&show_children=false
o Other software load balancers are documented by the vendor.
o Hardware load balancers are documented by the vendor.
Where a component in this list is not TLS-enabled (Tiny Proxy, and the simple diagnostics agent and SLDR in the first delivery), the traffic it carries crosses the network in clear text; place such components only on network segments you control.
14.1 Configure Encryption Usage for Customer Network Configuration in SSI UI
Communication direction: Focused Run ABAP -> managed system
At the installation of a simple diagnostics agent, SSI automatically creates an SM59 HTTP destination to the SAP Host Agent of the known managed system (with sapadm as OS user). You can configure the SM59 HTTP destination to use SSL. The automatic configuration by SSI can be set either globally or specifically for each network using the SSI configuration UI SM59 HTTP.
14.2 Configure Encryption Usage for SDA Configuration in Agent Administration
Communication direction: managed system -> reverse proxy or Focused Run ABAP
At the installation of an SDA, the agent administration sends the basic configuration with the connection credentials to the SDA and enables TLS/SSL communication. Not available with the first delivery of Focused Run.
Further Information
The following documents provide more information:
Scenario description: see the documentation in SAP Solution Manager.
Configuration documentation: see the documentation in SAP Solution Manager.
Scenario security guide: see SAP Help Portal, https://help.sap.com/viewer/p/FOCUSED RUN.
15 Users and Authorizations in SAP Support Portal
To upload (LMDB technical data; for example, SAP service data for EWA) and download (license data; for example, ST-CONT updates), Focused Run requires the same authorizations for the S-user in SAP Service Marketplace as already known from SAP Solution Manager; no new authorization is added.
16 Addendum
16.1 Role Changes for FOCUSED RUN FP02
16.1.1 Roles Created for FP02
Role Name / Short description
SAP_FRN_AAD_MOAL_MOC: Authorize MO individual monitoring and alert configuration
SAP_FRN_AAD_SUM_ALL: All authorizations for SUM configuration
SAP_FRN_AAD_SUM_DISP: Display authorizations for SUM configuration
SAP_FRN_AAD_SUM_MAINT: Maintenance authorizations for SUM configuration
SAP_FRN_APP_AAD_ADM_ALL: All authorizations for application and admin for application advanced monitoring
SAP_FRN_APP_PAS_DISP: Display authorizations for predictive analytics
SAP_FRN_APP_SUM_ALL: All authorizations for app SUM
SAP_FRN_APP_SYA_WOD: All authorizations for app system analytics, but no user data
SAP_FRN_BTC_AEM: Authorizations for AEM-specific background processing
SAP_FRN_BTC_SMP: Authorizations for SMP-specific background processing
SAP_FRN_EXM: Role for technical user FRN_EXM_<CID>
SAP_FRN_FLP_CAT_AAD_AVM: Access to FOCUSED RUN FLP: Catalogue AVM Admin
SAP_FRN_FLP_CAT_AAD_SUM: Access to FOCUSED RUN FLP: Catalogue SUM application configuration
SAP_FRN_FLP_CAT_APP_SUM: Access to FOCUSED RUN FLP: Catalogue SUM applications
SAP_FRN_LDB_NOTIF_SSI: Authorizations: Execute for SSI admin application in BTC by FRN_BTC_LDB
SAP_FRN_LDB_OB_DSIP: Authorization to display all LMDB objects
SAP_FRN_SND_SNMP_TRAP: Authorizes sending alerts via SNMP trap
SAP_FRN_SUM: Role for technical user FRN_SUM_<CID>
16.1.2 Roles Changed with FP02
Role name / Short description
SAP_FRN_AAD_AIM_ALL: All authorizations for AIM administration
SAP_FRN_AAD_AIM_DISP: Display authorizations for AIM administration
SAP_FRN_AAD_AVM_ALL: All authorizations to administer application advanced monitoring
SAP_FRN_AAD_AVM_DISP: Display authorizations to administer application advanced monitoring
SAP_FRN_AAD_CSA_ALL: All authorizations for CSA administration
SAP_FRN_AAD_CSA_DISP: Authorization for CSA administration in display mode
SAP_FRN_AAD_CSA_MAINT: Authorization for CSA administration in maintenance mode, but not templates
SAP_FRN_AAD_RUM_ALL: All authorizations for RUM administration
SAP_FRN_AAD_SYA_ALL: All authorizations for system analytics application administration
SAP_FRN_AEM_UMD_ALR: Authorization to create unmodeled alerts
SAP_FRN_APP_AEM_ALR_INB_DISP: Access to alert inbox display; no confirm
SAP_FRN_APP_AVM_ALL: All authorizations for application advanced monitoring
SAP_FRN_APP_CSA_DISP: Authorization for CSA APP in display mode
SAP_FRN_APP_CSA_MAINT: Authorization for CSA APP in maintenance mode
SAP_FRN_APP_CSA_PROTECTED: Authorization for CSA APP in display mode, including protected results
SAP_FRN_APP_GP_ALL: Full access to guided procedures application
SAP_FRN_APP_GP_DISP: Display access to guided procedures application
SAP_FRN_APP_GP_EXE: Execute access to guided procedures application
SAP_FRN_APP_MOAL_ALL: All authorizations for system monitoring and alert management
SAP_FRN_APP_MOAL_DISP: Display authorizations for system monitoring and alert management
SAP_FRN_APP_RUM_ALL: All authorizations for app RUM
SAP_FRN_APP_SYA_ALL: All authorizations for system analysis application
SAP_FRN_APP_TA_ALL: All authorizations for app trace analysis
66
PUBLIC
© 2018 SAP SE or an SAP affiliate company. All rights reserved.
Focused Run for SAP Solution Manager
Addendum
Role name Short description
SAP_FRN_APP_TA_DISP Display authorizations for APP trace Analysis
SAP_FRN_BTC_CSA Authorizations for CSA specific background
processing
SAP_FRN_BTC_GPA Authorizations for GPA specific background
processing
SAP_FRN_CNM_ALL Notification management - full authorization
SAP_FRN_CNM_DISP Central notification management display
authorizations
SAP_FRN_FLP_CAT_GPB Access to FOCUSED RUN FLP: Catalogue GP ASM
SAP_FRN_FLP_CAT_GPR Access to FOCUSED RUN FLP: Catalogue GP AEM
SAP_FRN_LDB_ALL FOCUSED RUN LMDB full access
SAP_FRN_LDB_DISP FOCUSED RUN LMDB object display
SAP_FRN_LDB_MAINT FOCUSED RUN LMDB object maintain
SAP_FRN_LICM_ALL Full access to license management application
SAP_FRN_SDA_ALL All authorizations for SDA admin application
SAP_FRN_SDA_DISP Display authorizations for SDA admin application
SAP_FRN_SDA_MAINT Maintenance authorizations for SDA Admin
application
SAP_FRN_SDAGENT_AIM_MS AIM authorizations for SDAgent User
SAP_FRN_SDAGENT_GPA_MS GPA authorizations for SDAgent User
SAP_FRN_SRA_ALL All authorizations for scheduling aggregation and
replication FWK
SAP_FRN_SSI_ALL All authorizations - Super Admin - for SSI admin
application
SAP_FRN_SSI_APMAINT Authorizations - application admin (expert) - for SSI
admin application
SAP_FRN_SSI_MAINT Authorizations: Execute for SSI admin application
SAP_FRN_SSI_WSEXEC Access to execute SSI web services
SAP_FRN_UI5_PERS_PUB Authorizations to create public UI5 custom pages
16.2 Cross FOCUSED RUN Application Roles
Role Name | Short Text
SAP_FRN_CNW_ACCESS | Grant access on level of customer networks, customer, or datacenter
SAP_FRN_LDB_OB_DSIP | Grant access on level of technical system and hosts
16.3 FOCUSED RUN Tool Roles
Role | Short Text
SAP_FRN_SCOPE_SEL | Role to authorize scope selection for FOCUSED RUN
SAP_FRN_CNM_SND_NOTIF | Authorizations to send notifications
SAP_FRN_APP_AEM_ALR_INB_DISP | Access to alert inbox display; no confirm
SAP_FRN_APP_AEM_ALR_TIC | Access to alert ticker
16.4 All SAP Fiori Roles sorted by SAP Fiori Group Names
16.4.1 General SAP Fiori roles
Function | Role | FOCUSED RUN Short Text
Launch SAP Fiori Launchpad | SAP_FRN_FLP_EMBEDDED | Embedded use of SAP Fiori launchpad in SAP FOCUSED RUN
Public UI5 Personalization | SAP_FRN_UI5_PERS_PUB | Authorizations to create public UI5 Custom Pages
Public Scope Selection Filter | SAP_FRN_SCOPE_SEL_PUB_FILTER | Authorizations to create public filters for scope selection
16.4.2 Focus Run Home
SAP Fiori Tile Title / Sub title | Role | FOCUSED RUN Short Text
SAP Focused Solutions for SAP Solution Manager | SAP_FRN_FLP_0_FRNH | Access to FOCUSED RUN FLP: Group & Catalogue FRNH
SAP Focused Run / SAP Help Portal | SAP_FRN_FLP_0_FRNH | Access to FOCUSED RUN FLP: Group & Catalogue FRNH
SAP Focused Run / Technical Details | SAP_FRN_FLP_0_FRNH | Access to FOCUSED RUN FLP: Group & Catalogue FRNH
SAP Focused Run / Whitepaper | SAP_FRN_FLP_0_FRNH | Access to FOCUSED RUN FLP: Group & Catalogue FRNH
16.4.3 Advanced System Management
SAP Fiori Tile Title / Sub title | Role | FOCUSED RUN Short Text
- | SAP_FRN_FLP_1_ASM | Access to FOCUSED RUN FLP: Group ASM
System Monitoring | SAP_FRN_FLP_CAT_APP_SYM | Access to FOCUSED RUN FLP: Catalogue system monitoring applications
System Monitoring / Template Maintenance | SAP_FRN_FLP_CAT_AAD_SYM | Access to FOCUSED RUN FLP: Catalogue system monitoring application administration
System Monitoring / Individual Maintenance | SAP_FRN_FLP_CAT_AAD_SYM | Access to FOCUSED RUN FLP: Catalogue system monitoring application administration
System Monitoring / Content Update | SAP_FRN_FLP_CAT_AAD_SYM | Access to FOCUSED RUN FLP: Catalogue system monitoring application administration
Advanced Monitoring | SAP_FRN_FLP_CAT_AVM | Access to FOCUSED RUN FLP: Catalogue AVM
Advanced Monitoring / Configuration | SAP_FRN_FLP_CAT_AAD_AVM | Access to FOCUSED RUN FLP: Catalogue AVM admin
System Analytics | SAP_FRN_FLP_CAT_APP_SYA | Access to FOCUSED RUN FLP: Catalogue system analytics application
System Analytics / Configuration | SAP_FRN_FLP_CAT_APP_SYA | Access to FOCUSED RUN FLP: Catalogue system analytics application
System Management Guided Procedure Catalogue | SAP_FRN_FLP_CAT_GPB | Access to FOCUSED RUN FLP: Catalogue GP ASM
System Management Guided Procedure Reporting | SAP_FRN_FLP_CAT_GPB | Access to FOCUSED RUN FLP: Catalogue GP ASM
IT Calendar & Work Mode Management | SAP_FRN_FLP_CAT_APP_ITC | Access to FOCUSED RUN FLP: Catalogue IT CAL & WMM application
Service Availability Management | SAP_FRN_FLP_CAT_APP_SAM | Access to FOCUSED RUN FLP: Catalogue SAM application
License Management | SAP_FRN_FLP_CAT_LICM | Access to FOCUSED RUN FLP: Catalogue LICM
EWA Reports / ONE Support Cloud | SAP_FRN_FLP_CAT_EWA | Access to FOCUSED RUN FLP: Catalogue EWA
Maintenance Planner / ONE Support Cloud | SAP_FRN_FLP_CAT_MPL | Access to FOCUSED RUN FLP: Catalogue MPL
16.4.4 Advanced User Monitoring
SAP Fiori Tile Title / Sub title | Role | FOCUSED RUN Short Text
- | SAP_FRN_FLP_2_AUM | Access to FOCUSED RUN FLP: Group AUM
Real User Monitoring | SAP_FRN_FLP_CAT_APP_RUM | Access to FOCUSED RUN FLP: Catalogue RUM applications
Real User Monitoring / Configuration | SAP_FRN_FLP_CAT_AAD_RUM | Access to FOCUSED RUN FLP: Catalogue RUM application administration
Synthetic User Monitoring | SAP_FRN_FLP_CAT_APP_SUM | Access to FOCUSED RUN FLP: Catalogue SUM applications
Synthetic User Monitoring / Configuration | SAP_FRN_FLP_CAT_AAD_SUM | Access to FOCUSED RUN FLP: Catalogue SUM application configuration
Trace Analysis | SAP_FRN_FLP_CAT_APP_TA | Access to FOCUSED RUN FLP: Catalogue TA applications
16.4.5 Advanced Integration Monitoring
SAP Fiori Tile Title / Sub title | Role | FOCUSED RUN Short Text
- | SAP_FRN_FLP_3_1_AIM | Access to FOCUSED RUN FLP: Group AIM
Integration Monitoring | SAP_FRN_FLP_CAT_APP_AIM | Access to FOCUSED RUN FLP: Catalogue AIM applications
Integration Monitoring / Configuration | SAP_FRN_FLP_CAT_AAD_AIM | Access to FOCUSED RUN FLP: Catalogue AIM administration
Cloud Service Management / Configuration | SAP_FRN_FLP_CAT_AAD_AIM | Access to FOCUSED RUN FLP: Catalogue AIM administration
16.4.6 Advanced Event & Alert Management
SAP Fiori Tile Title / Sub title | Role | FOCUSED RUN Short Text
- | SAP_FRN_FLP_3_AEM | Access to FOCUSED RUN FLP: Group AEM
Alert Management | SAP_FRN_FLP_CAT_APP_AEM | Access to FOCUSED RUN FLP: Catalogue AEM applications
Alert Management / Alerting Consumer Settings | SAP_FRN_FLP_CAT_AAD_AEM | Access to FOCUSED RUN FLP: Catalogue AEM application administration
Alert Management / Guided Procedure Catalogue | SAP_FRN_FLP_CAT_GPR | Access to FOCUSED RUN FLP: Catalogue GP AEM
Alert Management / Guided Procedure Reporting | SAP_FRN_FLP_CAT_GPR | Access to FOCUSED RUN FLP: Catalogue GP AEM
16.4.7 Configuration and Security Analytics
SAP Fiori Tile Title / Sub title | Role | FOCUSED RUN Short Text
- | SAP_FRN_FLP_4_CSA | Access to FOCUSED RUN FLP: Group CSA
Configuration & Security Analytics | SAP_FRN_FLP_CAT_APP_CSA | Access to FOCUSED RUN FLP: Catalogue CSA applications
Configuration & Security Analytics / Administration | SAP_FRN_FLP_CAT_AAD_CSA | Access to FOCUSED RUN FLP: Catalogue CSA application administration
16.4.8 Infrastructure Administration
SAP Fiori Tile Title / Sub title | Role | FOCUSED RUN Short Text
- | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration
LMDB Object Maintenance | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration
Setup | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration
Administration | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration
Global Settings & Network Configuration | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration
Simple System Integration | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration
Agent Administration | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration
Agent Mass Update | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration
Self-Monitoring | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration
Self-Monitoring Dashboard | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration
Central Notification Management | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration
Expert Scheduling Management Cockpit | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration
16.5 All Application Roles Sorted by FOCUSED RUN Applications
Where cross-application roles are used, they are listed redundantly.
16.5.1 Advanced System Management (ASM)
Detail function | Role Name | Short description
"Cross application" (assign independent of application) | SAP_FRN_CNW_ACCESS | Role to grant access to FOCUSED RUN customer networks
"Cross application" | SAP_FRN_LDB_OB_DSIP | Authorization to display all LMDB objects
"Tools" (assign independent of application) | SAP_FRN_SCOPE_SEL | Role to authorize scope selection for FOCUSED RUN
"Tools" | SAP_FRN_CNM_SND_NOTIF | Authorizations to send notifications
"Tools" | SAP_FRN_APP_AEM_ALR_INB_DISP | Access to alert inbox display; no confirm
"Tools" | SAP_FRN_APP_AEM_ALR_TIC | Access to alert ticker
System Monitoring | SAP_FRN_APP_MOAL_DISP | Display authorizations for system monitoring and alert management
System Monitoring | SAP_FRN_AAD_MOAL_MOC | Authorize MO individual monitoring and alert configuration
System Monitoring | SAP_FRN_APP_MOAL_ALL | All authorizations for system monitoring and alert management
System Monitoring | SAP_FRN_AAD_MOAL_ALL | All authorizations for system monitoring and alert management administration
System Monitoring | SAP_FRN_APP_PAS_DISP | Display authorizations for predictive analytics
Advanced Monitoring | SAP_FRN_APP_AVM_ALL | All authorizations for application advanced monitoring
Advanced Monitoring | SAP_FRN_AAD_AVM_DISP | Display authorizations to administer application advanced monitoring
Advanced Monitoring | SAP_FRN_SDA_DISP | Display authorizations for SDA admin application
Advanced Monitoring | SAP_FRN_AAD_AVM_ALL | All authorizations to administer application advanced monitoring
Advanced Monitoring | SAP_FRN_SDA_MAINT | Maintenance authorizations for SDA admin application
System Analytics | SAP_FRN_APP_SYA_ALL | All authorizations for system analysis application
System Analytics | SAP_FRN_APP_PAS_DISP | Display Authorizations for Predictive Analytics
System Analytics | SAP_FRN_APP_SYA_WOD | All authorizations for System Analysis Application
System Analytics | SAP_FRN_AAD_SYA_ALL | All authorizations for System Analytics Application Administration
Guided Procedure Catalogue/Reporting | SAP_FRN_APP_GP_DISP | Display access to Guided Procedures Application
Guided Procedure Catalogue/Reporting | SAP_FRN_APP_GP_EXE | Execute access to Guided Procedures Application
Guided Procedure Catalogue/Reporting | SAP_FRN_APP_GP_ALL | Full access to Guided Procedures Application
IT Calendar & Work Mode Management | SAP_FRN_APP_ITC | Authorize using IT-Calendar
IT Calendar & Work Mode Management | SAP_FRN_APP_WMM_DISP | Work Mode Management Display Authorizations
IT Calendar & Work Mode Management | SAP_FRN_APP_WMM_ALL | Work Mode Management Full Authorizations
Service Availability Management | SAP_FRN_APP_SAM_DISP | Service Availability Management Display authorizations
Service Availability Management | SAP_FRN_APP_SAM_OUTAGE | Authorizations for SAM Application: Manage Outages
Service Availability Management | SAP_FRN_APP_SAM_OUTAGE_REV | Authorizations for SAM Application: Review Outages
Service Availability Management | SAP_FRN_APP_SAM_DEF | Authorizations for SAM Application: Manage Service Definitions
Service Availability Management | SAP_FRN_APP_SAM_ALL | All Authorizations for SAM Application
License Management | SAP_FRN_LICM_ALL | Full access to License Management Application
16.5.2 Advanced User Monitoring (AUM)
Detail function | Role Name | Short description
"Cross application" (assign independent of application) | SAP_FRN_CNW_ACCESS | Role to grant access to FOCUSED RUN Customer Networks
"Cross application" | SAP_FRN_LDB_OB_DSIP | Authorization to display all LMDB Objects
"Tools" (assign independent of application) | SAP_FRN_APP_AEM_ALR_INB_DISP | Access to Alert Inbox Display; no Confirm
"Tools" | SAP_FRN_CNM_SND_NOTIF | Authorizations to send Notifications
"Tools" | SAP_FRN_APP_AEM_ALR_TIC | Access to Alert Ticker
Real User Monitoring | SAP_FRN_APP_RUM_WOD | All authorizations for App RUM, but no user data
Real User Monitoring | SAP_FRN_APP_RUM_ALL | All authorizations for App RUM
Real User Monitoring | SAP_FRN_SDA_MAINT | Maintenance authorizations for SDA Admin application
(Attention)
Real User Monitoring | SAP_FRN_AAD_RUM_ALL | All Authorizations for RUM Administration
Synthetic User Monitoring | SAP_FRN_APP_TA_DISP | Display Authorizations for APP Trace Analysis
Synthetic User Monitoring | SAP_FRN_APP_SUM_ALL | All authorizations for App SUM
Synthetic User Monitoring | SAP_FRN_SDA_DISP | Display authorizations for SDA Admin application
Synthetic User Monitoring | SAP_FRN_AAD_SUM_DISP | Display Authorizations for SUM Configuration
Synthetic User Monitoring | SAP_FRN_SDA_MAINT | Maintenance authorizations for SDA Admin application
Synthetic User Monitoring | SAP_FRN_AAD_SUM_MAINT | Maintenance Authorizations for SUM Configuration
Synthetic User Monitoring | SAP_FRN_AAD_SUM_ALL | All Authorizations for SUM Configuration
Trace Analysis | SAP_FRN_APP_TA_DISP | Display Authorizations for APP Trace Analysis
Trace Analysis | SAP_FRN_APP_TA_ALL | All Authorizations for APP Trace Analysis
(Attention) This role is especially security-relevant. The owner of this role is able to see the user ID of the user
sending a request monitored by RUM. This authorization is mandatory for investigating subjective complaints
(such as "slow response times") by an end user: if the application is monitored by RUM, find the user's request by
searching for the user ID to see the measured response time and where the time is spent. This authorization is also
mandatory for SAP dev-support. Grant this authorization to selected users only. For more information, see also
8.3 Special protected tables.
16.5.3 Advanced Integration Monitoring (AIM)
Detail function | Role Name | Short description
"Cross application" (assign independent of application) | SAP_FRN_CNW_ACCESS | Role to grant access to FOCUSED RUN Customer Networks
"Cross application" | SAP_FRN_LDB_OB_DSIP | Authorization to display all LMDB Objects
"Tools" (assign independent of application) | SAP_FRN_APP_AEM_ALR_INB_DISP | Access to Alert Inbox Display; no Confirm
"Tools" | SAP_FRN_APP_AEM_ALR_TIC | Access to Alert Ticker
"Tools" | SAP_FRN_CNM_SND_NOTIF | Authorizations to send Notifications
Integration Monitoring | SAP_FRN_APP_AIM_DISP | Display Authorizations for Integration Monitoring
Integration Monitoring | SAP_FRN_APP_AIM_ALL | All Authorizations for Integration Monitoring
Integration Monitoring | SAP_FRN_SRA_ALL | All Auth. for Appl. Scheduling Aggregation & Replication FWK
(Attention)
Integration Monitoring | SAP_FRN_AAD_AIM_ALL | All Authorizations for AIM Administration
Integration Monitoring | SAP_FRN_SRA_DISP | Display Auth. for Appl. Scheduling Aggregation & Replication FWK
Integration Monitoring | SAP_FRN_AAD_AIM_DISP | Display Authorizations for AIM Administration
Cloud Service Administration | SAP_FRN_SRA_ALL | All Auth. for Appl. Scheduling Aggregation & Replication FWK
Cloud Service Administration | SAP_FRN_AAD_AIM_ALL | All Authorizations for AIM Administration
Cloud Service Administration | SAP_FRN_SRA_DISP | Display Auth. for Appl. Scheduling Aggregation & Replication FWK
Cloud Service Administration | SAP_FRN_AAD_AIM_DISP | Display Authorizations for AIM Administration
(Attention) This role is especially security-relevant. The owner of this role is able to see the business payload of the
electronic document monitored by AIM, if payload data monitoring is customized. This authorization is mandatory
for investigating problems with the processing of certain payloads, if the endpoint and document type are monitored by
AIM. This authorization is also mandatory for SAP dev-support. Grant this authorization to selected
users only. For more information, see also section 8.3 Special protected tables.
16.5.4 Advanced Event & Alert Management (AEM)
Detail function | Role Name | Short description
"Cross application" (assign independent of application) | SAP_FRN_CNW_ACCESS | Role to grant access to FOCUSED RUN Customer Networks
"Cross application" | SAP_FRN_LDB_OB_DSIP | Authorization to display all LMDB Objects
"Tools" (assign independent of application) | SAP_FRN_SCOPE_SEL | Role to authorize Scope Selection for FOCUSED RUN
"Tools" | SAP_FRN_CNM_SND_NOTIF | Authorizations to send Notifications
"Tools" | SAP_FRN_APP_AEM_ALR_INB_DISP | Access to Alert Inbox Display; no Confirm
"Tools" | SAP_FRN_APP_AEM_ALR_TIC | Access to Alert Ticker
Alert Management | SAP_FRN_APP_GP_EXE | Execute access to Guided Procedures Application
Alert Management | SAP_FRN_APP_MOAL_ALL | All authorizations for System Monitoring & Alert Management
Alert Management | SAP_FRN_AAD_MOAL_ALL | All authorizations for System Monitoring & Alert Management Administration
Guided Procedure Catalogue/Reporting | SAP_FRN_APP_GP_DISP | Display access to Guided Procedures Application
Guided Procedure Catalogue/Reporting | SAP_FRN_APP_GP_EXE | Execute access to Guided Procedures Application
Guided Procedure Catalogue/Reporting | SAP_FRN_APP_GP_ALL | Full access to Guided Procedures Application
16.5.5 Configuration & Security Analytics (CSA)
Detail function | Role Name | Short description
"Cross application" (assign independent of application) | SAP_FRN_CNW_ACCESS | Role to grant access to FOCUSED RUN Customer Networks
"Cross application" | SAP_FRN_LDB_OB_DSIP | Authorization to display all LMDB Objects
"Tools" (assign independent of application) | SAP_FRN_SCOPE_SEL | Role to authorize Scope Selection for FOCUSED RUN
"Tools" | SAP_FRN_CNM_SND_NOTIF | Authorizations to send Notifications
"Tools" | SAP_FRN_APP_AEM_ALR_INB_DISP | Access to Alert Inbox Display; no Confirm
"Tools" | SAP_FRN_APP_AEM_ALR_TIC | Access to Alert Ticker
Configuration & Security Analytics | SAP_FRN_APP_AEM_ALR_INB_DISP | Access to Alert Inbox Display; no Confirm
Configuration & Security Analytics | SAP_FRN_APP_CSA_DISP | Authorization for CSA APP in display mode
Configuration & Security Analytics | SAP_FRN_APP_CSA_MAINT | Authorization for CSA APP: in Maintenance Mode
Configuration & Security Analytics | SAP_FRN_APP_CSA_PROTECTED | Authorization for CSA APP in display mode, but incl. protected results
Configuration & Security Analytics | SAP_FRN_AAD_CSA_DISP | Authorization for CSA Administration: in Display Mode
Configuration & Security Analytics | SAP_FRN_AAD_CSA_MAINT | Authorization for CSA Administration: in Maintenance Mode, but not templates
Configuration & Security Analytics | SAP_FRN_AAD_CSA_ALL | All Authorization for CSA Administration
16.5.6 Infrastructure Administration
Detail function | Role Name | Short description
"Cross application" (assign independent of application) | SAP_FRN_CNW_ACCESS | Role to grant access to FOCUSED RUN Customer Networks
LMDB | SAP_FRN_LDB_DISP | FOCUSED RUN LMDB Object Display
LMDB | SAP_FRN_LDB_MAINT | FOCUSED RUN LMDB Object Maintain
LMDB | SAP_FRN_LDB_ALL | FOCUSED RUN LMDB Full Access
Global Settings & Network Configuration | SAP_FRN_LDB_DISP | FOCUSED RUN LMDB Object Display
Global Settings & Network Configuration | SAP_FRN_SDA_DISP | Display authorizations for SDA Admin application
Global Settings & Network Configuration | SAP_FRN_SSI_WSEXEC | Access to Execute SSI Web Services
Global Settings & Network Configuration | SAP_FRN_SSI_DISP | Display authorizations for SSI Admin application
Global Settings & Network Configuration | SAP_FRN_LDB_ALL | FOCUSED RUN LMDB Full Access
Global Settings & Network Configuration | SAP_FRN_SDA_MAINT | Maintenance authorizations for SDA Admin application
Global Settings & Network Configuration | SAP_FRN_SSI_MAINT | Authorizations: Execute for SSI Admin application
Global Settings & Network Configuration | SAP_FRN_SSI_APMAINT | Authorizations - Application Admin (Expert) - for SSI Admin application
Global Settings & Network Configuration | SAP_FRN_SDA_ALL | All Authorizations for SDA Admin application
Global Settings & Network Configuration | SAP_FRN_SSI_ALL | All Authorizations - Super Admin - for SSI Admin application
Simple System Integration | SAP_FRN_LDB_DISP | FOCUSED RUN LMDB Object Display
Simple System Integration | SAP_FRN_SDA_DISP | Display authorizations for SDA Admin application
Simple System Integration | SAP_FRN_SSI_WSEXEC | Access to Execute SSI Web Services
Simple System Integration | SAP_FRN_SSI_DISP | Display authorizations for SSI Admin application
Simple System Integration | SAP_FRN_LDB_ALL | FOCUSED RUN LMDB Full Access
Simple System Integration | SAP_FRN_SDA_MAINT | Maintenance authorizations for SDA Admin application
Simple System Integration | SAP_FRN_SSI_MAINT | Authorizations: Execute for SSI Admin application
Simple System Integration | SAP_FRN_SSI_APMAINT | Authorizations - Application Admin (Expert) - for SSI Admin application
Simple System Integration | SAP_FRN_SDA_ALL | All Authorizations for SDA Admin application
Simple System Integration | SAP_FRN_SSI_ALL | All Authorizations - Super Admin - for SSI Admin application
Agent Administration | SAP_FRN_LDB_DISP | FOCUSED RUN LMDB Object Display
Agent Administration | SAP_FRN_SDA_DISP | Display authorizations for SDA Admin application
Agent Administration | SAP_FRN_SDA_MAINT | Maintenance authorizations for SDA Admin application
Agent Administration | SAP_FRN_SDA_ALL | All Authorizations for SDA Admin application
Agent Mass Update | SAP_FRN_LDB_DISP | FOCUSED RUN LMDB Object Display
Agent Mass Update | SAP_FRN_SDA_DISP | Display authorizations for SDA Admin application
Agent Mass Update | SAP_FRN_SDA_MAINT | Maintenance authorizations for SDA Admin application
Agent Mass Update | SAP_FRN_SDA_ALL | All Authorizations for SDA Admin application
Self-Monitoring / Self-Monitoring Dashboard | SAP_FRN_APP_MOAL_DISP | Display authorizations for System Monitoring & Alert Management
Central Notification Management | SAP_FRN_CNM_DISP | Central Notification Management Display authorizations
Central Notification Management | SAP_FRN_CNM_ALL | Notification Management - full authorization
Expert Scheduling Management Cockpit | SAP_FRN_LDB_OB_DSIP | Authorization to display all LMDB Objects
Expert Scheduling Management Cockpit | SAP_FRN_SRA_DISP | Display Auth. for Appl. Scheduling Aggregation & Replication FWK
Expert Scheduling Management Cockpit | SAP_FRN_SRA_ALL | All Auth. for Appl. Scheduling Aggregation & Replication FWK
16.5.7 MAI Tools (transaction "mai_tools")
Role Name | Short description
SAP_FRN_AAD_MOAL_ALL | All authorizations for System Monitoring & Alert Management Administration
SAP_FRN_APP_MOAL_ALL | All authorizations for System Monitoring & Alert Management
SAP_FRN_LDB_ALL | FOCUSED RUN LMDB Full Access
SAP_FRN_SDA_ALL | All Authorizations for SDA Admin application
16.5.8 Customer Network access
Role Name | Short description
SAP_FRN_CNW_ACCESS_ADMIN | Role to grant access to all FOCUSED RUN Customer Networks as an Admin
SAP_FRN_CNW_ACCESS | Role to grant access to FOCUSED RUN Customer Networks
16.5.9 Partner Reporting
Role Name | Short description
SAP_FRN_OPR_ALL | All authorizations for Partner Reporting
16.6 Role changes for FOCUSED RUN FP 02
16.6.1 Roles created for FP02
Role Name | Short description
SAP_FRN_AAD_MOAL_MOC | Authorize MO individual Monitoring & Alert Configuration
SAP_FRN_AAD_SUM_ALL | All Authorizations for SUM Configuration
SAP_FRN_AAD_SUM_DISP | Display authorizations for SUM Configuration
SAP_FRN_AAD_SUM_MAINT | Maintenance Authorizations for SUM Configuration
SAP_FRN_APP_AAD_ADM_ALL | All authorizations for Application & Admin for Application Adv. Monitoring
SAP_FRN_APP_PAS_DISP | Display authorizations for Predictive Analytics
SAP_FRN_APP_SUM_ALL | All authorizations for App SUM
SAP_FRN_APP_SYA_WOD | All authorizations for App System Analytics, but no user data
SAP_FRN_BTC_AEM | Authorizations for AEM specific background processing
SAP_FRN_BTC_SMP | Authorizations for SPM specific background processing
SAP_FRN_EXM | Role for technical user FRN_EXM_<CID>
SAP_FRN_FLP_CAT_AAD_AVM | Access to FOCUSED RUN FLP: Catalogue AVM Admin
SAP_FRN_FLP_CAT_AAD_SUM | Access to FOCUSED RUN FLP: Catalogue SUM Application Configuration
SAP_FRN_FLP_CAT_APP_SUM | Access to FOCUSED RUN FLP: Catalogue SUM Applications
SAP_FRN_LDB_NOTIF_SSI | Authorizations: Execute for SSI Admin application in BTC by FRN_BTC_LDB
SAP_FRN_LDB_OB_DSIP | Authorization to display all LMDB Objects
SAP_FRN_SND_SNMP_TRAP | Authorizes Sending alerts via SNMP Trap
SAP_FRN_SUM | Role for technical user FRN_SUM_<CID>
16.6.2 Roles changed for FP02
Role Name | Short description
SAP_FRN_AAD_AIM_ALL | All Authorizations for AIM Administration
SAP_FRN_AAD_AIM_DISP | Display Authorizations for AIM Administration
SAP_FRN_AAD_AVM_ALL | All authorizations to Administer Application Adv. Monitoring
SAP_FRN_AAD_AVM_DISP | Display authorizations to Administer Application Adv. Monitoring
SAP_FRN_AAD_CSA_ALL | All Authorization for CSA Administration
SAP_FRN_AAD_CSA_DISP | Authorization for CSA Administration: in Display Mode
SAP_FRN_AAD_CSA_MAINT | Authorization for CSA Administration: in Maintenance Mode, but not templates
SAP_FRN_AAD_RUM_ALL | All Authorizations for RUM Administration
SAP_FRN_AAD_SYA_ALL | All authorizations for System Analytics Application Administration
SAP_FRN_AEM_UMD_ALR | Authorization to create unmodeled Alerts
SAP_FRN_APP_AEM_ALR_INB_DISP | Access to Alert Inbox Display; no Confirm
SAP_FRN_APP_AVM_ALL | All authorizations for Application Adv. Monitoring
SAP_FRN_APP_CSA_DISP | Authorization for CSA APP in display mode
SAP_FRN_APP_CSA_MAINT | Authorization for CSA APP: in Maintenance Mode
SAP_FRN_APP_CSA_PROTECTED | Authorization for CSA APP in display mode, but incl. protected results
SAP_FRN_APP_GP_ALL | Full access to Guided Procedures Application
SAP_FRN_APP_GP_DISP | Display access to Guided Procedures Application
SAP_FRN_APP_GP_EXE | Execute access to Guided Procedures Application
SAP_FRN_APP_MOAL_ALL | All authorizations for System Monitoring & Alert Management
SAP_FRN_APP_MOAL_DISP | Display authorizations for System Monitoring & Alert Management
SAP_FRN_APP_RUM_ALL | All authorizations for App RUM
SAP_FRN_APP_SYA_ALL | All authorizations for System Analysis Application
SAP_FRN_APP_TA_ALL | All Authorizations for APP Trace Analysis
SAP_FRN_APP_TA_DISP | Display Authorizations for APP Trace Analysis
SAP_FRN_BTC_CSA | Authorizations for CSA specific background processing
SAP_FRN_BTC_GPA | Authorizations for GPA specific background processing
SAP_FRN_CNM_ALL | Notification Management - full authorization
SAP_FRN_CNM_DISP | Central Notification Management Display authorizations
SAP_FRN_FLP_CAT_GPB | Access to FOCUSED RUN FLP: Catalogue GP ASM
SAP_FRN_FLP_CAT_GPR | Access to FOCUSED RUN FLP: Catalogue GP AEM
SAP_FRN_LDB_ALL | FOCUSED RUN LMDB Full Access
SAP_FRN_LDB_DISP | FOCUSED RUN LMDB Object Display
SAP_FRN_LDB_MAINT | FOCUSED RUN LMDB Object Maintain
SAP_FRN_LICM_ALL | Full access to License Management Application
SAP_FRN_SDA_ALL | All Authorizations for SDA Admin application
SAP_FRN_SDA_DISP | Display authorizations for SDA Admin application
SAP_FRN_SDA_MAINT | Maintenance authorizations for SDA Admin application
SAP_FRN_SDAGENT_AIM_MS | AIM Authorizations for SDAgent User
SAP_FRN_SDAGENT_GPA_MS | GPA Authorizations for SDAgent User
SAP_FRN_SRA_ALL | All Auth. for Appl. Scheduling Aggregation & Replication FWK
SAP_FRN_SSI_ALL | All Authorizations - Super Admin - for SSI Admin application
SAP_FRN_SSI_APMAINT | Authorizations - Application Admin (Expert) - for SSI Admin application
SAP_FRN_SSI_MAINT | Authorizations: Execute for SSI Admin application
SAP_FRN_SSI_WSEXEC | Access to Execute SSI Web Services
SAP_FRN_UI5_PERS_PUB | Authorizations to create public UI5 Custom Pages
To grant full authorization for the authorization objects, you need to maintain these objects as follows:
8. In the Role Maintenance, choose the Authorizations tab.
9. Choose the Change button.
10. Maintain all activity values for each authorization object according to your needs. For instance, if you
want to grant full authorization, always choose all activities.
11. Generate the profile.
12. To assign this profile to a user, choose the User tab and add your user in the table.
Note: If users are already assigned, also execute the user comparison.
13. Save.
Result: You have now created a role for your specific needs.
This procedure is similar to the maintenance of the role introduced by FP01, SAP_FRN_CNW_ACCESS, for
network-controlled data access. See the short description below:
If the LMDB scope is set to LMDB_CN ("limited access, authorization object LMDB_CN will be used"), the
LMDB_CN object authorizations are evaluated.
16.7 Roles with authorization objects to be maintained
The roles listed below contain authorization object fields delivered by SAP with <empty> authorizations.
Maintain the field values in your customer roles to grant access to dedicated LMDB namespaces and to grant
application authorizations, depending on the dialog user roles.
The table below is for overview purposes. It contains the authorization objects and fields to be maintained; other
authorization objects and fields are not listed. You can view and work with the roles in transaction PFCG; refer to
the PFCG documentation for details.
The maintenance of the roles for technical users and the most important roles for dialog users are described in
previous chapters.
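A practical way to verify that these fields were actually maintained, and not simply filled with a wildcard, is to run a small review over an export of the role authorization data. The Python below is an added example written for this guide, not SAP code: it transcribes the recommended values from the table into a lookup (only the rows whose role assignment is unambiguous), assumes the role data was exported from PFCG into records of role, object, field and low value (for instance from table AGR_1251), and flags fields that are still <empty> or that carry `*` where the table recommends a customer-specific value. The export records in the block are constructed sample data.

```python
"""Least-privilege review of the authorization object fields that SAP delivers
<empty> in the Focused Run roles (section 16.7 of the Security Guide).

Added example, not SAP code. Assumes an export of role authorization data in
the shape of table AGR_1251 (role, object, field, low value); the records in
SAMPLE_EXPORT are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Recommended values transcribed from the guide's table (section 16.7).
# "*" means the guide itself accepts the full wildcard for FP2;
# "Custom" means a customer-specific restriction is expected.
RECOMMENDED = {
    ("SAP_FRN_CNW_ACCESS", "LMDB_CN", "LDB_CUSNET"): "Custom",
    ("SAP_FRN_CNW_ACCESS", "LMDB_CN", "LDB_CUST"): "Custom",
    ("SAP_FRN_CNW_ACCESS", "LMDB_CN", "LDB_DC"): "Custom",
    ("SAP_FRN_AAD_MOAL_ALL", "S_BTCH_JOB", "JOBGROUP"): "*",
    ("SAP_FRN_AAD_MOAL_ALL", "S_SYS_RWBO", "DESTSYS"): "Custom",
    ("SAP_FRN_AAD_MOAL_ALL", "S_SYS_RWBO", "DOMAIN"): "Custom",
    ("SAP_FRN_AAD_MOAL_ALL", "S_DATASET", "FILENAME"): "*",
    ("SAP_FRN_AAD_SYA_ALL", "S_BTCH_JOB", "JOBGROUP"): "*",
    ("SAP_FRN_LICM_ALL", "S_DATASET", "FILENAME"): "*",
    ("SAP_FRN_APP_GP_DISP", "S_DEVELOP", "DEVCLASS"): "Custom",
    ("SAP_FRN_APP_GP_DISP", "S_DEVELOP", "OBJNAME"): "Custom",
    ("SAP_FRN_APP_GP_DISP", "S_DEVELOP", "P_GROUP"): "Custom",
    ("SAP_FRN_AAD_RUM_ALL", "S_BTCH_JOB", "JOBGROUP"): "*",
    ("SAP_FRN_APP_CSA_DISP", "SRSM_CA_AP", "CA_AREA"): "*",
}


@dataclass(frozen=True)
class AuthField:
    """One exported authorization field value of a role (AGR_1251-like row)."""
    role: str
    obj: str
    field: str
    low: str  # value maintained in PFCG; "" means the field is still <empty>


def audit(fields: Iterable[AuthField]) -> List[Tuple[AuthField, str]]:
    """Return (record, finding) pairs for every field the guide's table lists.

    Fields not in RECOMMENDED are out of scope for this check and skipped.
    """
    findings: List[Tuple[AuthField, str]] = []
    for f in fields:
        recommended = RECOMMENDED.get((f.role, f.obj, f.field))
        if recommended is None:
            continue
        value = f.low.strip()
        if value == "":
            findings.append((f, "EMPTY: delivered <empty>; maintain the field value"))
        elif recommended == "Custom" and value == "*":
            findings.append((f, "OVERBROAD: wildcard where a customer-specific value is recommended"))
    return findings


def summarize(fields: Iterable[AuthField]) -> Dict[str, int]:
    """Count findings per class so a review can be tracked over time."""
    counts = {"EMPTY": 0, "OVERBROAD": 0}
    for _, finding in audit(fields):
        counts[finding.split(":")[0]] += 1
    return counts


# Constructed sample export: customer IDs and package name are made up.
SAMPLE_EXPORT = [
    AuthField("SAP_FRN_CNW_ACCESS", "LMDB_CN", "LDB_CUSNET", ""),           # never maintained
    AuthField("SAP_FRN_CNW_ACCESS", "LMDB_CN", "LDB_CUST", "CUST_A"),       # restricted as recommended
    AuthField("SAP_FRN_CNW_ACCESS", "LMDB_CN", "LDB_DC", "*"),              # wildcard on data center
    AuthField("SAP_FRN_AAD_MOAL_ALL", "S_BTCH_JOB", "JOBGROUP", "*"),       # wildcard is the recommendation
    AuthField("SAP_FRN_AAD_MOAL_ALL", "S_SYS_RWBO", "DESTSYS", "*"),        # wildcard transport target
    AuthField("SAP_FRN_APP_GP_DISP", "S_DEVELOP", "DEVCLASS", "ZFRN_LOGO"),  # customer package (constructed)
    AuthField("SAP_FRN_APP_GP_DISP", "S_APPL_LOG", "ALG_OBJECT", "*"),      # not in the table: skipped
]

if __name__ == "__main__":
    for record, finding in audit(SAMPLE_EXPORT):
        print(f"{record.role} {record.obj} {record.field}: {finding}")
    print(summarize(SAMPLE_EXPORT))
```

Feeding a real export through `audit` gives a per-field list to work through in PFCG; the `OVERBROAD` class is the one to watch after a quick "set everything to *" role generation, because it silently removes the customer-network and transport-target separation the table is there to enforce.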
Role Name | Authorization Object | Selective Authorization Field | Comment | Recommended Value
SAP_FRN_CNW_ACCESS | LMDB_CN | LDB_CUSNET, LDB_CUST, LDB_DC | Customer network attributes to separate access | Custom
SAP_FRN_AAD_MOAL_ALL | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | *
SAP_FRN_AAD_MOAL_ALL | S_BTCH_NAM | BTCUNAME | FOCUSED RUN batch users | FOCUSED RUN_BTC*
SAP_FRN_AAD_MOAL_ALL | S_DEVELOP | OBJNAME, P_GROUP | Display all objects and groups as in the defined package | *
SAP_FRN_AAD_MOAL_ALL | S_SYS_RWBO | DESTSYS, DOMAIN | Customer specific: how to transport the templates | Custom
SAP_FRN_AAD_MOAL_ALL | S_DATASET | FILENAME | Filenames not known | *
SAP_FRN_AAD_SYA_ALL | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | *
SAP_FRN_AAD_SYA_ALL | S_DATASET | FILENAME | Filenames not known | *
SAP_FRN_LICM_ALL | S_DATASET | FILENAME | Filenames not known | *
SAP_FRN_APP_GP_DISP | S_DEVELOP | DEVCLASS, OBJNAME, P_GROUP | Customer specific for the logo integrated in the HTML report | Custom
SAP_FRN_APP_GP_EXE | S_DEVELOP | DEVCLASS, OBJNAME, P_GROUP | Customer specific for the logo integrated in the HTML report | Custom
SAP_FRN_APP_GP_ALL | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | *
SAP_FRN_APP_GP_ALL | S_DATASET | FILENAME | Filenames not known | *
SAP_FRN_APP_GP_ALL | S_DEVELOP | DEVCLASS, OBJNAME, P_GROUP | Customer specific for the logo integrated in the HTML report | Custom
SAP_FRN_APP_GP_ALL | S_DOKU_AUT | DOKU_DEVCL | Customer specific document class | Custom
SAP_FRN_APP_GP_ALL | S_SYS_RWBO | DESTSYS, DOMAIN | Customer specific: where to transport GPs | Custom
SAP_FRN_APP_GP_ALL | S_APPL_LOG | ALG_OBJECT, ALG_SUBOBJ | Various application log objects | *
SAP_FRN_APP_GP_ALL | SM_SETUP | SCENARIOS, STEPS | Scenarios and steps not known | *
SAP_FRN_AAD_RUM_ALL | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | *
SAP_FRN_APP_CSA_DISP | SRSM_CA_AP | CA_AREA | Security object prepared for coming releases to separate access to different CSA functions. With FP2, * is to be set | *
SAP_FRN_APP_CSA_DISP | SRSM_CV_TS | CV_TARDEF, CV_TARUSR | Customer specific |
SAP_FRN_APP_CSA_MAINT | SRSM_CA_AP | CA_AREA | Security object prepared for coming releases to separate access to different CSA functions. With FP2, * is to be set | *
SAP_FRN_APP_CSA_MAINT | SRSM_CV_TS | CV_TARDEF, CV_TARUSR | Target system and user where the CS&A should be effective | *
SAP_FRN_APP_CSA_PROTECTED | SRSM_CA_AP | CA_AREA | Security object prepared for coming releases to separate access to different CSA functions. With FP2, * is to be set | *
SAP_FRN_APP_CSA_PROTECTED | SRSM_CV_TS | CV_TARDEF, CV_TARUSR | Target system and user where the CS&A should be effective | *
SAP_FRN_LDB_DISP | AI_LMDB_OB | LMDB_NAMES, LMDB_OBJID | LMDB names and object IDs are random hashes | *
SAP_FRN_LDB_DISP | AI_LMDB_OB | LMDB_STYPE | Specific limit to access (limit to system types only, for example) | As delivered, unless limited access desired
SAP_FRN_LDB_DISP | AI_LMDB_PS | LMDB_NAMES, PS_NAME | LMDB names are random hashes | *
SAP_FRN_LDB_DISP | AI_LMDB_TM | LMDB_NAMES | LMDB names are random hashes | *
SAP_FRN_LDB_DISP | AI_LMDB_TM | LMDB_DOMA | LMDB domain; only LDB is supported | LDB
SAP_FRN_SDA_ALL | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | *
SAP_FRN_LDB_ALL | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | *
SAP_FRN_LDB_ALL | AI_LMDB_AD | LMDB_NAMES | LMDB names are random hashes |
SAP_FRN_LDB_ALL | AI_LMDB_OB | LMDB_NAMES, LMDB_OBJID | LMDB names and object IDs are random hashes | *
SAP_FRN_LDB_ALL | AI_LMDB_OB | LMDB_MTYPE, LMDB_STYPE | Customer specific, depending on functional team roles | * unless limits desired
SAP_FRN_LDB_ALL | AI_LMDB_PS | LMDB_NAMES, PS_NAME | LMDB names are random hashes | *
SAP_FRN_LDB_ALL | AI_LMDB_TM | LMDB_DOMA | LMDB domain; only LDB is supported | LDB
SAP_FRN_LDB_ALL | AI_LMDB_TM | LMDB_NAMES | LMDB names are random hashes | *
SAP_FRN_LDB_MAINT | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | *
SAP_FRN_LDB_MAINT | AI_LMDB_AD | LMDB_NAMES | LMDB names are random hashes | *
SAP_FRN_LDB_MAINT | AI_LMDB_OB | LMDB_NAMES, LMDB_OBJID | LMDB names and object IDs are random hashes | *
SAP_FRN_LDB_MAINT | AI_LMDB_OB | LMDB_MTYPE, LMDB_STYPE | Customer specific, depending on team roles | * unless limits desired
SAP_FRN_LDB_MAINT | AI_LMDB_PS | LMDB_NAMES, PS_NAME | LMDB names are random hashes | *
SAP_FRN_LDB_MAINT | AI_LMDB_TM | LMDB_NAMES | LMDB names are random hashes | *
SAP_FRN_SSI_DISP | S_DATASET | FILENAME | Filenames not known | *
SAP_FRN_SSI_DISP | S_DEVELOP | OBJNAME, OBJTYPE, P_GROUP | <empty> | <empty>
SAP_FRN_SSI_MAINT | S_RFC_ADM | ICF_VALUE | Not used by SSI but needs to exist in the role | <empty>
SAP_FRN_SSI_MAINT | S_RFC_ADM | RFCDEST | Values are the SM59 destinations to external servers (SAPHOSTAGENT) created by SSI; the naming convention is HOSTNAME_NAMESPACE. As these need to be created for all hosts connected to FOCUSED RUN, * is recommended | *
SAP_FRN_SSI_MAINT | S_BTCH_JOB | JOBGROUP | Demanded by Job Management |
SAP_FRN_SSI_MAINT | S_DATASET | FILENAME | Filenames not known | *
SAP_FRN_SSI_MAINT | S_DEVELOP | DEVCLASS, OBJNAME, OBJTYPE, P_GROUP | <empty> | <empty>
SAP_FRN_SSI_APMAINT | S_RFC_ADM | ICF_VALUE | Not used by SSI but needs to exist in the role | <empty>
SAP_FRN_SSI_APMAINT | S_RFC_ADM | RFCDEST | Values are the SM59 destinations to external servers (SAPHOSTAGENT) created by SSI; the naming convention is HOSTNAME_NAMESPACE. As these need to be created for all hosts connected to FOCUSED RUN, * is recommended | *
SAP_FRN_SSI_APMAINT | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | *
SAP_FRN_SSI_APMAINT | S_DATASET | FILENAME | Filenames not known | *
SAP_FRN_SSI_APMAINT | S_DEVELOP | DEVCLASS, OBJNAME, OBJTYPE, P_GROUP | <empty> | <empty>
SAP_FRN_SSI_ALL | S_RFC_ADM | ICF_VALUE | Not used by SSI but needs to exist in the role | <empty>
SAP_FRN_SSI_ALL | S_RFC_ADM | RFCDEST | Values are the SM59 destinations to external servers (SAPHOSTAGENT) created by SSI; the naming convention is HOSTNAME_NAMESPACE. As these need to be created for all hosts connected to FOCUSED RUN, * is recommended | *
SAP_FRN_SSI_ALL | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | *
SAP_FRN_SSI_ALL | S_DATASET | FILENAME | Filenames not known | *
SAP_FRN_SSI_ALL | S_DEVELOP | DEVCLASS, OBJNAME, OBJTYPE, P_GROUP | <empty> | <empty>
SAP_FRN_SSI_ALL | AI_LMDB_OB | LMDB_NAMES, LMDB_OBJID | LMDB names and object IDs are random hashes | *
SAP_FRN_SSI_ALL | AI_LMDB_OB | LMDB_STYPE | Customer specific |
SAP_FRN_CNM_DISP | S_RFC_ADM | ICF_VALUE | Depends on customer 'SCOT' settings | *
SAP_FRN_CNM_DISP | S_RFC_ADM | RFCDEST | Depends on customer 'SCOT' settings | *
SAP_FRN_CNM_DISP | S_LDAP | LDAP_SERV | External LMDB, if used | <empty> or customer specific
SAP_FRN_CNM_DISP | S_USER_GRP | CLASS | In case user IDs from SU01 should be used to create notification groups | * or IDs of users for notification from SU01
SAP_FRN_CNM_DISP | SM_CNM_AUT | CNM_APPACT | The only possible value with FP2 is WMM | WMM
SAP_FRN_CNM_ALL | S_RFC_ADM | ICF_VALUE, RFCDEST | Depends on customer 'SCOT' settings | *
SAP_FRN_CNM_ALL | S_LDAP | LDAP_SERV | External LMDB, if used | <empty> or customer specific
SAP_FRN_CNM_ALL | S_USER_GRP | CLASS | In case user IDs from SU01 should be used to create notification groups | * or IDs of users for notification from SU01
SAP_FRN_CNM_ALL | SM_CNM_AUT | CNM_APPACT | The only possible value with FP2 is WMM | WMM
SAP_FRN_TECH_MON_TOOL | S_DEVELOP | DEVCLASS, OBJNAME, OBJTYPE, P_GROUP | Dev Support role | *
SAP_FRN_TECH_MON_TOOL | S_DATASET | FILENAME, PROGRAM | Dev Support role | *
SAP_FRN_TECH_MON_TOOL | S_PROGRAM | P_GROUP | Dev Support role | *
SAP_FRN_TECH_MON_TOOL | S_TRANSLAT | TLANGUAGE | Dev Support role | EN, DE
SAP_FRN_TECH_MON_TOOL | S_APPL_LOG | ALG_OBJECT, ALG_SUBOBJ | Dev Support role | *
SAP_FRN_OPR_ALL | S_DATASET | FILENAME | Filenames not known | *
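A review aid for the table above, added here as an example and not part of SAP's documentation or code: it reconciles exported authorization values of the customer roles against a subset of the recommended values, reporting fields still left <empty>, wildcards where a customer-specific value is expected, and fixed values (such as LDB for LMDB_DOMA) that were changed. The export format (one ROLE;OBJECT;FIELD;LOW line per value, the columns a PFCG role download or table AGR_1251 provides), the Z_ customer role name and the sample values are assumptions.

```python
"""Reconcile exported role authorization values with the table above. Added
example, not SAP's code; the ROLE;OBJECT;FIELD;LOW export format is assumed."""
from collections import defaultdict

# Subset of the table above, (role, object, field) -> recommended value ("Custom" = customer-specific, no wildcard).
EXPECTED = {
    ("SAP_FRN_CNW_ACCESS", "LMDB_CN", "LDB_CUSNET"): "Custom",
    ("SAP_FRN_CNW_ACCESS", "LMDB_CN", "LDB_CUST"): "Custom",
    ("SAP_FRN_CNW_ACCESS", "LMDB_CN", "LDB_DC"): "Custom",
    ("SAP_FRN_AAD_MOAL_ALL", "S_SYS_RWBO", "DESTSYS"): "Custom",
    ("SAP_FRN_LDB_ALL", "AI_LMDB_TM", "LMDB_DOMA"): "LDB",
}

def parse_export(text, role_map=None):
    """Collect LOW values per (role, object, field); an empty LOW is <empty>.
    role_map translates customer copies (Z_...) to the SAP template role."""
    values = defaultdict(set)
    for line in text.strip().splitlines():
        role, obj, field, low = (p.strip() for p in line.split(";"))
        role = role_map.get(role, role) if role_map else role
        if low:
            values[(role, obj, field)].add(low)
    return values

def review(values):
    """EMPTY: field still unmaintained; WILDCARD: '*' where a customer-specific
    value is expected; MISMATCH: a fixed recommended value (e.g. LDB) not set."""
    findings = []
    for key, recommended in EXPECTED.items():
        got = values.get(key, set())
        if not got:
            findings.append(("EMPTY", key))
        elif recommended == "Custom" and "*" in got:
            findings.append(("WILDCARD", key))
        elif recommended not in ("Custom", "*") and got != {recommended}:
            findings.append(("MISMATCH", key))
    return sorted(findings)

# Constructed sample export; Z_CNW_ACCESS is a customer copy of the SAP role.
SAMPLE_EXPORT = """
Z_CNW_ACCESS;LMDB_CN;LDB_CUSNET;CN_EMEA
Z_CNW_ACCESS;LMDB_CN;LDB_CUST;*
Z_CNW_ACCESS;LMDB_CN;LDB_DC;
SAP_FRN_AAD_MOAL_ALL;S_SYS_RWBO;DESTSYS;DEV
SAP_FRN_LDB_ALL;AI_LMDB_TM;LMDB_DOMA;*
"""
ROLE_MAP = {"Z_CNW_ACCESS": "SAP_FRN_CNW_ACCESS"}

if __name__ == "__main__":
    print(review(parse_export(SAMPLE_EXPORT, ROLE_MAP)))
```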
www.sap.com/contactsap
© 2018 SAP SE or an SAP affiliate company. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.