Security Guide

Document Version: 1.23– 2018-02-26

PUBLIC

Focused Run for SAP Solution Manager Feature Pack 2


© 2018 SAP SE or an SAP affiliate company. All rights reserved.


Typographic Conventions

Type Style | Description
Example | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Textual cross-references to other documents.
Example | Emphasized words or expressions.
EXAMPLE | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE | Keys on the keyboard, for example, F2 or ENTER.


Document History

Caution

Before you start the implementation, make sure that you have the latest version of this document that is available at https://help.sap.com/viewer/p/FOCUSED_RUN.

Version | Date | Change
1.0 | 2016-10-21 | Initial version
1.01 | 2016-10-31 | Minor changes
1.10 | 2017-04-11 | Feature Pack 1
1.20 | 2017-11-20 | Feature Pack 2
1.21 | 2017-12-27 | Adding FP2 roles lists, adding authorization objects descriptions, minor improvements
1.22 | 2018-01-02 | Adoption of FRN_BTC_AIM & FRN_BTC_SRA
1.23 | 2018-02-26 | Correction of proxy descriptions (p.12) and minor improvements


Table of Contents

1 Acronyms and Terms
2 Introduction
3 Overview of Security-Relevant Components in the Focused Run Infrastructure
4 Introduction Communication Channel Simplification
5 Introduction to Data Separation
6 Inbound HTTP SICF Services for Focused Run
  6.1 Enable Strong Data Separation at Data Collection Time
    6.1.1 SAP Web Dispatcher
    6.1.2 Apache
7 Role Generation and User Comparison
8 Technical Users
  8.1 Technical Users to Authenticate Data Send Requests to the Focused Run System (ABAP)
    8.1.2 *SAP_FRN_LDB_DS
  8.2 Technical Users for Batch Processing in ABAP
    8.2.2 *SAP_FRN_BTC_EWA
    8.2.3 *SAP_FRN_BTC_LDB
    8.2.4 *SAP_FRN_BTC_MAI
    8.2.5 *SAP_FRN_SND_SNMP_TRAP
    8.2.6 *SAP_FRN_BTC_SRA
    8.2.7 *SAP_FRN_AAD_SYA_ALL
    8.2.8 *SAP_FRN_BTC_GPA
  8.3 Technical Users for Internal RFC Communication in Central ABAP Stack
    8.3.2 *SAP_FRN_IADM_SSI_USER
9 Data Protection and Privacy
  9.1 FOCUSED RUN Dialog Users and Business Partners
  9.2 Landscape Objects and Business Partners
  9.3 Real User Monitoring
  9.4 Synthetic User Monitoring
  9.5 Trace Analysis
  9.6 System Analytics
  9.7 Advanced Event Management
  9.8 Central Notification Management
  9.9 Change and Security Analysis
    9.9.1 How to Display Data Stored in the Configuration and Change Database
    9.9.2 How to Delete User-Dependent Data from Configuration and Change Database
10 Dialog Users
  10.1 Dialog User Roles with SAP Fiori Tiles
  10.2 Proposed Work Flow to Assign Authorizations in FOCUSED RUN
  10.3 Role types
    10.3.1 SAP NetWeaver Basic Roles and Customer Roles Designed Prior to FOCUSED RUN
    10.3.2 Cross-Application FOCUSED RUN Roles
    10.3.3 FOCUSED RUN Tools Roles
    10.3.4 FOCUSED RUN SAP Fiori roles
    10.3.5 FOCUSED RUN Application Roles
  10.4 Dialog User Roles for Incident processing by SAP
  10.5 Special Protected Tables
  10.6 Proposal for Setup User during FOCUSED RUN Initial Preparation before Going Live
11 Technical Users for Managed Systems
  11.1 Technical Users for SAP NetWeaver ABAP
    11.1.2 * SAP_FRN_SDAGENT_CSA_MS
  11.2 Technical Users for SAP NetWeaver Java
  11.3 Technical Users for Apache Tomcat
  11.4 Technical Users for BOBJ
  11.5 Technical Users for SMP
  11.6 Technical Users for Managed DB
  11.7 Technical Users for Managed OS
12 CA APM EM Users
13 System Landscape Data Router Configuration
14 Enable Network Communication Encryption
  14.1 Configure Encryption Usage for Customer Network Configuration in SSI UI
  14.2 Configure Encryption Usage for SDA Configuration in Agent Administration
15 Users and Authorizations in SAP Support Portal
16 Addendum
  16.1 Role Changes for FOCUSED RUN FP02
    16.1.1 Roles Created for FP02
    16.1.2 Roles Changed with FP02
  16.2 Cross FOCUSED RUN Application Roles
  16.3 FOCUSED RUN Tool Roles
  16.4 All SAP Fiori Roles sorted by SAP Fiori Group Names
    16.4.1 General SAP Fiori roles
    16.4.2 Focus Run Home
    16.4.3 Advanced System Management
    16.4.4 Advanced User Monitoring
    16.4.5 Advanced Integration Monitoring
    16.4.6 Advanced Event & Alert Management
    16.4.7 Configuration and Security Analytics
    16.4.8 Infrastructure Administration
  16.5 All Application Roles Sorted by FOCUSED RUN Applications
    16.5.1 Advanced System Management (ASM)
    16.5.2 Advanced User Monitoring (AUM)
    16.5.3 Advanced Integration Monitoring (AIM)
    16.5.4 Advanced Event & Alert Management (AEM)
    16.5.5 Configuration & Security Analytics (CSA)
    16.5.6 Infrastructure Administration
    16.5.7 MAI Tools (transaction "mai_tools")
    16.5.8 Customer Network access
    16.5.9 Partner Reporting
  16.6 Role changes for FOCUSED RUN FP 02
    16.6.1 Roles created for FP02
    16.6.2 Roles changed for FP02
  16.7 Roles with authorizations objects to be maintained:


1 Acronyms and Terms

Acronym or Short | Long Form | Comment
AEM | Advanced Event and Alert Management | Inbound of unmolded alerts and outbound to external ticketing
AIM | Advanced Interface Monitoring | An application in Focused Run
ASM | Advanced System Monitoring | An application in Focused Run
BCIA / BCI agent | Byte Code Injection Agent | SAP or a third-party byte code injection agent
CA APM EM | Computer Associates Application Performance Management Enterprise Manager | Third-party product utilized by Focused Run for collection of non-ABAP metrics. Before being renamed, earlier versions of this product are known as CA Introscope EM and Wily Introscope EM, before CA acquired it.
CF | Configuration Analysis Framework | An application in Focused Run, often used in coding, user, and URL utilized by configuration analysis.
CID | Customer Identification | A three-character string
CNW | Central Notification Management | An application in Focused Run
DPC | Data Provider Connector | Very often used in coding, user, and URL utilized by the monitoring infrastructure
EA | Exception Analysis | Part of system analysis, which is an application in Focused Run
Focused Run | Focused Run for SAP Solution Manager | The central managing SAP ABAP system. May also refer to the whole Focused Run infrastructure
GP FWK | Guided Procedure Framework | Guided Procedures are delivered as FOCUSED RUN content, and the framework provides the possibility to create customer GPs
ISA | Infrastructure Administration | Administration and self-monitoring of Focused Run infrastructure
LMDB | Landscape Management Database | Focused Run landscape model is provided by LMDB
MAI | Monitoring Alerting Infrastructure | Often used by the monitoring infrastructure for coding, user, and URL
OP | On Premise |
PA | Performance Analysis | Part of system analysis, which is an application in Focused Run
RUM | Real User Monitoring | An application in Focused Run
SAM | Service Availability Management | An application in Focused Run
SDA | Simple Diagnostics Agent | SAP Java application running on all hosts of the managed systems
SHA | SAP Host Agent | SAP native OS application running on all hosts of the managed systems.
SLD | SAP Landscape Data | SLD DS is part of nearly all SAP products (known exception: ASE Database)
SLDR | System Landscape Data Router | SAP Java application running in the SDA
SSI | Simple System Integration | An application in Focused Run
ST/A-PI | Support Tool for Application Plug In | ABAP add-on
ST-PI | Support Tool Plug In | ABAP add-on
TA | Transaction Analysis | Transaction analysis is an application in Focused Run
Technical User | Technical User | Authenticates data collection and send requests. Cannot be used to log on to a user interface.
TLS | Transport Layer Security | Is the predecessor of SSL (secure socket layer)
UI | User Interface |
WMM | Work Mode Management | An application in Focused Run


2 Introduction

The security concept of Focused Run for SAP Solution Manager (also referenced in this guide as Focused Run and FOCUSED RUN) is designed to provide a secure infrastructure within IT environments that have a central administration network and managed systems in multiple, separate networks with different network security policies.

Because the system, network, and IT infrastructure security is customer-specific, this guide can only describe the features of Focused Run, based on past experiences and best practices.


3 Overview of Security-Relevant Components in the Focused Run Infrastructure

Name | Description | Comment
Focused Run ABAP on HANA DB | Central NW 750 ABAP application server that receives and processes all incoming managed system metrics and other collected data. This central ABAP application service also provides all Focused Run application user interfaces. The HANA DB saves all managed-system metrics and other collected data, as well as Focused Run administrative data. | Focused Run incorporates in general the NW 750 security features, see: https://help.sap.com/saphelp_nw73ehp1/helpdata/en/f3/780118b9cd48c7a668c60c3f8c4030/frameset.htm For the HANA DB security feature, see: http://help.sap.com/hana/SAP_HANA_Security_Guide_en.pdf
SAP Host Agent | The SHA is installed on every host of a managed system. It installs and upgrades the Simple Diagnostics Agent on these hosts, as well as providing runtime control (start/stop). It acts as proxy for all requests sent to the simple diagnostics agent. The SHA provides the OD in Focused Run. | While not delivered as part of Focused Run, SHA is used by Focused Run and is mandatory for Focused Run operation. For further details about SHA, see: https://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/c6f9627a004da5e10000000a421937/content.htm
Simple Diagnostics Agent | The SDA is installed on every host of a managed system. The Simple Agent offers different data collection applications. | Part of the Focused Run delivery.
SLDR | The System Landscape Data Router distributes SLD DS payloads. | Part of the Focused Run delivery.
Managed System | Listed as associated with Focused Run infrastructure because some of the different management systems need dedicated users and security-relevant features enabled for Focused Run. | In general, see the relevant product documentation of the management system.
ST-PI, ST/A-PI | ABAP add-on delivers Focused Run functions. | No special Focused Run security features need to be enabled for this add-on. Authorizations to execute the delivered functions are documented with the technical user.
CA APM EM | CA APM EM temporarily saves data that is collected by the different BCI adapters and sent to Focused Run (optional, but needed to get full scope of metrics of non-ABAP managed systems). | CA APM EM is part of SAP Solution Manager delivery. For further details, see: https://wiki.scn.sap.com/wiki/display/TechOps/RCA_Introscope_Home
Reverse Proxy | In the Focused Run infrastructure, a reverse proxy is a type of proxy that retrieves resources on behalf of the SHA and managed systems from Focused Run (optional, but needed if strong data separation is to be achieved). See also: https://en.wikipedia.org/wiki/Proxy_server | There are different third-party reverse proxies (see the relevant documentation). SAP Web Dispatcher can provide reverse proxy functionality. Reference: https://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/8fe37933114e6fe10000000a421937/frameset.htm?original_fqdn=help.sap.de
Proxy | In the Focused Run infrastructure, a proxy server acts as an intermediary for requests from the Focused Run central system (SHA). Focused Run supports calls to the SHA using a proxy (optional, depending on customer network security implementation). See also: https://en.wikipedia.org/wiki/Intermediary | There are different third-party proxies. SAP Web Dispatcher does not use the HTTP request command "CONNECT" and therefore does not act as a proxy in the common meaning.
Load Balancer | Focused Run is commonly installed with multiple application servers for high-availability and load-distribution purposes. | Focused Run supports third-party hardware and software load balancers (see vendor documentation). SAP Web Dispatcher can provide software load balancing functionality. Reference: https://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/8fe37933114e6fe10000000a421937/frameset.htm?original_fqdn=help.sap.de
Firewall | A firewall is a network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules. | Focused Run supports third-party hardware and software for firewall security (see vendor documentation).


4 Introduction Communication Channel Simplification

Communication between the central Focused Run ABAP application server and the agent, the managed ABAP system and the CA APM EM is simplified to the HTTP protocol only.

This communication can be protected by enabling TLS encryption so that the HTTP becomes HTTPS.

The TLS pass-through or TLS termination needs to be carefully considered. The question is for which components certificates need to be requested and how these certificates must be stored, which affects overall effort and costs.

[Figure: communication channels in the Focused Run infrastructure. Components shown: Managed Host with Host Agent, Simple DA, SLDR and IS BCIA; Managed Systems (AS ABAP, J2EE, SBOP, …) with ST-PI and ST/A-PI; Managed DB (AnyDB); CA APM; Reverse Proxy, Proxy and Load Balancer; Focused Run ABAP Instances with Inbound and Outbound Applications; Focused Run HANA DB Instances; Customer Network and Admin Network. Channel labels: http(s), RMI. Legend: Mandatory Component; Optional Component; Managed Object; Component integrated but not part of SRSM delivery.]


Depending on the technology, there are different protocols for local communication between the agents, the managed system and databases, and the CA APM EM.

This communication is local on the hosts or within the same network. Insofar as requested, it is to be enabled for TLS communication. With very high effort, all components acting as client/server in this local communication can enable encrypted communication. The effort involved is not cost-effective in relation to the added security. So far, Focused Run has not made a request for this. If you have such a request, you can contact the Focused Run team for project support.

[Figure: the same infrastructure with the local communication channels added. Components shown: Managed Host with Host Agent, Simple DA, SLDR and IS BCIA; Managed Systems (AS ABAP, J2EE, SBOP, …) with ST-PI and ST/A-PI; Managed DB (AnyDB); CA APM; Reverse Proxy, Proxy and Load Balancer; Focused Run ABAP Instances with Inbound and Outbound Applications; Focused Run HANA DB Instances; Customer Network and Admin Network. Channel labels: http(s), http, RFC, RMI, p4, Local DB Connection.]


5 Introduction to Data Separation

In a segmented network environment, it is common that different networks have different security policies. For example, a hosting provider might adopt, for the hosted systems, the security policy of the hosted customer.

Because of this, Focused Run has strong data separation capabilities. If one customer network is compromised, it is ensured that no other connected network/system can be compromised by means of the central Focused Run infrastructure. The data separation is also a main pillar to protect customer data against threats such as information disclosure and data tampering.

[Figure: data separation in Focused Run. Customer Network A and Customer Network B, each with Managed Systems and Agents, are connected over http(s) through a reverse proxy and an optional proxy to the Focused Run ABAP Instances (Inbound and Outbound Applications) and HANA. The labels A and B appear on the applications and on HANA.]

The above figure illustrates the idea behind data separation in Focused Run. All managed object configurations are network/customer specific. All reported metrics and data are sent specifically to a network/customer. The reverse proxy plays an important role in this concept. The reverse proxy must not be accessible from the customer network. All ports except HTTP(S) are assumed to be closed by firewall. On the reverse proxy, an "inbound fencing" string is added to all requests from that network. This inbound fencing string is mapped to the customer-network identification. Focused Run checks whether a configuration exists for this metric and network for each incoming request. If not, the request is rejected.

Without the reverse proxy, no inbound fencing is possible, and no data separation is applied.
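
The following Python sketch is an added example, not code from SAP or from this guide. It models the inbound fencing check described above: each reverse proxy stamps its own fencing string on every request, and the central system rejects a request unless a configuration exists for that metric in the network the string maps to. The header name, fencing strings, network IDs and metric names are constructed for illustration; rejecting a request that carries no fencing string is an assumption of this model.

```python
"""Toy model of inbound fencing for data separation (illustrative only)."""
from dataclasses import dataclass, field

# Hypothetical header name for this sketch. The real fencing parameter is
# product configuration and is not reproduced here.
FENCE_HEADER = "x-inbound-fence"

# URI taken from the SICF service table in this guide.
PUSH = "/sap/srsm_mai/push_metrics"


@dataclass
class Request:
    path: str                                   # targeted SICF service
    metric: str                                 # reported metric (constructed id)
    headers: dict = field(default_factory=dict)


class ReverseProxy:
    """One proxy per customer network; it alone decides the fencing string."""

    def __init__(self, fence: str):
        self.fence = fence

    def forward(self, req: Request) -> Request:
        # Discard any fencing value supplied by the sender (case-insensitive),
        # then stamp the value that belongs to this network.
        headers = {k: v for k, v in req.headers.items()
                   if k.lower() != FENCE_HEADER}
        headers[FENCE_HEADER] = self.fence
        return Request(req.path, req.metric, headers)


class CentralReceiver:
    """Central system: maps fencing string -> network, then checks config."""

    def __init__(self, fence_to_network: dict, configured: set):
        self.fence_to_network = dict(fence_to_network)
        self.configured = set(configured)       # {(network, path, metric)}

    def check(self, req: Request):
        fence = req.headers.get(FENCE_HEADER)
        if fence is None:
            # Assumption of this model: unfenced requests are refused.
            return False, "missing fencing string"
        network = self.fence_to_network.get(fence)
        if network is None:
            return False, "unknown fencing string"
        if (network, req.path, req.metric) not in self.configured:
            return False, f"no configuration for this metric in network {network}"
        return True, network


def build_demo():
    """Two customer networks, each with one configured metric (constructed)."""
    proxy_a = ReverseProxy("fence-7f3a")
    proxy_b = ReverseProxy("fence-c41d")
    receiver = CentralReceiver(
        {"fence-7f3a": "NET_A", "fence-c41d": "NET_B"},
        {("NET_A", PUSH, "hostA1/cpu"), ("NET_B", PUSH, "hostB1/cpu")},
    )
    return proxy_a, proxy_b, receiver


def run_scenarios():
    proxy_a, proxy_b, receiver = build_demo()
    legit = Request(PUSH, "hostA1/cpu")
    cross = Request(PUSH, "hostB1/cpu")
    # Sender in network A claims network B's fencing string itself.
    spoof = Request(PUSH, "hostB1/cpu", {"X-Inbound-Fence": "fence-c41d"})
    return {
        "legit_from_A": receiver.check(proxy_a.forward(legit)),
        "B_metric_from_A": receiver.check(proxy_a.forward(cross)),
        "spoofed_fence_from_A": receiver.check(proxy_a.forward(spoof)),
        "legit_from_B": receiver.check(proxy_b.forward(cross)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The spoofed request is rejected because the proxy overwrites the sender's value, so a sender in network A can only ever be evaluated against network A's configuration.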


6 Inbound HTTP SICF Services for Focused Run

Only the SICF services listed here, which are relevant for data separation, must be configured on the reverse proxies to enable strong data separation. Find the complete list of SICF services for Focused Run in the master guide.

URI | Function | Description
/lmdb/ds | Entry point for SLD DS | SLD DS payload can be sent directly to Focused Run using this service.
/sld/ds | Entry point for SLD DS | SLD DS payload can be sent directly to Focused Run using this service. Same service as /lmdb/ds with a different alias.
/sap/srsm_mai/push_metrics | Entry point for all monitoring metrics | Metrics collected by the simple DA monitoring aglet and the CA APM EM are sent to this service.
/sap/bc/rest/cof/COF_SEND_TO_SRSM/ | Entry point for all configuration analysis data | Configuration data from the different configuration stores is collected as a snapshot every 24 hours and sent to this service.
/sap/bc/sdf/sdcc/ | Entry point for all ABAP EWA data | The ABAP SDCC data collector sends data collected for ABAP EWA to this service (among all non-ABAP EWA data, it is calculated from the monitoring data)
/sap/bc/rest/e2e_ta_col | Entry point of data that is collected for E2E trace analysis | E2E trace data collected by the simple diagnostics agent is sent to this service.
/sap/srsm/E2E_trace_upl | Entry point for E2E TA recordings by SAP UI5 diagnostics | Recorded UI5 sessions are uploaded to FRUM by this service.
/sap/bc/rest/rumdataservice | Entry point for real user monitoring data | Header data or statistical record data of recorded user requests are uploaded to Focused Run by this service.
/sap/bc/rest/aimdataservice | Entry point for advanced interface monitoring data | Header data or statistical record data of recorded electronic requests are uploaded to Focused Run by this service.
/sap/bc/rest/statraggdatasrv | Entry point for collection of aggregated statistical data | Collected for long-term analysis and predictions.
/sap/bc/rest/sumdataservice | Entry point for synthetic user monitoring data | Script executions are reported to Focused Run by this service.

Reference the master guide for more information about requisite web service activation.

6.1 Enable Strong Data Separation at Data Collection Time

To enable the strong data separation on the reverse proxy, the inbound fencing parameter must be set as part of

the reverse path configuration.

The syntax of the reverse paths is usually specific to the vendor of the proxy:

SAP Web Dispatcher: https://help.sap.com/saphelp_nw73ehp1/helpdata/en/48/9266f7aa6b17cee10000000a421937/content.htm

Apache: http://httpd.apache.org/docs/2.4/howto/reverse_proxy.html

Tiny Proxy: https://tinyproxy.github.io/

See the sections below for examples of vendor-dependent reverse paths. Note: Paths should not contain carriage return characters.

6.1.1 SAP Web Dispatcher

To make FOCUSED RUN known to the SAP Web Dispatcher, add FOCUSED RUN in the SAP Web Dispatcher

profile:

wdisp/system_0 = SID=<SID>, SRCURL=/, SSL_ENCRYPT=0, CLIENT=<default client>, EXTSRV=<FOCUSED RUN Host>:<FOCUSED RUN HTTP Port>


Write reverse rules to a rules file and add them in the SAP Web Dispatcher profile:

icm/HTTP/mod_0=PREFIX=/,FILE=/usr/sap/<SID>/W<Inst>/proxy/rules.txt

Reverse rules, in rules text, look like this:

# allow Web Admin UI
if %{PATH} regimatch ^/sap/wdisp/admin
nop [break]
# Rewrite rules (each rule must be on a single line)
RegIRewriteRawUrl ^/sap/bc/sdf/sdcc/$ /sap/bc/sdf/sdcc/?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sld/ds$ /sap/bc/cim/ds?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/srsm_mai/push_metrics/$ /sap/srsm_mai/push_metrics?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/cof/COF_SEND_TO_SRSM/$ /sap/bc/rest/cof/COF_SEND_TO_SRSM?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/e2e_ta_col/AgentCollector$ /sap/bc/rest/e2e_ta_col/AgentCollector?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/rumdataservice/records$ /sap/bc/rest/rumdataservice/records?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/aimdataservice/data$ /sap/bc/rest/aimdataservice/data?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/statraggdatasrv/records$ /sap/bc/rest/statraggdatasrv/records?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/sumdataservice/records$ /sap/bc/rest/sumdataservice/records?smgwa=<AdmReqParam> [qsreplace,break]
# Reject all other URLs (the rule below is commented out and inactive as listed)
#RegForbiddenUrl ^(.*) - [break]

You can define multiple customer networks with one SAP Web Dispatcher. To do so, configure different ports. The

port dependent rewrite rules are in the same rules.txt:

# Rewrite rules
if %{SERVER_PORT} = 8080
begin
RegIRewriteRawUrl ^/sap/bc/sdf/sdcc/$ /sap/bc/sdf/sdcc/?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sld/ds$ /sap/bc/cim/ds?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/srsm_mai/push_metrics/$ /sap/srsm_mai/push_metrics?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/cof/COF_SEND_TO_SRSM/$ /sap/bc/rest/cof/COF_SEND_TO_SRSM?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/e2e_ta_col/AgentCollector$ /sap/bc/rest/e2e_ta_col/AgentCollector?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/rumdataservice/records$ /sap/bc/rest/rumdataservice/records?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/aimdataservice/data$ /sap/bc/rest/aimdataservice/data?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/statraggdatasrv/records$ /sap/bc/rest/statraggdatasrv/records?smgwa=<AdmReqParam> [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/rest/sumdataservice/records$ /sap/bc/rest/sumdataservice/records?smgwa=<AdmReqParam> [qsreplace,break]
end
if %{SERVER_PORT} = 8081
begin
# rewrite rules for the customer network on this port go here
end
RegForbiddenUrl ^(.*) - [break]

6.1.2 Apache

Reverse path syntax:

RewriteRule ^/sld/ds$ http://<host>:<port>/sld/ds?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/lmdb/ds$ http://<host>:<port>/lmdb/ds?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/srsm_mai/push_metrics/$ http://<host>:<port>/sap/srsm_mai/push_metrics?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/bc/rest/cof/COF_SEND_TO_SRSM/$ http://<host>:<port>/sap/bc/rest/cof/COF_SEND_TO_SRSM?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/bc/sdf/sdcc/$ http://<host>:<port>/sap/bc/sdf/sdcc/?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/bc/rest/e2e_ta_col/AgentCollector/$ http://<host>:<port>/sap/bc/rest/e2e_ta_col/AgentCollector?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/srsm/E2E_trace_upl$ http://<host>:<port>/sap/srsm/E2E_trace_upl?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/bc/rest/rumdataservice$ http://<host>:<port>/sap/bc/rest/rumdataservice?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/bc/rest/aimdataservice/data$ http://<host>:<port>/sap/bc/rest/aimdataservice/data?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/bc/rest/statraggdatasrv/records$ http://<host>:<port>/sap/bc/rest/statraggdatasrv/records?smgwa=<AdmReqParam> [P,NC,L]
RewriteRule ^/sap/bc/rest/sumdataservice$ http://<host>:<port>/sap/bc/rest/sumdataservice?smgwa=<AdmReqParam> [P,NC,L]

Please note that the service implementation of sdcc requires a slash before the question mark. For example: /sdcc/?smgwa.
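The reverse rules in sections 6.1.1 and 6.1.2 only fence a customer network if every rule sets smgwa, sits on a single line, and (on the SAP Web Dispatcher) is backed by an active RegForbiddenUrl catch-all. The audit script below is an added example, not SAP code; the sample rule files, the fencing values NETA and NETB, and the host frun.example are constructed, and the check that one fencing value is not reused across port blocks is an assumption drawn from the port-per-network setup above.

```python
import re

# One rule per line: directive, source pattern, target, [flags].
RULE_RE = re.compile(
    r"^(RegIRewriteRawUrl|RewriteRule)\s+(\S+)\s+(\S+)\s+\[([^\]]*)\]$", re.I)
PORT_RE = re.compile(r"^if\s+%\{SERVER_PORT\}\s*=\s*(\d+)$", re.I)
FORBID_RE = re.compile(r"^RegForbiddenUrl\s+\^\(\.\*\)\s", re.I)
FENCE_RE = re.compile(r"[?&]smgwa=([^&\s]+)")


def check_rule(directive, target, flags):
    """Return the findings for one parsed rewrite rule."""
    out = []
    flags = {f.strip().lower() for f in flags.split(",")}
    if not FENCE_RE.search(target):
        out.append("target carries no smgwa fencing parameter")
    # Page note: the sdcc service needs a slash before the question mark.
    if "/sdcc" in target and "/sdcc/?" not in target:
        out.append("sdcc target lacks the slash before '?'")
    if directive == "rewriterule":            # Apache mod_rewrite
        if "p" not in flags:
            out.append("rule is not proxied ([P] missing)")
        if "qsa" in flags or "qsappend" in flags:
            # QSA appends the client's own query string to the rewritten one.
            out.append("[QSA] keeps the client-supplied query string")
    elif "qsreplace" not in flags:            # SAP Web Dispatcher
        out.append("qsreplace flag missing")
    return out


def audit_rules(text):
    """Audit a reverse-rule file; return a list of (line_number, finding)."""
    findings, port, saw_wd, catch_all = [], None, False, False
    fences = {}  # fencing value -> set of port blocks it is used in
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out RegForbiddenUrl is not in effect
        if m := PORT_RE.match(line):
            port = m.group(1)
        elif line.lower() == "end":
            port = None
        elif FORBID_RE.match(line):
            catch_all = True
        elif m := RULE_RE.match(line):
            directive, _, target, flags = m.groups()
            directive = directive.lower()
            findings += [(no, f) for f in check_rule(directive, target, flags)]
            if directive == "regirewriterawurl":
                saw_wd = True
                if hit := FENCE_RE.search(target):
                    fences.setdefault(hit.group(1), set()).add(port)
        elif re.match(r"(RegIRewriteRawUrl|RewriteRule)\b", line, re.I):
            # Rules must sit on one line (no carriage returns inside a path).
            findings.append((no, "rule is split across lines or malformed"))
    for value, ports in sorted(fences.items()):
        if len(ports) > 1:  # assumption: one fencing value per customer network
            findings.append((0, f"fencing value {value} is shared by "
                                f"{len(ports)} port blocks"))
    if saw_wd and not catch_all:
        findings.append((0, "no active RegForbiddenUrl catch-all"))
    return findings


# Constructed Web Dispatcher rules file with four deliberate mistakes.
WD_SAMPLE = """\
if %{SERVER_PORT} = 8080
begin
RegIRewriteRawUrl ^/sld/ds$ /sap/bc/cim/ds?smgwa=NETA [qsreplace,break]
RegIRewriteRawUrl ^/sap/bc/sdf/sdcc/$ /sap/bc/sdf/sdcc?smgwa=NETA [qsreplace,break]
end
if %{SERVER_PORT} = 8081
begin
RegIRewriteRawUrl ^/sld/ds$ /sap/bc/cim/ds?smgwa=NETA [qsreplace,break]
RegIRewriteRawUrl ^/sap/srsm_mai/push_metrics/$
/sap/srsm_mai/push_metrics?smgwa=NETB [qsreplace,break]
end
#RegForbiddenUrl ^(.*) - [break]
"""

# Constructed Apache rules with two deliberate mistakes.
APACHE_SAMPLE = """\
RewriteRule ^/sld/ds$ http://frun.example:8000/sld/ds?smgwa=NETA [P,NC,L]
RewriteRule ^/lmdb/ds$ http://frun.example:8000/lmdb/ds?smgwa=NETA [P,NC,L,QSA]
RewriteRule ^/sap/bc/rest/sumdataservice$ http://frun.example:8000/sap/bc/rest/sumdataservice [P,NC,L]
"""

if __name__ == "__main__":
    for name, sample in (("webdispatcher", WD_SAMPLE), ("apache", APACHE_SAMPLE)):
        for line_no, finding in audit_rules(sample):
            print(f"{name}:{line_no or '-'}: {finding}")
```

Findings with line number 0 apply to the whole file rather than to a single rule.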


7 Role Generation and User Comparison

After an upgrade of FOCUSED RUN to a new FP, or after a new installation, we recommend that you run PFCG Mass Generation and Mass Comparison for roles SAP_FOCUSED RUN to avoid authorization problems due to missing profiles.


8 Technical Users

For security, reliability, and traceability reasons, we have created separate users and roles for separate functions

in Focused Run.


8.1 Technical Users to Authenticate Data Send Requests to the Focused Run System (ABAP)

To have their own set of users for each customer namespace, some of the technical users have a three-character

customer ID (CID) in their names. These users are used to authenticate requests with incoming data. Even if

there is only one network/namespace and no data separation in Focused Run, there is at least one CID. These technical users are of type System and are created automatically by SSI when the customer network is created. As a prerequisite for this automatic creation, the template users listed below must be created manually.

Note: Template users type: Reference.

The technical users of applications not yet integrated in SSI, such as RUM, AIM, and Performance KPI Setup, need to be created manually. Copy the user from the template user and change the user type to System. Remember the password; you need to enter it in the RUM, AIM, and Performance KPI Setup preparations.

| Template user | ABAP Role | Technical User generated by SSI | Description |
| --- | --- | --- | --- |
| TPL_FRN_LDDS, TPL_FRN_LDSR | SAP_FRN_LDB_DS* | FRN_LDDS_<CID>, FRN_LDSR_<CID> | FRN_LDDS_<CID> user is for the authentication of data suppliers sending SLD payloads directly to Focused Run (LMDB). FRN_LDSR_<CID> user is for authentication of data suppliers sending SLD payloads via an SLDR. The SLDR has its own user to easily identify the SLD payload sent via SLDR. Both users are special in Focused Run. |
| TPL_FRN_CSA | SAP_FRN_CSA | FRN_CSA_<CID> | User to authenticate configuration-analysis requests sent from the SDA to Focused Run (collection of configuration data). |
| TPL_FRN_DPC | SAP_FRN_DPC | FRN_DPC_<CID> | User to authenticate monitoring requests sent from the SDA to Focused Run (collection of host, DB, system monitoring, and analysis data). |
| TPL_FRN_DPI | SAP_FRN_DPI | FRN_DPI_<CID> | User to authenticate monitoring requests sent from the CA APM EM to Focused Run (collection of host, DB, system monitoring and analysis data). |
| TPL_FRN_EWA | SAP_FRN_EWA | FRN_EWA_<CID> | User to authenticate EWA requests sent from the ABAP managed system to Focused Run (collection of ABAP EWA data). |
| TPL_FRN_TA | SAP_FRN_TA | FRN_TA_<CID> | User to authenticate TA requests sent from the SDA managed system to Focused Run (collection of TA data). |
| TPL_FRN_RUM | SAP_FRN_RUM | FRN_RUM_<CID> | User to authenticate RUM requests sent from the SDA managed system to Focused Run (collection of RUM data). |
| TPL_FRN_AIM | SAP_FRN_AIM | FRN_AIM_<CID> | User to authenticate AIM requests sent from the SDA managed system to Focused Run (collection of AIM data). |
| TPL_FRN_ASM | SAP_FRN_ASM | FRN_ASM_<CID> | User to authenticate STATRAG requests sent from the SDA managed system to Focused Run (collection of STATRAG data). |
| TPL_FRN_EXM | SAP_FRN_EXM | FRN_EXM_<CID> | User to authenticate EXM requests sent from the SDA managed system to Focused Run (collection of EXM data). |
| TPL_FRN_SUM | SAP_FRN_SUM | FRN_SUM_<CID> | User to authenticate SUM requests sent from the SDA managed system to Focused Run (collection of SUM data). |
| TPL_FRN_SLDS | no role | FRN_SLDS_<CID> | This user is special. It is only generated at network generation as a preparation of an external user-management effort. This user is intended for authentication of send requests to the SLDR (Java application of the SDA) from the SLD DS. This user has no role and no password in ABAP. Do not enter user and password at: RSSI_CHANGE_NETWORK_PASSWORD. If you have no integration with external user management for the SLD DS, enter this user password when you configure the SLDR itself. |

Roles in bold with prefix * contain authorization objects that need to be maintained.

8.1.1.1 How to Maintain Authorization Objects

To grant authorization for the authorization object, you need to maintain these objects as follows:

1. In the Role Maintenance of PFCG, choose Authorizations tab.

2. Choose Change.

3. From the utilities menu, select Technical Names On.

4. Maintain all activity values for each authorization object as above in the roles of the template users.

5. Generate the profile.

6. To assign this profile to a user, choose the User tab, add your user in the table.

Note: If users are already assigned, also execute the user comparison.

7. Save.

Result: You have now created a role for your specific needs.

Please ensure the roles for the users listed above have been generated, before the users get copied.

If you assign customer roles to the template users listed above, adjust the authorizations for user

SAP_FRN_IADM_SSI_USER accordingly. For details, see section Technical Users for Internal RFC Communication

in Central ABAP Stack.
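The naming and typing rules of section 8.1 (template users of type Reference, per-network users FRN_<application>_<CID> of type System with a three-character CID, one role per user, no role for FRN_SLDS_<CID>) can be checked against a user list. The script below is an added example, not SAP code; the semicolon-separated "user;type;roles" export format and all sample rows are constructed, and additional roles are reported for review because customer roles may be assigned deliberately.

```python
import re

# Data-sender applications and their roles, from the table in section 8.1.
# FRN_SLDS_<CID> has no role in ABAP.
EXPECTED_ROLE = {
    "LDDS": "SAP_FRN_LDB_DS", "LDSR": "SAP_FRN_LDB_DS",
    "CSA": "SAP_FRN_CSA", "DPC": "SAP_FRN_DPC", "DPI": "SAP_FRN_DPI",
    "EWA": "SAP_FRN_EWA", "TA": "SAP_FRN_TA", "RUM": "SAP_FRN_RUM",
    "AIM": "SAP_FRN_AIM", "ASM": "SAP_FRN_ASM", "EXM": "SAP_FRN_EXM",
    "SUM": "SAP_FRN_SUM", "SLDS": None,
}
TEMPLATE_RE = re.compile(r"^TPL_FRN_([A-Z]+)$")
SENDER_RE = re.compile(r"^FRN_([A-Z]+)_(.+)$")


def audit_users(export):
    """Return (user, finding) pairs for a 'user;type;roles' export."""
    findings = []
    for row in export.strip().splitlines():
        user, utype, roles = (c.strip() for c in row.split(";"))
        roles = {r.strip() for r in roles.split(",") if r.strip()}
        if user.startswith(("FRN_BTC_", "FRN_IADM_")):
            # Batch and internal RFC users (sections 8.2, 8.3): type System.
            want_type, app, cid = "System", None, None
        elif m := TEMPLATE_RE.match(user):
            want_type, app, cid = "Reference", m.group(1), None
        elif m := SENDER_RE.match(user):
            want_type, (app, cid) = "System", m.groups()
        else:
            continue  # dialog users are out of scope for this check
        if utype != want_type:
            findings.append((user, f"type is {utype}, expected {want_type}"))
        if app is None:
            continue
        if app not in EXPECTED_ROLE:
            findings.append((user, f"unknown application key {app}"))
            continue
        if cid is not None and len(cid) != 3:
            findings.append((user, "customer ID is not three characters"))
        expected = {EXPECTED_ROLE[app]} - {None}
        for role in sorted(expected - roles):
            findings.append((user, f"role {role} not assigned"))
        for role in sorted(roles - expected):
            findings.append((user, f"additional role {role} assigned"))
    return findings


# Constructed sample export; A01 stands in for a customer ID.
SAMPLE_EXPORT = """
TPL_FRN_DPC;Reference;SAP_FRN_DPC
TPL_FRN_CSA;System;SAP_FRN_CSA
FRN_DPC_A01;System;SAP_FRN_DPC
FRN_CSA_A01;Dialog;SAP_FRN_CSA
FRN_EWA_A01;System;SAP_FRN_EWA,SAP_FRN_BTC_GPA
FRN_SLDS_A01;System;SAP_FRN_LDB_DS
FRN_RUM_AB;System;
FRN_BTC_MAI;System;SAP_FRN_BTC_MAI
"""

if __name__ == "__main__":
    for user, finding in audit_users(SAMPLE_EXPORT):
        print(f"{user}: {finding}")
```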

8.1.2 *SAP_FRN_LDB_DS

The role SAP_FRN_LDB_DS contains authorization objects delivered by SAP with no authorization. Please

maintain as shown below:

| Authorization Objects of role SAP_FRN_LDB_DS to be maintained | Authorization Field | Recommended Value | Comment |
| --- | --- | --- | --- |
| S_BTCH_JOB | JOBGROUP | * | Job management requirement |
| AI_LMDB_DS | LMDB_DOMA | LDB | Only the domain LDB (landscape management database) is currently available. |
| AI_LMDB_DS | LMDB_NAMES | * | The technical users FRN_LDDS_<CID> and FRN_LDSR_<CID> write into the customer namespaces identified internally by namespace hashes. These users are created from the template user. The namespace hashes are randomly generated. After the namespaces are operative, consider creating a dedicated role for each namespace and add the namespace with the known namespace hash. |

8.2 Technical Users for Batch Processing in ABAP

Note: Batch processing users type: System.


| Technical User for Batch Processing | Role | Description |
| --- | --- | --- |
| FRN_BTC_CSA | SAP_FRN_BTC_CSA | User with authorizations to run CSA-specific batch processing |
| FRN_BTC_EWA | *SAP_FRN_BTC_EWA | User with authorizations to run EWA-specific batch processing |
| FRN_BTC_LDB | *SAP_FRN_BTC_LDB; SAP_FRN_CNW_ACCESS_ADMIN; SAP_FRN_LDB_NOTIF_SSI | User with authorizations to run LMDB-specific batch processing; starting SSI procedures via LMDB notification |
| FRN_BTC_MAI | *SAP_FRN_BTC_MAI; SAP_FRN_BTC_GPA; SAP_FRN_CNW_ACCESS_ADMIN; *SAP_FRN_SND_SNMP_TRAP | User with authorizations to run MAI-specific batch processing |
| FRN_BTC_RUM | SAP_FRN_BTC_RUM; SAP_FRN_AEM_UMD_ALR; SAP_FRN_CNW_ACCESS_ADMIN | User with authorizations to run RUM-specific batch processing |
| FRN_BTC_SAM | No role | User doesn't need dedicated authorizations to run SAM-specific batch processing |
| FRN_BTC_SMP | SAP_FRN_BTC_SMP; SAP_FRN_CNW_ACCESS_ADMIN | User with authorizations to run SMP-specific batch processing see also |
| FRN_BTC_WMM | SAP_FRN_BTC_WMM | User with authorizations to run WMM-specific batch processing |
| FRN_BTC_TA | SAP_FRN_BTC_TA | User with authorizations to run TA-specific batch processing |
| FRN_BTC_CNM | No role | User doesn't need dedicated authorizations to run CNM-specific batch processing |
| FRN_BTC_AIM | SAP_FRN_BTC_AIM: Note 2584160 needs to be applied; SAP_FRN_CNW_ACCESS_ADMIN; SAP_FRN_AEM_UMD_ALR | User with authorizations to run AIM-specific batch processing; data separation controlled by customer network; authorization to create unmodeled alerts |
| FRN_BTC_SRA | *SAP_FRN_BTC_SRA; SAP_FRN_AIM; SAP_FRN_CNW_ACCESS_ADMIN; *SAP_FRN_AAD_SYA_ALL | Running jobs for aggregation for system analytics and data collection of cloud integration monitoring; data separation controlled by customer network; all authorizations for system analytics application administration |
| FRN_BTC_AEM | SAP_FRN_BTC_AEM | User with authorizations to run AEM-specific batch processing |
| FRN_BTC_ASM | SAP_FRN_BTC_ASM | User with authorizations to run ASM-specific batch processing |
| FRN_BTC_GPA | SAP_FRN_BTC_GPA; SAP_FRN_CNW_ACCESS_ADMIN | User with authorizations to run guided procedure-specific batch processing |

Roles in bold with prefix * contain authorization objects that need to be maintained.

8.2.1.1 How to Maintain Authorization Objects

To grant authorization for the authorization object, you need to maintain these objects as follows:

1. In the Role Maintenance of PFCG, choose Authorizations tab.

2. Choose Change.

3. From the utilities menu, select Technical Names On.

4. Maintain all activity values for each authorization object as above in the roles of the template users.

5. Generate the profile.

6. To assign this profile to a user, choose the User tab, add your user in the table.

Note: If users are already assigned, execute user comparison.

7. Save.

Result: You have now created a role for your specific needs.


8.2.2 *SAP_FRN_BTC_EWA

The role SAP_FRN_BTC_EWA contains authorization objects delivered by SAP with no authorization. Please

maintain as shown below:

| Authorization Objects of role SAP_FRN_BTC_EWA to be maintained | Authorization Field | Recommended Value | Comment |
| --- | --- | --- | --- |
| S_RFC_ADM | ICF_VALUE | * | See online documentation. |
| S_RFC_ADM | RFCTYPE | * | Depends on the connection type, which is not known at installation. You might enter the known destination type of the destination created with SDCCN. |
| S_BTCH_JOB | JOBGROUP | * | Job management requirement. |


8.2.3 *SAP_FRN_BTC_LDB

The role SAP_FRN_BTC_LDB contains authorization objects delivered by SAP with no authorization. Please

maintain as shown below:

| Authorization Objects of role SAP_FRN_BTC_LDB to be maintained | Authorization Field | Recommended Value | Comment |
| --- | --- | --- | --- |
| S_RFC_ADM | ICF_VALUE | * | See online documentation. |
| S_RFC_ADM | RFCDEST | * | Depends on the name(s) of the destination to SLD for content sync, which are not known at installation. You might enter the known destination name. |
| S_BTCH_JOB | JOBGROUP | * | Job management requirement. |
| AI_LMDB_AD | LMDB_NAMES | * | The technical user FRN_BTC_LDB must have access to all LMDB namespaces (a filter here is only advised for dialog users, to restrict access). |
| AI_LMDB_OB | LMDB_MTYPE, LMDB_NAMES, LMDB_OBJID, LMDB_STYPE | * for each field | The technical user FRN_BTC_LDB must have access to all LMDB objects (a filter here is only advised for dialog users, to restrict access). |

8.2.4 *SAP_FRN_BTC_MAI

The role SAP_FRN_BTC_MAI contains authorization objects delivered by SAP with no authorization. Please

maintain as shown below:

| Authorization Objects of role SAP_FRN_BTC_MAI to be maintained | Authorization Field | Recommended Value | Comment |
| --- | --- | --- | --- |
| S_RFC_ADM | ICF_VALUE | * | See online documentation. |
| S_RFC_ADM | RFCDEST | * | Destination names to all SAP host agents needed in case of mass update of configurations. It is advised to keep this as * due to the high effort to maintain. |
| S_USER_GRP | Class | * | See online documentation. |
| AI_LMDB_AD | LMDB_NAMES | * | The technical user FRN_BTC_MAI must have access to all LMDB namespaces (a filter here is only advised for dialog users, to restrict access). |
| AI_LMDB_OB | LMDB_MTYPE, LMDB_NAMES, LMDB_OBJID, LMDB_STYPE | * for each field | The technical user FRN_BTC_MAI must have access to all LMDB objects (a filter here is only advised for dialog users, to restrict access). |

8.2.5 *SAP_FRN_SND_SNMP_TRAP

The role SAP_FRN_SND_SNMP_TRAP contains authorization objects delivered by SAP with no authorization.

Please maintain as shown below:

| Authorization Objects of role SAP_FRN_SND_SNMP_TRAP to be maintained | Authorization Field | Recommended Value | Comment |
| --- | --- | --- | --- |
| S_LOG_COM | HOST | <hostname> | Hostname of Focused Run application server, which should create SNMP traps for alert-forwarding with SNMP. |

8.2.6 *SAP_FRN_BTC_SRA

The role SAP_FRN_BTC_SRA contains authorization objects delivered by SAP with no authorization. Please

maintain as shown below:

| Authorization Objects of role SAP_FRN_BTC_SRA to be maintained | Authorization Field | Recommended Value | Comment |
| --- | --- | --- | --- |
| AI_LMDB_OB | LMDB_MTYPE, LMDB_NAMES, LMDB_OBJID, LMDB_STYPE | * for each field | The technical users FRN_BTC_MAI must have access to all LMDB objects (a filter here is only advised for dialog user, to restrict access). |


8.2.7 *SAP_FRN_AAD_SYA_ALL

The role SAP_FRN_AAD_SYA_ALL contains authorization objects delivered by SAP with no authorization. Please

maintain as shown below:

| Authorization Objects of role SAP_FRN_AAD_SYA_ALL to be maintained | Authorization Field | Recommended Value | Comment |
| --- | --- | --- | --- |
| S_BTCH_JOB | JOBGROUP | * | Job management requirement. |
| S_DATASET | FILENAME | * | File name not known at configuration time. |

8.2.8 *SAP_FRN_BTC_GPA

The role SAP_FRN_BTC_GPA contains authorization objects delivered by SAP with no authorization. Please

maintain as shown below:

| Authorization Objects of role SAP_FRN_BTC_GPA to be maintained | Authorization Field | Recommended Value | Comment |
| --- | --- | --- | --- |
| S_ICF_ADM | ICF_NODE | * | A randomly generated hash, created at GP generation. The batch user must have access to all GPs (for housekeeping, for example). |
| S_BTCH_JOB | JOBGROUP | * | Job management requirement. |
| S_DATASET | FILENAME | * | File name not known at creation time of the GP. |
| S_DEVELOP | DEV_CLASS | * | Customer package name for logos to be included in HTML reports generated as part of the GPs. |
| S_DEVELOP | OBJNAME | * | Customer object name for logos to be included in HTML reports generated as part of the GPs. |
| S_DEVELOP | P_GROUP | * | Customer programs to be included in the GPs. |
| AI_LMDB_OB | LMDB_MTYPE, LMDB_NAMES, LMDB_OBJID, LMDB_STYPE | * for each field | The technical user FRN_BTC_GPA must have access to all LMDB objects (a filter here is only advised for dialog users, to restrict access). |
| SM_SETUP | SCENARIOS | * | GP scenario name not known before GP creation. |
| SM_SETUP | STEPS | * | GP step name not known before GP creation. |

8.3 Technical Users for Internal RFC Communication in Central ABAP Stack

Note: User type: System.

| Technical User for Batch Processing | Role | Description |
| --- | --- | --- |
| FRN_IADM_SSI | SAP_FRN_IADM_SSI_COMP, a composite role including roles *SAP_FRN_IADM_SSI_USER and SAP_FRN_IADM_SSI_USER_DELETE | User FRN_IADM_SSI is necessary for integrated user management with internal RFC communication, if no external user management solution is available at the customer site. The user having this role is used in the local SM59 RFC destination SSI_USER_ADMIN_CONNECTION. |

8.3.1.1 How to Maintain Authorization Objects

To grant full authorization for the authorization objects, you need to maintain these objects as follows:

1. In the Role Maintenance, choose Authorizations tab.

2. Choose Change.

3. From the utilities menu, select Technical Names On.

4. Maintain all activity values for each authorization object according to your needs. For instance, if you

want to grant full authorization, always choose all activities.

Note: The names of the roles assigned to the template users (users called TPL*) need to be authorized for the authorization objects S_USER_AGR and S_USER_SAS.

5. Generate the profile.


6. To assign this profile to a user, choose the User tab, add your user in the table.

Note: If users are already assigned, also execute the user comparison.

7. Save.

Result: You have now created a role for your specific needs.

8.3.2 *SAP_FRN_IADM_SSI_USER

The role SAP_FRN_IADM_SSI_USER contains authorization objects delivered by SAP with minimal authorization.

Please maintain as shown below:

| Authorization Objects of role SAP_FRN_IADM_SSI_USER to be maintained | Authorization Field | Delivered Value | Comment |
| --- | --- | --- | --- |
| S_USER_AGR | ACT_GROUP | SAP_FRN* | The role needed to grant authorization to assign the roles you have assigned to the template users; see section Technical Users to Authenticate Data Send Requests to the Focused Run system. After you have created custom roles, you need to maintain this group with your role names. |
| S_USER_SAS | ACT_GROUP | I_SAP_FRN*, SAP_FRN_* | The role needed to grant authorization to assign the roles you have assigned to the template users; see section Technical Users to Authenticate Data Send Requests to the Focused Run system. After you have created custom roles, you need to maintain this group with your role names. |


9 Data Protection and Privacy

The purpose of FOCUSED RUN is to support organizations (IT departments, host providers) that run technical

operations on business systems.

As part of technical operations, FOCUSED RUN collects monitoring data such as metrics, configurations, traces,

and exceptions from designated business systems. This monitoring data can contain personal data such as user

IDs when exposed by the business systems.

Obtaining consent to store and process personal data in business operations, and to expose it in monitoring data, is the responsibility of the managed business system. As part of the monitoring operation, personal data is stored together with the operational data. This personal data in the monitoring data is to be deleted in FOCUSED RUN on demand, and as part of regular housekeeping.

FOCUSED RUN requires personal data of its dialog users for administrative purposes. In other cases, FOCUSED

RUN stores personal data for the productive operations of IT departments.

FOCUSED RUN users effectively consent to FOCUSED RUN storing and processing personal data when

conducting FOCUSED RUN transactions that require personal data to complete.

This chapter describes where the personal data is stored and used in FOCUSED RUN.

9.1 FOCUSED RUN Dialog Users and Business Partners

All dialog users and business partners in FOCUSED RUN are created and maintained with SAP NetWeaver 7.5

standard functionality. For more information, reference SAP NetWeaver documentation:

https://help.sap.com/viewer/p/SAP_NETWEAVER_750.

9.2 Landscape Objects and Business Partners

Landscape objects include customer networks, technical systems, instances, databases, and hosts. Landscape

Objects are maintained in the LMDB. It is not uncommon in LMDB, as part of productive IT operations, to map

technical objects to business partners responsible for them. If business partners are deleted using SAP

NetWeaver functions (see above 8.1), this mapping is invalidated.

Depending on individual organizational policies, personal data can be maintained and deleted in the LMDB's

technical system editor, via the additional attributes (such as system owner).

Delete landscape objects in the LMDB's technical system editor. Please note, however, that deleting landscape

objects may lead to orphan configurations, which complicate clean-up efforts if the landscape object is already

deleted. A safe option is to decommission landscape objects using the report RSRSM_SSI_CLEANUP_NETWORK.

For more information, reference the relevant documentation (https://support.sap.com/en/solution-manager/focused-solutions/focused-run.html), under Decommissioning => Automatic Decommissioning.

For safe deletion of changelog documents that contain user IDs after a defined retention period, execute RLMDB_CLEAR_CHANGELOG.


9.3 Real User Monitoring

User IDs collected by real user monitoring are stored in these protected tables:

/RUM/AGGRECIN

/RUM/AGGRECOUT

/RUM/SNGLRECIN

/RUM/SNGLRECOUT

To delete all data older than a given number of days, execute report /rum/housekeeping. The time period is

configurable.

To delete a single user ID outside of executing the housekeeping function, manually delete the ID from the tables

listed above.

9.4 Synthetic User Monitoring

A best practice for synthetic user monitoring is to remove all personal data in the synthetic user monitoring script

editor when parameterizing scripts. As a result, data of technical tests users replaces all personal data. This is the

standard recommendation for creating scripts for automatic execution in SUM.

9.5 Trace Analysis

If a user records a trace for their own activity, this action collects the user ID. The user can delete their trace

manually from the trace application.

To delete all data older than a given number of hours, execute report E2E_TRACE_DELETE. The time period is

configurable.

To delete a single user ID outside of executing the housekeeping function, manually delete the ID from the trace

tables as follows:

Go to SE24 and choose CL_E2E_CPT_SEARCH_AMDP.

Execute class (F8).

Select Search.

Enter the user name in field IV_VALUE.

Execute the method.

If the result ET_BT is empty, no trace is available or it contains traces of the entered user name only.

The following entries from ET_BT need to be deleted in the trace application.

9.6 System Analytics

User IDs of ABAP backend systems are collected if the collection of statistic records is configured for a system.

To delete all data older than a given number of days, execute report AI_STATRAGG_HOUSEKEEPING. The time

period is configurable.

To delete a single user ID outside of executing the housekeeping function, manually delete it from the table STATDBUSERTCODE where ACCOUNT = the user ID and from table STATDBUSERWORKLO where USERNAME = the user ID.

9.7 Advanced Event Management

In advanced event management, you can assign an alert to a user for processing. The assigned user can be a

dialog user in FOCUSED RUN or be an external user. When assigning an alert for processing, enter personal data

of the user such as a name, user ID, or an e-mail address. This personal data remains visible in the alert action log.

The personal data is stored in the table AEM_ACTION_LOG. Due to the technical settings of this table, it is not

possible to remove the personal data with TX SE16.

The following code can be used to create a custom program to remove this personal data:

PARAMETERS: p1 TYPE ac_guid,    "context id
            p2 TYPE ac_guid,    "alert type id
            p3 TYPE hash160,    "hash metric path
            p4 TYPE acc_action, "action id
            p5 TYPE sydatum,    "action date
            p6 TYPE syuzeit.    "action time

IF p1 IS NOT INITIAL AND
   p2 IS NOT INITIAL AND
   p4 IS NOT INITIAL AND
   p5 IS NOT INITIAL AND
   p6 IS NOT INITIAL.
  DELETE FROM aem_action_log WHERE context_id       = p1 AND
                                   alert_type_id    = p2 AND
                                   hash_metric_path = p3 AND
                                   action_id        = p4 AND
                                   action_date_utc  = p5 AND
                                   action_time_utc  = p6.
  IF sy-subrc EQ 0.
    WRITE: 'Entry deleted'.
  ELSE.
    WRITE: 'Failed to delete entry'.
  ENDIF.
ELSE.
  WRITE: 'Insufficient data input'.
ENDIF.

9.8 Central Notification Management

In central notification management (CNM), recipient groups are maintained to send alerts and other notifications

to recipients.

Notification groups can be populated by selecting registered users from the FOCUSED RUN NW user management (see 8.1) or by entering external recipients. An external recipient can be entered with their name, telephone numbers, and email addresses.

You can maintain and delete this entry in CNM.

The tables of the CNM are as follows:

CNM_CID -> stores the email and phone number. Once the external recipient is deleted from the UI, these details

are deleted from the table as well:

CNM_RECIPIENT

CNM_RL

CNM_RL_CN

CNM_RL_MAP

9.9 Change and Security Analysis

Change and security analysis can monitor critical authorizations (such as SAP_ALL, J2EE_Administrator). When

this special monitoring is active, the user ID containing the critical authorization is recorded.

Change and security analysis uses its collector framework to transfer technical data of the connected managed

systems into the configuration and change database (CCDB). CCDB is a set of tables stored in FOCUSED RUN's

database. This transferred technical configuration data does contain user IDs. Other personal and sensitive data

is not extracted or stored.

9.9.1 How to Display Data Stored in the Configuration and Change Database

To display user-dependent data:

Start application Configuration & Security Analytics.

For your scope, select systems or use an asterisk on the extended system ID for all systems.

Select the panel Search, enter the user ID bracketed by asterisks (for example, *sdagent*), confirm the selection

as shown in the screenshot below:

Notes:

• Data deletion takes place in two steps, both logically and physically. As soon as data is deleted logically it is

not displayed anymore by the above search. The physical deletion of data is performed periodically. The

physical data deletion is performed within a few hours of the logical deletion.

• The display of data is protected by authorizations. The CCDB authorization to display all data, including the

protected data, is required here. In addition, you must ensure you have authorization for all customer

networks.

• The search does not display configuration items that are marked as deleted in CCDB. These are elements

which have not been delivered by the last snapshot of the corresponding data transfer. Such deleted

configuration items can be found and displayed by the data deletion utility only.

9.9.2 How to Delete User-Dependent Data from Configuration and Change Database

The CSA checks configuration data of managed systems. Due to its technical configuration, data is transferred

into the CCDB of the FOCUSED RUN system (such as configuration data of RFC connections or authorization data

containing user IDs).

For deletion of CCDB data on FOCUSED RUN SP02, use report CCDB_SEL_DATA_DEL. For an installation

reference, see SAP Note 2562443, Collective Corrections for CSA Collector Framework in FOCUSED RUN FP02.

Data Display

Execute Report CCDB_SEL_DATA_DEL.

Enter the user between asterisks with DISPLAY enabled, DELETE disabled, and execute.

As a result, a screen displays the technical store IDs that match the search pattern (case insensitive search).

Depending on the number of connected systems with which the user is working, the number of stores displayed

will vary. If the list is empty, there is no user data regarding the search pattern in CCDB.

Choosing the back icon displays a second screen containing additional data.

Scroll to the right to find the searched data if it is not in the initial view.

Choose the back icon to end the report.

Data Deletion

Important notes:

• During data deletion, the whole content of stores containing the user ID is deleted. This means that all other data in the store and its history are removed as well. It takes approximately 24 hours until current data is reloaded. Because the current data can be reloaded, the process is not critical, but the history of data that is not user-dependent is lost.

Until the current data is retransferred to CCDB, applications like configuration validation and SAP EarlyWatch

Alert, which use the CCDB data, may run into an error or report incorrect or missing data.

• Depending on the user ID, stores are selected for deletion that contain text rather than the specific user ID to

match the search. Such deletions cannot be avoided technically.

• The data is deleted logically only. The physical deletion takes place within a few hours automatically. As soon

as the data is deleted logically it cannot be accessed anymore by applications.

• Before performing the deletion process, consider that the user data must first be deleted in the managed systems. Otherwise, the periodic data push may transfer the user data into the CCDB again.

To perform the deletion, enter the user between asterisks with DISPLAY disabled and DELETE enabled:

Execute the report and wait until it has finished. The report is designed for user data deletion only, and therefore a

high number of search hits is not expected.

FOCUSED RUN supports different procedures to implement data protection and privacy. This chapter describes

the procedures per use case. The different FOCUSED RUN use cases where data privacy protection is applicable

are:

• Dialog User Management and Business Partner

• LMDB

• Real User Monitoring (RUM)

• Synthetic User Monitoring (SUM)

• Advanced Alert Management

• Advanced Integration Monitoring (AIM)

• Advanced Notification Management

• Change and Security Analysis

10 Dialog Users

Focused Run for SAP Solution Manager 1.0 FP02 applications protect access to managed objects on the

customer network level.

SAP Fiori launchpad features redesigned authorization groups for FP2. If you are currently operating with

Focused Run for SAP Solution Manager 1.0 FP00 or FP01, be sure to reassign new authorizations as described in

the following sections.

10.1 Dialog User Roles with SAP Fiori Tiles

This chapter provides an overview of how and why roles are designed the way they are in FOCUSED RUN 1.0

FP02.

All roles are listed in the addendum.

For additional details on the authorization object, please see the role documentation in SU22 or in PFCG.

10.2 Proposed Work Flow to Assign Authorizations in FOCUSED RUN

The workflow for roles follows conventions from other SAP systems:

1. Define operation team responsibilities and team members. For guests and customers, define self-service

responsibilities.

2. Create a named dialog user in FOCUSED RUN for each team member. Similarly, create a dialog user for

guests and customers.

3. Create custom cross-FOCUSED RUN applications roles from the delivered SAP roles. According to defined

responsibilities, maintain the authorization object of the role for granting visibility to systems, custom

networks, customers, and others. Assign these custom roles to dialog users.

Use * to access all objects in the LMDB.

4. Assign custom cross-FOCUSED RUN applications roles to dialog users.

5. Assign the needed SAP Fiori tiles to fulfill team tasks to the dialog user. Similarly, assign tiles for guests and customers.

6. Create custom common FOCUSED RUN application roles from the delivered SAP roles. According to defined

responsibilities, maintain the authorization object of the role for granting operations. Authorization objects of

these roles must be maintained before you can use the roles.

Maintaining roles with * grants all objects and operations.

All roles with authorization objects to be maintained are listed in the addendum.

7. Assign custom common FOCUSED RUN applications roles to the dialog user.

10.3 Role types

Group the roles for dialog users in FOCUSED RUN into different types.

10.3.1 SAP NetWeaver Basic Roles and Customer Roles Designed Prior to FOCUSED RUN

This guide describes FOCUSED RUN roles sufficient to run all FOCUSED RUN applications. Please see SAP

NetWeaver documentation for SAP NetWeaver basic functions such as transport management or user

management. Also, be sure to reference your company's policies with regard to customizing basic roles.

10.3.2 Cross-Application FOCUSED RUN Roles

The cross-application roles help you to separate which managed objects of your IT landscape can be displayed

and operated by the FOCUSED RUN dialog user owning the roles:

| Role Name | Short Text | Assign to |
| --- | --- | --- |
| SAP_FRN_CNW_ACCESS | Grants access for the customer networks level, the customer level, or the datacenter | All (see below) |
| SAP_FRN_CNW_ACCESS_ADMIN | Grants access to all customer networks, customers, or datacenters | Technical user (see above) or Super Admin |
| SAP_FRN_LDB_OB_DSIP | Grants access on the technical system and hosts level | All (see below) |

10.3.2.1 SAP_FRN_CNW_ACCESS

The role SAP_FRN_CNW_ACCESS contains authorization object LMDB_SCOPE, delivered by SAP with field value

LMDB_CN. Please maintain in your customer roles the object LMDB_CN to grant access to dedicated LMDB

namespaces.

| Authorization Objects of role SAP_FRN_CNW_ACCESS to be maintained | Authorization Field | Delivered Value | To be maintained |
| --- | --- | --- | --- |
| LMDB_SCOPE | LMDB_SCOPE | LMDB_CN | no |
| LMDB_CN | LDB_CUSTNET | <empty> | Name of Customer Network |
| LMDB_CN | LDB_CUSTNET | <empty> | Customer ID |
| LMDB_CN | LDB_DC | <empty> | Data Center ID |

Since LMDB_SCOPE is set to LMDB_CN with limited access, the fields of object LMDB_CN are evaluated.

In the example below, which grants data access of customer ID ABC only, all fields must be maintained.

10.3.2.2 SAP_FRN_CNW_ACCESS_ADMIN

The role SAP_FRN_CNW_ACCESS_ADMIN contains the authorization object LMDB_SCOPE, delivered by SAP with authorization field LMDB_SCOPE value ADMIN. Since LMDB_SCOPE is set to ADMIN, the fields of object LMDB_CN will not be evaluated.

This role is typically granted to technical users for batch processing (see chapter 8.2). The role can also be

assigned to Super Admin needing access in FOCUSED RUN to all customer namespaces.

| Authorization Objects of role SAP_FRN_CNW_ACCESS to be maintained | Authorization Group | Delivered Value | To be maintained |
| --- | --- | --- | --- |
| LMDB_SCOPE | LMDB_SCOPE | ADMIN | No |

As shown below, this role does not contain the authorization object LMDB_CN.

10.3.2.3 SAP_FRN_LDB_OB_DSIP

The role SAP_FRN_LDB_OB_DSIP contains authorization objects delivered by SAP with no authorization

separations. Maintain the listed authorization objects in your customer roles as below to grant access to

dedicated LMDB objects according to your team roles:

| Authorization Objects of role SAP_FRN_LDB_OB_DSIP to be maintained | Authorization Group | Delivered Value | Comment |
| --- | --- | --- | --- |
| AI_LMDB_OB | LDB_NAMES | * | See documentation (maintain this field as an exception only; namespace access is granted with SAP_FRN_CNW_ACCESS). |
| AI_LMDB_OB | LMDB_STYPE | ABAP, ATC, BOBJ, CLOUD_CONN, DBSYSTEM, DIAGNAGENT, EXT_SRV, HANADB, IS_EM, IS_MOM, JAVA, LIVE_CACHE, MDM, MSIISINST, MS_.NET, SUP, TREX, UNSP3TIER, UNSPAPP, UNSPECIFIC, WEBDISP, WEBSPHERE | Maintain this authorization group for separate access by different functional groups (such as "Database administrators only"). |

10.3.3 FOCUSED RUN Tools Roles

The tools roles grant access to certain tools that are offered by different applications. For example, the

authorization to create a scope selection is useful in all applications with scope selections.

| Role | Description |
| --- | --- |
| SAP_FRN_SCOPE_SEL | Role to authorize scope selection for FOCUSED RUN. |
| SAP_FRN_CNM_SND_NOTIF | Authorizations to send notifications. |
| SAP_FRN_APP_AEM_ALR_INB_DISP | Access to alert inbox display; no confirm. |
| SAP_FRN_APP_AEM_ALR_TIC | Access to alert ticker. |

10.3.4 FOCUSED RUN SAP Fiori roles

SAP Fiori roles control access to SAP Fiori launchpad (FLP), implemented by FOCUSED RUN.

SAP Fiori authorizations are effective on SAP Fiori catalogs and SAP Fiori groups.

The catalogs and groups are named according to FOCUSED RUN applications.

SAP Fiori groups and the tiles they contain:

Focused Run Home (navigation tiles only to open):
• SAP Focused Solutions for SAP Solution Manager
• SAP Focused Run: SAP Help Portal
• SAP Focused Run: Technical Details
• SAP Focused Run: Whitepaper

Advanced System Management (ASM):
• System Monitoring
• System Monitoring: Template Maintenance
• System Monitoring: Individual Maintenance
• System Monitoring: Content Update
• Advanced Monitoring
• Advanced Monitoring: Configuration
• System Analytics
• System Analytics: Configuration
• System Management: Guided Procedure Catalogue
• System Management: Guided Procedure Reporting
• IT Calendar & Work Mode Management
• Service Availability Management
• License Management
• EWA Reports: ONE Support Cloud
• Maintenance Planner: ONE Support Cloud

Advanced User Monitoring (AUM):
• Real User Monitoring
• Real User Monitoring: Configuration
• Synthetic User Monitoring
• Synthetic User Monitoring: Configuration
• Trace Analysis

Advanced Integration Monitoring (AIM):
• Integration Monitoring
• Integration Monitoring: Configuration
• Cloud Service Management: Configuration

Advanced Event & Alert Management (AEM):
• Alert Management
• Alert Management: Alert Consumer Configuration
• Alert Management: Guided Procedure Catalogue
• Alert Management: Guided Procedure Reporting

Configuration & Security Analytics:
• Configuration & Security Analytics
• Configuration & Security Analytics: Administration

Infrastructure Administration:
• LMDB (Administration, Setup and Object Maintenance)
• Global Settings & Network Configuration
• Simple System Integration
• Agent Administration
• Agent Mass Update
• Self-Monitoring
• Self-Monitoring: Dashboard
• Central Notification Management
• Expert Scheduling Management Cockpit

Please assign SAP Fiori roles to dialog users according to the different tasks of IT teams, guests, and customers.

Here are the naming conventions of SAP Fiori Roles:

| Role Name | Short Text | Assign to |
| --- | --- | --- |
| SAP_FRN_FLP_EMBEDDED | Authorization to open SAP Fiori launchpad. | All |
| SAP_FRN_FLP_CAT_APP_<XXX>, SAP_FRN_FLP_CAT_AAD_<XXX> | Allows access to the SAP Fiori catalog to organize (move, add, delete) the tiles within the catalog. APP indicates that the catalog contains tiles for applications. AAD indicates that the catalog contains tiles for applications administration. | Administrators, key users |
| SAP_FRN_FLP_<number>_<XXX> | Allows access to the tiles in SAP Fiori launchpad, for example, Advanced System Management (ASM) and Advanced User Monitoring (AUM). The <XXX> is a placeholder for the application acronym. The <number> is for internal reference only. | Operators and administrators according to the assigned tasks; guests and customers |

All SAP Fiori roles are listed in the addendum.

10.3.5 FOCUSED RUN Application Roles

FOCUSED RUN application roles grant authorizations at the applications level, as accessed by SAP Fiori tiles.

That means if you can see a SAP Fiori tile in SAP Fiori launchpad, you can open the application, but without

authorization on the application level, you cannot work with the application.

To use the application, you need to assign application roles to dialog users. The roles for the application are

designed to grant sufficient authorizations depending on the responsibility of the dialog user in the operation

team. Similarly, roles for the application grant guests and customers selected self-service responsibilities.

Some roles indicate by name that they are intended for application administration (SAP_FRN_AAD_<XXX>_<XXX>) or are designed for the application purpose only (SAP_FRN_APP_XXX_XXX). In cases where there is little distinction between AAD or AAP, the role name is shortened, such as SAP_FRN_LDB_DISP.

| Role | Short Text | Assign to |
| --- | --- | --- |
| SAP_FRN_SSI_WSEXEC | Dedicated role to execute SSI via web service calls. | Administrators, Technical Users |
| SAP_FRN_*_ALL, ADMIN | All authorizations on the applications | Administrators, Key Users |
| SAP_FRN_RUM_WOD, SAP_FRN_SIA_WOD, SAP_FRN_AIM_WOD | Access to special protected data like UID in RUM or Business payload in AIM (collected only if dedicated customizing exists) | Administrators (if administrators should not see business data, do not assign *_ALL) |
| SAP_FRN_*_EXE | Execute the applications | Key Users, Operations |
| SAP_FRN_*_MAINT | Maintain content | Operators |
| SAP_FRN_*_REVIEW, REV | Review certain content | Key users, Customers |
| SAP_FRN_*_DISP | Display data | Customers, Guests |
| SAP_FRN_CSA_PROTECTED | Access to critical data in CSA (has user SAP_ALL, etc.) | Key Users |

All application roles are listed in the addendum.

10.4 Dialog User Roles for Incident processing by SAP

We recommend creating a dedicated user for incident processing by SAP. Grant this user the following roles:

| Role | Description |
| --- | --- |
| SAP_FRN_FLP_EMBEDDED | SAP Fiori launchpad authorization |
| SAP_FRN_SCOPE_SEL | Filter bar |
| SAP_FRN_FLP_5_ISA | ISA SAP Fiori Group |
| SAP_FRN_APP_MOAL_ALL | All authorizations for system-monitoring application |
| SAP_FRN_LDB_ALL | LMDB: Full authorizations |
| SAP_FRN_SDA_ALL | Administration authorizations for agent administration (SLDR configuration, upload SDA/JRE binaries, mass installation, debug) |
| SAP_FRN_SSI_ALL | Administration authorization for Simple System Integration |
| SAP_FRN_TECH_MON_TOOL | Monitoring support: Full authorizations |
| Customer own Role | Grant access to the following transactions: SE16, SE80, SM37, etc. Please see further authorization in SAP Note 2042794 Prerequisites for Efficient Incident Processing |

10.5 Special Protected Tables

Through RUM and AIM, FOCUSED RUN delivers two applications that collect sensitive data in FOCUSED RUN

tables.

RUM saves user IDs. AIM saves business payload data (if customized on the application side).

The relevant tables for RUM are:

/RUM/AGGRECIN

/RUM/AGGRECOUT

/RUM/SNGLRECIN

/RUM/SNGLRECOUT

The relevant tables for AIM are:

/IMA/EDID4

/IMA/PIMSGABAPUD

EXM_COLL_CTXT

Due to sensitive data potential, we have protected the SE16 access to the tables with the authorization object

S_TABU_NAM, in the roles:

SAP_FRN_AAD_RUM_ALL

SAP_FRN_APP_RUM_ALL

SAP_FRN_AAD_AIM_ALL

SAP_FRN_AAP_AIM_ALL

This way, users without special SE16 access cannot see sensitive data.

The roles should be granted to selected persons only. The roles are used by development support and administrators for troubleshooting.

Please note that we expect SE16 access to tables to be granted within customer roles with authorization object S_TABU_DISP, and that the values specify the relevant table fields and are not substituted by *. If the S_TABU_DISP value is * for the table group, table content is at risk of unauthorized display access.
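The check described above, as an added example (not SAP's or this guide's own code): a Python audit over a role-authorization export that flags customer roles granting display access to the specially protected tables, either through S_TABU_DISP with * as the table group or through S_TABU_NAM outside the four roles named in this section. The CSV layout (columns named after AGR_1251 fields), the Z_* role names, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Tables this guide lists as specially protected (section 10.5).
PROTECTED_TABLES = (
    "/RUM/AGGRECIN", "/RUM/AGGRECOUT", "/RUM/SNGLRECIN", "/RUM/SNGLRECOUT",
    "/IMA/EDID4", "/IMA/PIMSGABAPUD", "EXM_COLL_CTXT",
)
# Roles the guide names as the intended holders of S_TABU_NAM for those tables.
INTENDED_ROLES = frozenset({
    "SAP_FRN_AAD_RUM_ALL", "SAP_FRN_APP_RUM_ALL",
    "SAP_FRN_AAD_AIM_ALL", "SAP_FRN_AAP_AIM_ALL",
})
DISPLAY = "03"  # ACTVT value for display

# Constructed sample export (assumed layout, one row per authorization value).
SAMPLE_EXPORT = """\
AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
SAP_FRN_AAD_RUM_ALL,S_TABU_NAM,T-1,ACTVT,03,
SAP_FRN_AAD_RUM_ALL,S_TABU_NAM,T-1,TABLE,/RUM/AGGRECIN,
Z_OPS_DISPLAY,S_TABU_DISP,T-2,ACTVT,03,
Z_OPS_DISPLAY,S_TABU_DISP,T-2,DICBERCLS,*,
Z_SUPPORT,S_TABU_NAM,T-3,ACTVT,*,
Z_SUPPORT,S_TABU_NAM,T-3,TABLE,/RUM/*,
Z_BASIS,S_TABU_DISP,T-4,ACTVT,03,
Z_BASIS,S_TABU_DISP,T-4,DICBERCLS,SS,
Z_RANGE,S_TABU_NAM,T-6,ACTVT,03,
Z_RANGE,S_TABU_NAM,T-6,TABLE,EXM_A,EXM_Z
"""


def value_covers(low, high, target):
    """True if one authorization value (single, * pattern or range) covers target."""
    low, high = low.strip(), high.strip()
    if high:  # range LOW..HIGH, compared as plain strings
        return low <= target <= high
    pattern = ".*".join(re.escape(part) for part in low.split("*"))
    return re.fullmatch(pattern, target) is not None


def covers(values, target):
    """True if any (low, high) pair of a field covers target."""
    return any(value_covers(low, high, target) for low, high in values)


def load_authorizations(export_text):
    """Group rows into {(role, object, auth): {field: [(low, high), ...]}}."""
    auths = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["AGR_NAME"], row["OBJECT"], row["AUTH"])
        auths[key][row["FIELD"]].append((row["LOW"], row["HIGH"] or ""))
    return auths


def audit(export_text):
    """Return sorted findings as (role, object, detail) tuples."""
    findings = set()
    for (role, obj, _auth), fields in load_authorizations(export_text).items():
        # Fields of one authorization are combined, so display must be granted too.
        if not covers(fields.get("ACTVT", []), DISPLAY):
            continue
        if obj == "S_TABU_DISP" and any(
            low.strip() == "*" for low, _ in fields.get("DICBERCLS", [])
        ):
            findings.add((role, obj, "DICBERCLS=*"))
        elif obj == "S_TABU_NAM" and role not in INTENDED_ROLES:
            for table in PROTECTED_TABLES:
                if covers(fields.get("TABLE", []), table):
                    findings.add((role, obj, table))
    return sorted(findings)


if __name__ == "__main__":
    for role, obj, detail in audit(SAMPLE_EXPORT):
        print(f"{role}: {obj} grants display via {detail}")
```
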

10.6 Proposal for Setup User during FOCUSED RUN Initial Preparation before Going Live

The initial preparation of FOCUSED RUN is executed by a small team of experts. Profiles SAP_ALL & SAP_NEW do

not contain needed authorization to access SAP Fiori tiles. Experience shows that it is very helpful during

preparation phase to have all needed authorization for configuration, configuration check, and troubleshooting

assigned to the named users of the small team performing the preparation.

For your convenience, here is a list of all FOCUSED RUN-specific roles required in addition to SAP_ALL & SAP_NEW for initial preparation:

| Role | Short text |
| --- | --- |
| SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group Infrastructure Administration |
| SAP_FRN_FLP_4_CSA | Access to FOCUSED RUN FLP: Group CSA |
| SAP_FRN_FLP_3_AEM | Access to FOCUSED RUN FLP: Group AEM |
| SAP_FRN_FLP_3_1_AIM | Access to FOCUSED RUN FLP: Group AIM |
| SAP_FRN_FLP_2_AUM | Access to FOCUSED RUN FLP: Group AUM |
| SAP_FRN_FLP_1_ASM | Access to FOCUSED RUN FLP: Group ASM |
| SAP_FRN_FLP_0_FRNH | Access to FOCUSED RUN FLP: Group FRNH |

11 Technical Users for Managed Systems

The technical users in managed systems and databases are required to authenticate data collection requests.

The technical users on OS level are required to authenticate ad-hoc requests to SAP host agent or simple

diagnostics agent.

Focused Run does not create these technical users; they must be created by different tools according to

customer policies as part of the preparation. The user credentials must be provided to SSI at configuration call.

11.1 Technical Users for SAP NetWeaver ABAP

This user must be created in one managed system ABAP client, to which the simple diagnostics agent connects via RFC for data collection.

This needs to be created in the managed system as preparation. SDAGENT/PW needs to be provided when

executing Simple System Integration in the Focused Run system.

The roles below are delivered with latest version of ST-PI. In addition, the most recent version of the roles is

attached to SAP Note 2450740 - Roles to authorize access in managed Systems to collect data for FOCUSED RUN.

| Technical User ID | Role | Description |
| --- | --- | --- |
| SDAGENT | *SAP_FRN_SDAGENT_CSA_MS | Authorizations to collect CSA data |
| SDAGENT | SAP_FRN_SDAGENT_CSA_SEC_MS | Display special users (such as SAP*) with default passwords |
| SDAGENT | SAP_FRN_SDAGENT_EWA_MS | Authorization to collect EWA data |
| SDAGENT | SAP_FRN_SDAGENT_MAI_MS | Authorization to collect monitoring data |
| SDAGENT | SAP_FRN_SDAGENT_TA_MS | Authorization to collect TA data |
| SDAGENT | SAP_FRN_SDAGENT_RUM_MS | Authorization to collect RUM data |
| SDAGENT | SAP_FRN_SDAGENT_AIM_MS | Authorization to collect AIM data |
| <customer> | SAP_SDCCN_ALL | Execute SDCCN Job |

11.1.1.1 How to Maintain authorization objects

To grant authorization for the authorization object, you need to maintain these objects as follows:

1. In the Role Maintenance of PFCG, choose the Authorizations tab.

2. Choose the Change button.

3. From the utilities menu, select Technical Names On.

4. Maintain all activity values for each authorization object as above in the roles of the template users.

5. Generate the profile.

6. To assign this profile to a user, choose the User tab and add your user in the table.

Note: If users are already assigned, execute the user comparison.

7. Save.

11.1.2 * SAP_FRN_SDAGENT_CSA_MS

The role SAP_FRN_SDAGENT_CSA_MS contains authorization objects delivered by SAP with no authorization. To

use Focused Run scenario Configuration and Security Analysis, maintain as shown below:

Authorization Objects of role

SAP_FRN_BTC_SRA to be

maintained

Authorization

Field

Recommended

Value

Comment

S_RFC_ADM ICF_VALUE * See online documentation

S_DATASET FILENAME

PROGRAM

*

S_LOG_COM HOST

OPSYSTEM

*

11.2 Technical Users for SAP NetWeaver Java

This user needs to be created in the managed system as preparation.

The SDAGENTJ/password needs to be provided when executing SSI in Focused Run.

The following roles and actions must be assigned if the described functionality or metric is planned to be consumed:

Technical User ID: SDAGENTJ

JAVA Role / Action:
• Java Roles
o NWA_READONLY
o SAP_JAVA_WSNAVIGATOR
o XI_FOCUSED RUN_GET_MSG (Available with PI 7.31 SP18+, PI 7.40 SP13+, PI 7.50 SP02+)
o Administrator
• Java Action
o Spml_Read_Action (See SAP Note 1647157 - How to Set up Access to the SPML Service on AS Java)

Description:
• Needed for Java message monitoring in Focused Run AIM.
• Needed for monitoring metrics of Java job monitoring Focused Run ASM.
• Needed to collect message payload in FOCUSED RUN AIM monitoring (only possible if relevant customizing is done in the PI).
• Needed to collect data of "Java PSE Certificates" for validation check in Focused Run CSA.
• Needed for security check of whether default users are disabled in FOCUSED RUN CSA.
• Needed for Monitoring Metric Java Named Users in Focused Run ASM.

11.3 Technical Users for Apache Tomcat

This user needs to be created in the managed system as preparation. Then JMXUSR/password needs to be provided when executing SSI in Focused Run.

| Technical User ID | JAVA Start-up Parameter | Description |
| JMXUSR | -Dcom.sun.management.jmxremote | Needed to collect SysMon and System Analysis data via JMX calls. See SAP Note 1633036 - SAP Solution Manager 7.1 E2E RCA Setup for Apache Tomcat |
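
The table names only the bare -Dcom.sun.management.jmxremote switch. The following script is an added example, not taken from this guide or from SAP Note 1633036: it audits a Tomcat JVM option string for the standard JVM remote-JMX properties that decide whether the JMXUSR credentials are actually enforced. The port 9004, the file names, the readonly access level and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the SAP guide or SAP Note 1633036.
# Audits the remote-JMX options of a Tomcat JVM monitored via a dedicated user.

# Print the value of -D<property>=<value> from an option string; status 1 if absent.
# $1 = option string, $2 = property name
jmx_opt() (
    set -f                        # no globbing while $1 is word-split
    prefix="-D$2="
    for tok in $1; do
        case "$tok" in
            "$prefix"*) val=${tok#"$prefix"}; printf '%s\n' "$val"; return 0 ;;
        esac
    done
    return 1
)

# Create password and access files for one monitoring user, owner-only.
# $1 = directory, $2 = user, $3 = password
# Assumption: readonly access is enough for data collection.
write_jmx_files() (
    umask 077
    printf '%s %s\n' "$2" "$3" > "$1/jmxremote.password"
    printf '%s readonly\n' "$2" > "$1/jmxremote.access"
)

# Print findings; exit status is 0 only when no FAIL line was printed.
# $1 = JVM option string (for example CATALINA_OPTS), $2 = monitoring user
jmx_findings() (
    p=com.sun.management.jmxremote
    rc=0
    port=$(jmx_opt "$1" "$p.port") || { echo "OK: no remote JMX port set"; return 0; }
    # JVM defaults once a port is set: authenticate=true, ssl=true
    auth=$(jmx_opt "$1" "$p.authenticate") || auth=true
    ssl=$(jmx_opt "$1" "$p.ssl") || ssl=true
    pw=$(jmx_opt "$1" "$p.password.file") || pw=
    ac=$(jmx_opt "$1" "$p.access.file") || ac=

    if [ "$auth" != true ]; then
        echo "FAIL: port $port accepts JMX clients without credentials"; rc=1
    fi
    if [ "$ssl" != true ]; then
        echo "WARN: the password of $2 crosses the network without TLS"
    fi
    if [ -z "$pw" ]; then
        echo "INFO: JVM default password file in use; review it separately"
    elif [ ! -f "$pw" ]; then
        echo "FAIL: password file $pw does not exist"; rc=1
    elif [ "$(ls -ld "$pw" | cut -c5-10)" != "------" ]; then
        # characters 5-10 of the mode string are the group and other bits
        echo "FAIL: $pw is accessible to group or others"; rc=1
    fi
    if [ -n "$ac" ] && [ -f "$ac" ]; then
        level=$(awk -v u="$2" '$1 == u { print $2 }' "$ac")
        case "$level" in
            readonly)  ;;
            readwrite) echo "WARN: $2 is readwrite; confirm the collector needs it" ;;
            *)         echo "WARN: $2 has no usable entry in $ac" ;;
        esac
    fi
    return $rc
)

# Constructed sample: the switch from the table plus a port, with both
# protections turned off.
WEAK_OPTS="-Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9004 \
-Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
jmx_findings "$WEAK_OPTS" JMXUSR || true
```

Run it against the CATALINA_OPTS or JAVA_OPTS value of the Tomcat instance before entering JMXUSR/password in SSI; a FAIL line means the credentials are not what protects the JMX port.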

11.4 Technical Users for BOBJ

This user needs to be created in the managed system as preparation. Then usr/pwd needs to be provided when executing SSI in Focused Run.

| Technical User ID | BOBJ Role | Description |
| <customer> | CMS Admin | Created at installation. Needed to enable tracing (TA), monitor data collection (SYSMON), and configure store snapshot creations (configuration and security analytics administration) |

11.5 Technical Users for SMP

This user needs to be created in the managed system as preparation. Then user/password need to be provided when executing SSI in Focused Run.

| Technical User ID | SMP Role | Description |
| <customer> | Help Desk | Needed to enable tracing (TA), monitor data collection (SYSMON), and configure store snapshot creations (configuration and security analytics administration). See SMP 3-0 Guide: http://scn.sap.com/community/developer-center/mobility-platform/blog/2015/04/26/granting-role-based-access-in-sap-mobile-platform-30 |

11.6 Technical Users for Managed DB

For database monitoring, a dedicated user should exist on each database to authenticate connections from SAP Host Agent to the database.

Please check your database documentation.

The user needs to be created and user/password needs to be provided to SAP Host Agent as preparation. SAP host agent offers the web service method SetDatabaseProperty. This preparation is also mandatory for outside discovery on all DBs except HANA.

For providing user credentials to SAP host agent, see the following SAP Notes:

| DB | SAP Note |
| SAP HANA | 2023587 - Maintaining "hdbuserstore" using "setProperty" for SAP Host Agent |
| SAP ASE | 2236137 - SYB: saphostctrl/sapdbctrl - enable discovery for native ASE database installations |
| SAP ASE | 1797040 - SYB: SAP Host Agent - Using global or local secure storage |
| MS SQL Server | 1877727 - sapdbctrl: not member of sysadmin |
| MS SQL Server | 1564275 - How to Install SAP Systems Using Virtual Host Names on Windows |
| Oracle Database | No note. OS user is used by SAP host agent. Reference: http://scn.sap.com/docs/DOC-34217 |
| IBM DB2 for LUW | No note. OS user is used by SAP host agent. Reference: http://scn.sap.com/docs/DOC-34217 |
| SAP Max DB | 2018919 - SAP MaxDB/SAPHost Agent: Setting connect information as SetDatabaseProperty |

11.7 Technical Users for Managed OS

All requests from Focused Run to the simple diagnostics agent are sent to SAP host agent. SAP host agent acts as a proxy for these requests. These requests must be authenticated with the OS user sapadm. This user is to be created as part of SAP host agent installation. Then user/password need to be provided when executing SSI customer network creation in Focused Run.

An SM59 HTTP destination to SAP host agent is created automatically with this sapadm/password the first time the host is registered with Focused Run. The automatic generation of HTTP SM59 destinations in Focused Run supports only the same sapadm/password in the created network. If sapadm/password is different on each host, the SM59 HTTP destination needs to be adapted manually.

12 CA APM EM Users

For more information, see the CA APM Security Guide:

https://support.ca.com/cadocs/0/CA%20Application%20Performance%20Management%209%206-ENU/Bookshelf_Files/HTML/APM--Security%20Guide/index.htm

13 System Landscape Data Router Configuration

The system landscape data router (SLDR) is a simple diagnostics agent application with a small footprint. It forwards the payload of SLD data suppliers to different SLDs of NW Java or Focused Run. This is the same function as the NW Java SLD "Automatic Data Forwarding", except that no full NW Java is required.

The SLD data suppliers (SLD DS) send data to the SLDR, which requires inbound authentication. The SLDR then forwards the SLD DS payload to different targets, which also require authentication. These are the outbound authentications for the SLDR.

SSI creates the Focused Run-relevant inbound and outbound users for the SLDR. The configuration of the authentication to other outbound targets must be provided manually in the user interface of the diagnostics agent administration.

Refer to the Managed Systems Preparation guide for additional details about the number of SLDRs to enable in the relevant customer networks.

14 Enable Network Communication Encryption

For enabling network encryption, refer to the relevant documentation.

If you have questions or special requirements, contact the Focused Run team for project support.

• SAP NetWeaver
http://help.sap.com/saphelp_nw75/helpdata/en/49/2f0050d5ac612fe10000000a44176d/content.htm

• Simple Diagnostics Agent
Not enabled with first delivery of Focused Run.

• System Landscape Data Router
Not enabled with first delivery of Focused Run.

• SAP Host Agent
https://help.sap.com/saphelp_nw73ehp1/helpdata/en/6a/ac42c2e742413da050eaecd57f785d/content.htm

• CA APM EM
https://support.ca.com/cadocs/0/CA%20Application%20Performance%20Management%209%206-ENU/Bookshelf_Files/HTML/APM--Configuration%20Administration%20Guide/index.htm

• Proxy/Reverse proxy are vendor-dependent
o SAP Web Dispatcher
https://help.sap.com/saphelp_nw73ehp1/helpdata/en/49/3db10a19341067e10000000a42189c/content.htm?frameset=/en/48/8fe37933114e6fe10000000a421937/frameset.htm&current_toc=/en/ed/2429371ec14c23a7508affa1280d07/plain.htm&node_id=106&show_children=false
o Apache
http://httpd.apache.org/docs/2.4/ssl/
o Tiny Proxy
not TLS/SSL-enabled

• Load balancer
o Software load balancer
SAP Web Dispatcher
https://help.sap.com/saphelp_nw73ehp1/helpdata/en/49/3db10a19341067e10000000a42189c/content.htm?frameset=/en/48/8fe37933114e6fe10000000a421937/frameset.htm&current_toc=/en/ed/2429371ec14c23a7508affa1280d07/plain.htm&node_id=106&show_children=false
o Other software load balancers are documented by vendor.
o Hardware load balancers are documented by vendor.

14.1 Configure Encryption Usage for Customer Network Configuration in SSI UI

Communication direction Focused Run ABAP -> Managed System

At the installation of a simple diagnostics agent, SSI automatically creates an SM59 HTTP destination to SAP Host Agent of the known managed system (with sapadm as OS user). You can configure the SM59 HTTP destination to support SSL. The automatic configuration by SSI can be configured either globally or specifically for each network using the SSI configuration UI SM59 HTTP.

14.2 Configure Encryption Usage for SDA Configuration in Agent Administration

Communication direction Managed System -> Reverse proxy or Focused Run ABAP.

At the installation of an SDA, the agent administration sends the basic configuration with the connection credentials to the SDA and enables the TLS/SSL communication. Not available with first delivery of Focused Run.

Further Information

The following documents provide more information about <name of scenario>:

| Content | Location |
| Scenario Description | See the documentation in SAP Solution Manager. |
| Configuration Documentation | See the documentation in SAP Solution Manager. |
| Scenario Security Guide | For more information, reference SAP Help Portal: https://help.sap.com/viewer/p/FOCUSED RUN. |

15 Users and Authorizations in SAP Support Portal

To upload (LMDB technical data; for example, SAP service data: EWA) and download (license data; for example, ST-CONT update), Focused Run requires the same authorizations for S-USER in SAP Service Marketplace as already known from SAP Solution Manager; no new authorizations are added.

16 Addendum

16.1 Role Changes for FOCUSED RUN FP02

16.1.1 Roles Created for FP02

| Role Name | Short description |
| SAP_FRN_AAD_MOAL_MOC | Authorize MO individual monitoring and alert configuration |
| SAP_FRN_AAD_SUM_ALL | All authorizations for SUM configuration |
| SAP_FRN_AAD_SUM_DISP | Display authorizations for SUM configuration |
| SAP_FRN_AAD_SUM_MAINT | Maintenance authorizations for SUM configuration |
| SAP_FRN_APP_AAD_ADM_ALL | All authorizations for application and admin for application advanced monitoring |
| SAP_FRN_APP_PAS_DISP | Display authorizations for predictive analytics |
| SAP_FRN_APP_SUM_ALL | All authorizations for app SUM |
| SAP_FRN_APP_SYA_WOD | All authorizations for app system analytics, but no user data |
| SAP_FRN_BTC_AEM | Authorizations for AEM specific background processing |
| SAP_FRN_BTC_SMP | Authorizations for SPM specific background processing |
| SAP_FRN_EXM | Role for technical user FRN_EXM_<CID> |
| SAP_FRN_FLP_CAT_AAD_AVM | Access to FOCUSED RUN FLP: Catalogue AVM Admin |
| SAP_FRN_FLP_CAT_AAD_SUM | Access to FOCUSED RUN FLP: Catalogue SUM application configuration |
| SAP_FRN_FLP_CAT_APP_SUM | Access to FOCUSED RUN FLP: Catalogue SUM applications |
| SAP_FRN_LDB_NOTIF_SSI | Authorizations: Execute for SSI admin application in BTC by FRN_BTC_LDB |
| SAP_FRN_LDB_OB_DSIP | Authorization to display all LMDB objects |
| SAP_FRN_SND_SNMP_TRAP | Authorizes Sending alerts via SNMP Trap |
| SAP_FRN_SUM | Role for technical user FRN_SUM_<CID> |

16.1.2 Roles Changed with FP02

| Role name | Short description |
| SAP_FRN_AAD_AIM_ALL | All authorizations for AIM administration |
| SAP_FRN_AAD_AIM_DISP | Display authorizations for AIM administration |
| SAP_FRN_AAD_AVM_ALL | All authorizations to administer application advanced monitoring |
| SAP_FRN_AAD_AVM_DISP | Display authorizations to administer application advanced monitoring |
| SAP_FRN_AAD_CSA_ALL | All authorizations for CSA administration |
| SAP_FRN_AAD_CSA_DISP | Authorization for CSA administration: in display mode |
| SAP_FRN_AAD_CSA_MAINT | Authorization for CSA administration: in maintenance mode, but not templates |
| SAP_FRN_AAD_RUM_ALL | All authorizations for RUM administration |
| SAP_FRN_AAD_SYA_ALL | All authorizations for system analytics application administration |
| SAP_FRN_AEM_UMD_ALR | Authorization to create unmodeled alerts |
| SAP_FRN_APP_AEM_ALR_INB_DISP | Access to alert inbox display; no confirm |
| SAP_FRN_APP_AVM_ALL | All authorizations for application advanced monitoring |
| SAP_FRN_APP_CSA_DISP | Authorization for CSA APP in display mode |
| SAP_FRN_APP_CSA_MAINT | Authorization for CSA APP in maintenance mode |
| SAP_FRN_APP_CSA_PROTECTED | Authorization for CSA APP in display mode, including protected results |
| SAP_FRN_APP_GP_ALL | Full access to guided procedures application |
| SAP_FRN_APP_GP_DISP | Display access to guided procedures application |
| SAP_FRN_APP_GP_EXE | Execute access to guided procedures application |
| SAP_FRN_APP_MOAL_ALL | All authorizations for system monitoring and alert management |
| SAP_FRN_APP_MOAL_DISP | Display authorizations for system monitoring and alert management |
| SAP_FRN_APP_RUM_ALL | All authorizations for App RUM |
| SAP_FRN_APP_SYA_ALL | All authorizations for system analysis application |
| SAP_FRN_APP_TA_ALL | All authorizations for APP trace analysis |
| SAP_FRN_APP_TA_DISP | Display authorizations for APP trace Analysis |
| SAP_FRN_BTC_CSA | Authorizations for CSA specific background processing |
| SAP_FRN_BTC_GPA | Authorizations for GPA specific background processing |
| SAP_FRN_CNM_ALL | Notification management - full authorization |
| SAP_FRN_CNM_DISP | Central notification management display authorizations |
| SAP_FRN_FLP_CAT_GPB | Access to FOCUSED RUN FLP: Catalogue GP ASM |
| SAP_FRN_FLP_CAT_GPR | Access to FOCUSED RUN FLP: Catalogue GP AEM |
| SAP_FRN_LDB_ALL | FOCUSED RUN LMDB full access |
| SAP_FRN_LDB_DISP | FOCUSED RUN LMDB object display |
| SAP_FRN_LDB_MAINT | FOCUSED RUN LMDB object maintain |
| SAP_FRN_LICM_ALL | Full access to license management application |
| SAP_FRN_SDA_ALL | All authorizations for SDA admin application |
| SAP_FRN_SDA_DISP | Display authorizations for SDA admin application |
| SAP_FRN_SDA_MAINT | Maintenance authorizations for SDA Admin application |
| SAP_FRN_SDAGENT_AIM_MS | AIM authorizations for SDAgent User |
| SAP_FRN_SDAGENT_GPA_MS | GPA authorizations for SDAgent User |
| SAP_FRN_SRA_ALL | All authorizations for scheduling aggregation and replication FWK |
| SAP_FRN_SSI_ALL | All authorizations - Super Admin - for SSI admin application |
| SAP_FRN_SSI_APMAINT | Authorizations - application admin (expert) - for SSI admin application |
| SAP_FRN_SSI_MAINT | Authorizations: Execute for SSI admin application |
| SAP_FRN_SSI_WSEXEC | Access to execute SSI web services |
| SAP_FRN_UI5_PERS_PUB | Authorizations to create public UI5 custom pages |

16.2 Cross FOCUSED RUN Application Roles

| Role Name | Short Text |
| SAP_FRN_CNW_ACCESS | Grant access on level of customer networks, customer, or datacenter |
| SAP_FRN_LDB_OB_DSIP | Grant access on level of technical system and hosts |

16.3 FOCUSED RUN Tool Roles

| Role | Short Text |
| SAP_FRN_SCOPE_SEL | Role to authorize scope selection for FOCUSED RUN |
| SAP_FRN_CNM_SND_NOTIF | Authorizations to send notifications |
| SAP_FRN_APP_AEM_ALR_INB_DISP | Access to alert inbox display; no confirm |
| SAP_FRN_APP_AEM_ALR_TIC | Access to alert ticker |

16.4 All SAP Fiori Roles sorted by SAP Fiori Group Names

16.4.1 General SAP Fiori roles

| Function | Role | FOCUSED RUN Sort Text |
| Launch SAP Fiori Launchpad | SAP_FRN_FLP_EMBEDDED | Embedded use of SAP Fiori launchpad in SAP FOCUSED RUN |
| Public UI5 Personalization | SAP_FRN_UI5_PERS_PUB | Authorizations to create public UI5 Custom Pages |
| Public Scope Selection Filter | SAP_FRN_SCOPE_SEL_PUB_FILTER | Authorizations to create public filters for scope selection |

16.4.2 Focus Run Home

| SAP Fiori Tile Title / SAP Fiori Tile sub title | Role | FOCUSED RUN Sort Text |
| SAP Focused Solutions for SAP Solution Manager | SAP_FRN_FLP_0_FRNH | Access to FOCUSED RUN FLP: Group & Catalogue FRNH |
| SAP Focused Run SAP Help Portal | SAP_FRN_FLP_0_FRNH | Access to FOCUSED RUN FLP: Group & Catalogue FRNH |
| SAP Focused Run Technical Details | SAP_FRN_FLP_0_FRNH | Access to FOCUSED RUN FLP: Group & Catalogue FRNH |
| SAP Focused Run Whitepaper | SAP_FRN_FLP_0_FRNH | Access to FOCUSED RUN FLP: Group & Catalogue FRNH |

16.4.3 Advanced System Management

| SAP Fiori Tile Title / SAP Fiori Tile sub title | Role | FOCUSED RUN Sort Text |
| | SAP_FRN_FLP_1_ASM | Access to FOCUSED RUN FLP: Group ASM |
| System Monitoring | SAP_FRN_FLP_CAT_APP_SYM | Access to FOCUSED RUN FLP: Catalogue system monitoring applications |
| System Monitoring Template Maintenance | SAP_FRN_FLP_CAT_AAD_SYM | Access to FOCUSED RUN FLP: Catalogue system monitoring application administration |
| System Monitoring Individual Maintenance | SAP_FRN_FLP_CAT_AAD_SYM | Access to FOCUSED RUN FLP: Catalogue system monitoring application administration |
| System Monitoring Content Update | SAP_FRN_FLP_CAT_AAD_SYM | Access to FOCUSED RUN FLP: Catalogue system monitoring application administration |
| Advanced Monitoring | SAP_FRN_FLP_CAT_AVM | Access to FOCUSED RUN FLP: Catalogue AVM |
| Advanced Monitoring Configuration | SAP_FRN_FLP_CAT_AAD_AVM | Access to FOCUSED RUN FLP: Catalogue AVM admin |
| System Analytics | SAP_FRN_FLP_CAT_APP_SYA | Access to FOCUSED RUN FLP: Catalogue system analytics application |
| System Analytics Configuration | SAP_FRN_FLP_CAT_APP_SYA | Access to FOCUSED RUN FLP: Catalogue system analytics application |
| System Management Guided Procedure Catalogue | SAP_FRN_FLP_CAT_GPB | Access to FOCUSED RUN FLP: Catalogue GP ASM |
| System Management Guided Procedure Reporting | SAP_FRN_FLP_CAT_GPB | Access to FOCUSED RUN FLP: Catalogue GP ASM |
| IT Calendar & Work Mode Management | SAP_FRN_FLP_CAT_APP_ITC | Access to FOCUSED RUN FLP: Catalogue IT CAL & WMM application |
| Service Availability Management | SAP_FRN_FLP_CAT_APP_SAM | Access to FOCUSED RUN FLP: Catalogue SAM application |
| License Management | SAP_FRN_FLP_CAT_LICM | Access to FOCUSED RUN FLP: Catalogue LICM |
| EWA Reports ONE Support Cloud | SAP_FRN_FLP_CAT_EWA | Access to FOCUSED RUN FLP: Catalogue EWA |
| Maintenance Planner ONE Support Cloud | SAP_FRN_FLP_CAT_MPL | Access to FOCUSED RUN FLP: Catalogue MPL |

16.4.4 Advanced User Monitoring

| SAP Fiori Tile Title / SAP Fiori Tile sub title | Role | FOCUSED RUN Sort Text |
| | SAP_FRN_FLP_2_AUM | Access to FOCUSED RUN FLP: Group AUM |
| Real User Monitoring | SAP_FRN_FLP_CAT_APP_RUM | Access to FOCUSED RUN FLP: Catalogue RUM applications |
| Real User Monitoring Configuration | SAP_FRN_FLP_CAT_AAD_RUM | Access to FOCUSED RUN FLP: Catalogue RUM application administration |
| Synthetic User Monitoring | SAP_FRN_FLP_CAT_APP_SUM | Access to FOCUSED RUN FLP: Catalogue SUM applications |
| Synthetic User Monitoring Configuration | SAP_FRN_FLP_CAT_AAD_SUM | Access to FOCUSED RUN FLP: Catalogue SUM application configuration |
| Trace Analysis | SAP_FRN_FLP_CAT_APP_TA | Access to FOCUSED RUN FLP: Catalogue TA applications |

16.4.5 Advanced Integration Monitoring

| SAP Fiori Tile Title / SAP Fiori Tile sub title | Role | FOCUSED RUN Sort Text |
| | SAP_FRN_FLP_3_1_AIM | Access to FOCUSED RUN FLP: Group AIM |
| Integration Monitoring | SAP_FRN_FLP_CAT_APP_AIM | Access to FOCUSED RUN FLP: Catalogue AIM applications |
| Integration Monitoring Configuration | SAP_FRN_FLP_CAT_AAD_AIM | Access to FOCUSED RUN FLP: Catalogue AIM administration |
| Cloud Service Management Configuration | SAP_FRN_FLP_CAT_AAD_AIM | Access to FOCUSED RUN FLP: Catalogue AIM administration |

16.4.6 Advanced Event & Alert Management

| SAP Fiori Tile Title / SAP Fiori Tile sub title | Role | FOCUSED RUN Sort Text |
| | SAP_FRN_FLP_3_AEM | Access to FOCUSED RUN FLP: Group AEM |
| Alert Management | SAP_FRN_FLP_CAT_APP_AEM | Access to FOCUSED RUN FLP: Catalogue AEM applications |
| Alert Management Alerting Consumer Settings | SAP_FRN_FLP_CAT_AAD_AEM | Access to FOCUSED RUN FLP: Catalogue AEM application administration |
| Alert Management Guided Procedure Catalogue | SAP_FRN_FLP_CAT_GPR | Access to FOCUSED RUN FLP: Catalogue GP AEM |
| Alert Management Guided Procedure Reporting | SAP_FRN_FLP_CAT_GPR | Access to FOCUSED RUN FLP: Catalogue GP AEM |

16.4.7 Configuration and Security Analytics

| SAP Fiori Tile Title / SAP Fiori Tile sub title | Role | FOCUSED RUN Sort Text |
| | SAP_FRN_FLP_4_CSA | Access to FOCUSED RUN FLP: Group CSA |
| Configuration & Security Analytics | SAP_FRN_FLP_CAT_APP_CSA | Access to FOCUSED RUN FLP: Catalogue CSA applications |
| Configuration & Security Analytics Administration | SAP_FRN_FLP_CAT_AAD_CSA | Access to FOCUSED RUN FLP: Catalogue CSA application administration |

16.4.8 Infrastructure Administration

| SAP Fiori Tile Title / SAP Fiori Tile sub title | Role | FOCUSED RUN Sort Text |
| | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration |
| LMDB Object Maintenance | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration |
| Setup | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration |
| Administration | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration |
| Global Settings & Network Configuration | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration |
| Simple System Integration | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration |
| Agent Administration | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration |
| Agent Mass Update | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration |
| Self-Monitoring | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration |
| Self-Monitoring Dashboard | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration |
| Central Notification Management | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration |
| Expert Scheduling Management Cockpit | SAP_FRN_FLP_5_ISA | Access to FOCUSED RUN FLP: Group and catalogue infrastructure administration |

16.5 All Application Roles Sorted by FOCUSED RUN Applications

Where cross-application roles are used, they are listed redundantly.

16.5.1 Advanced System Management (ASM)

| Detail function | Role Name | Short description |
| "Cross application" assign independent of application | SAP_FRN_CNW_ACCESS | Role to grant access to FOCUSED RUN customer networks |
| | SAP_FRN_LDB_OB_DSIP | Authorization to display all LMDB objects |
| "Tools" assign independent of application | SAP_FRN_SCOPE_SEL | Role to authorize scope selection for FOCUSED RUN |
| | SAP_FRN_CNM_SND_NOTIF | Authorizations to send notifications |
| | SAP_FRN_APP_AEM_ALR_INB_DISP | Access to alert inbox display; no confirm |
| | SAP_FRN_APP_AEM_ALR_TIC | Access to alert ticker |
| System Monitoring | SAP_FRN_APP_MOAL_DISP | Display authorizations for system monitoring and alert management |
| | SAP_FRN_AAD_MOAL_MOC | Authorize MO individual monitoring and alert configuration |
| | SAP_FRN_APP_MOAL_ALL | All authorizations for system monitoring and alert management |
| | SAP_FRN_AAD_MOAL_ALL | All authorizations for system monitoring and alert management administration |
| | SAP_FRN_APP_PAS_DISP | Display authorizations for predictive analytics |
| Advanced Monitoring | SAP_FRN_APP_AVM_ALL | All authorizations for application advanced monitoring |
| | SAP_FRN_AAD_AVM_DISP | Display authorizations to administer application advanced monitoring |
| | SAP_FRN_SDA_DISP | Display authorizations for SDA admin application |
| | SAP_FRN_AAD_AVM_ALL | All authorizations to administer application advanced monitoring |
| | SAP_FRN_SDA_MAINT | Maintenance authorizations for SDA admin application |
| System Analytics | SAP_FRN_APP_SYA_ALL | All authorizations for system analysis application |
| | SAP_FRN_APP_PAS_DISP | Display Authorizations for Predictive Analytics |
| | SAP_FRN_APP_SYA_WOD | All authorizations for System Analysis Application |
| | SAP_FRN_AAD_SYA_ALL | All authorizations for System Analytics Application Administration |
| Guided Procedure Catalogue/Reporting | SAP_FRN_APP_GP_DISP | Display access to Guided Procedures Application |
| | SAP_FRN_APP_GP_EXE | Execute access to Guided Procedures Application |
| | SAP_FRN_APP_GP_ALL | Full access to Guided Procedures Application |
| IT Calendar & Work Mode Management | SAP_FRN_APP_ITC | Authorize using IT-Calendar |
| | SAP_FRN_APP_WMM_DISP | Work Mode Management Display Authorizations |
| | SAP_FRN_APP_WMM_ALL | Work Mode Management Full Authorizations |
| Service Availability Management | SAP_FRN_APP_SAM_DISP | Service Availability Management Display authorizations |
| | SAP_FRN_APP_SAM_OUTAGE | Authorizations for SAM Application: Manage Outages |
| | SAP_FRN_APP_SAM_OUTAGE_REV | Authorizations for SAM Application: Review Outages |
| | SAP_FRN_APP_SAM_DEF | Authorizations for SAM Application: Manage Service Definitions |
| | SAP_FRN_APP_SAM_ALL | All Authorizations for SAM Application |
| License Management | SAP_FRN_LICM_ALL | Full access to License Management Application |

16.5.2 Advanced User Monitoring (AUM)


Detail function Role Name Short description

"Cross application" assign independent of application SAP_FRN_CNW_ACCESS Role to grant access to FOCUSED RUN Customer Networks

SAP_FRN_LDB_OB_DSIP Authorization to display all LMDB Objects

"Tools" assign independent of application SAP_FRN_APP_AEM_ALR_INB_DISP Access to Alert Inbox Display; no Confirm

SAP_FRN_CNM_SND_NOTIF Authorizations to send Notifications

SAP_FRN_APP_AEM_ALR_TIC Access to Alert Ticker

Real User Monitoring SAP_FRN_APP_RUM_WOD All authorizations for App RUM, but no user data

SAP_FRN_APP_RUM_ALL All authorizations for App RUM

SAP_FRN_SDA_MAINT Maintenance authorizations for SDA Admin application

(Attention)

SAP_FRN_AAD_RUM_ALL All Authorizations for RUM Administration

Synthetic User Monitoring SAP_FRN_APP_TA_DISP Display Authorizations for APP Trace Analysis

SAP_FRN_APP_SUM_ALL All authorizations for App SUM

SAP_FRN_SDA_DISP Display authorizations for SDA Admin application

SAP_FRN_AAD_SUM_DISP Display Authorizations for SUM Configuration

SAP_FRN_SDA_MAINT Maintenance authorizations for SDA Admin application

SAP_FRN_AAD_SUM_MAINT Maintenance Authorizations for SUM Configuration

SAP_FRN_AAD_SUM_ALL All Authorizations for SUM Configuration

Trace Analysis SAP_FRN_APP_TA_DISP Display Authorizations for APP Trace Analysis

SAP_FRN_APP_TA_ALL All Authorizations for APP Trace Analysis


(Attention) This role is especially security-relevant. The owner of this role is able to see the user ID of the user sending a request monitored by RUM. This authorization is mandatory for investigating subjective complaints (such as "slow response times") by an end user. If the application is monitored by RUM, you can find the user request by searching for the user ID, and then see the measured response time and where the time is spent. This authorization is also mandatory for SAP dev-support. Grant this authorization to selected users only. For more information, see also section 8.3 Special protected tables.


16.5.3 Advanced Integration Monitoring (AIM)

Detail function Role Name Short description

"Cross application" assign independent of application SAP_FRN_CNW_ACCESS Role to grant access to FOCUSED RUN Customer Networks

SAP_FRN_LDB_OB_DSIP Authorization to display all LMDB Objects

"Tools" assign independent of application SAP_FRN_APP_AEM_ALR_INB_DISP Access to Alert Inbox Display; no Confirm

SAP_FRN_APP_AEM_ALR_TIC Access to Alert Ticker

SAP_FRN_CNM_SND_NOTIF Authorizations to send Notifications

Integration Monitoring SAP_FRN_APP_AIM_DISP Display Authorizations for Integration Monitoring

SAP_FRN_APP_AIM_ALL All Authorizations for Integration Monitoring

SAP_FRN_SRA_ALL All Auth. for Appl. Scheduling Aggregation & Replication FWK

(Attention)

SAP_FRN_AAD_AIM_ALL All Authorizations for AIM Administration

SAP_FRN_SRA_DISP Display Auth. for Appl. Scheduling Aggregation & Replication FWK

SAP_FRN_AAD_AIM_DISP Display Authorizations for AIM Administration

Cloud Service Administration SAP_FRN_SRA_ALL All Auth. for Appl. Scheduling Aggregation & Replication FWK

SAP_FRN_AAD_AIM_ALL All Authorizations for AIM Administration

SAP_FRN_SRA_DISP Display Auth. for Appl. Scheduling Aggregation & Replication FWK

SAP_FRN_AAD_AIM_DISP Display Authorizations for AIM Administration

(Attention) This role is especially security-relevant. The owner of this role is able to see the business payload of the electronic document monitored by AIM, if payload data monitoring is customized. This authorization is mandatory for investigating problems with the processing of a certain payload, if the endpoint and document type are monitored by AIM. This authorization is also mandatory for SAP dev-support. Grant this authorization to selected users only. For more information, see also section 8.3 Special protected tables.

16.5.4 Advanced Event & Alert Management (AEM)

Detail function Role Name Short description

"Cross application" assign independent of application SAP_FRN_CNW_ACCESS Role to grant access to FOCUSED RUN Customer Networks

SAP_FRN_LDB_OB_DSIP Authorization to display all LMDB Objects

"Tools" assign independent of application SAP_FRN_SCOPE_SEL Role to authorize Scope Selection for FOCUSED RUN

SAP_FRN_CNM_SND_NOTIF Authorizations to send Notifications

SAP_FRN_APP_AEM_ALR_INB_DISP Access to Alert Inbox Display; no Confirm

SAP_FRN_APP_AEM_ALR_TIC Access to Alert Ticker

Alert Management SAP_FRN_APP_GP_EXE Execute access to Guided Procedures Application

SAP_FRN_APP_MOAL_ALL All authorizations for System Monitoring & Alert Management

SAP_FRN_AAD_MOAL_ALL All authorizations for System Monitoring & Alert Management Administration

Guided Procedure Catalogue/Reporting SAP_FRN_APP_GP_DISP Display access to Guided Procedures Application

SAP_FRN_APP_GP_EXE Execute access to Guided Procedures Application

SAP_FRN_APP_GP_ALL Full access to Guided Procedures Application


16.5.5 Configuration & Security Analytics (CSA)

Detail function Role Name Short description

"Cross application" assign independent of application SAP_FRN_CNW_ACCESS Role to grant access to FOCUSED RUN Customer Networks

SAP_FRN_LDB_OB_DSIP Authorization to display all LMDB Objects

"Tools" assign independent of application SAP_FRN_SCOPE_SEL Role to authorize Scope Selection for FOCUSED RUN

SAP_FRN_CNM_SND_NOTIF Authorizations to send Notifications

SAP_FRN_APP_AEM_ALR_INB_DISP Access to Alert Inbox Display; no Confirm

SAP_FRN_APP_AEM_ALR_TIC Access to Alert Ticker

Configuration & Security Analytics SAP_FRN_APP_AEM_ALR_INB_DISP Access to Alert Inbox Display; no Confirm

SAP_FRN_APP_CSA_DISP Authorization for CSA APP in display mode

SAP_FRN_APP_CSA_MAINT Authorization for CSA APP: in Maintenance Mode

SAP_FRN_APP_CSA_PROTECTED Authorization for CSA APP in display mode, but incl. protected results

SAP_FRN_AAD_CSA_DISP Authorization for CSA Administration: in Display Mode

SAP_FRN_AAD_CSA_MAINT Authorization for CSA Administration: in Maintenance Mode, but not templates

SAP_FRN_AAD_CSA_ALL All Authorization for CSA Administration

16.5.6 Infrastructure Administration


Detail function Role Name Short description

"Cross application" assign independent of application SAP_FRN_CNW_ACCESS Role to grant access to FOCUSED RUN Customer Networks

LMDB SAP_FRN_LDB_DISP FOCUSED RUN LMDB Object Display

SAP_FRN_LDB_MAINT FOCUSED RUN LMDB Object Maintain

SAP_FRN_LDB_ALL FOCUSED RUN LMDB Full Access

Global Settings & Network Configuration SAP_FRN_LDB_DISP FOCUSED RUN LMDB Object Display

SAP_FRN_SDA_DISP Display authorizations for SDA Admin application

SAP_FRN_SSI_WSEXEC Access to Execute SSI Web Services

SAP_FRN_SSI_DISP Display authorizations for SSI Admin application

SAP_FRN_LDB_ALL FOCUSED RUN LMDB Full Access

SAP_FRN_SDA_MAINT Maintenance authorizations for SDA Admin application

SAP_FRN_SSI_MAINT Authorizations: Execute for SSI Admin application

SAP_FRN_SSI_APMAINT Authorizations - Application Admin (Expert) - for SSI Admin application

SAP_FRN_SDA_ALL All Authorizations for SDA Admin application

SAP_FRN_SSI_ALL All Authorizations - Super Admin - for SSI Admin application

Simple System Integration SAP_FRN_LDB_DISP FOCUSED RUN LMDB Object Display

SAP_FRN_SDA_DISP Display authorizations for SDA Admin application

SAP_FRN_SSI_WSEXEC Access to Execute SSI Web Services

SAP_FRN_SSI_DISP Display authorizations for SSI Admin application


SAP_FRN_LDB_ALL FOCUSED RUN LMDB Full Access

SAP_FRN_SDA_MAINT Maintenance authorizations for SDA Admin application

SAP_FRN_SSI_MAINT Authorizations: Execute for SSI Admin application

SAP_FRN_SSI_APMAINT Authorizations - Application Admin (Expert) - for SSI Admin application

SAP_FRN_SDA_ALL All Authorizations for SDA Admin application

SAP_FRN_SSI_ALL All Authorizations - Super Admin - for SSI Admin application

Agent Administration SAP_FRN_LDB_DISP FOCUSED RUN LMDB Object Display

SAP_FRN_SDA_DISP Display authorizations for SDA Admin application

SAP_FRN_SDA_MAINT Maintenance authorizations for SDA Admin application

SAP_FRN_SDA_ALL All Authorizations for SDA Admin application

Agent Mass Update SAP_FRN_LDB_DISP FOCUSED RUN LMDB Object Display

SAP_FRN_SDA_DISP Display authorizations for SDA Admin application

SAP_FRN_SDA_MAINT Maintenance authorizations for SDA Admin application

SAP_FRN_SDA_ALL All Authorizations for SDA Admin application

Self-Monitoring / Self-Monitoring Dashboard SAP_FRN_APP_MOAL_DISP Display authorizations for System Monitoring & Alert Management

Central Notification Management SAP_FRN_CNM_DISP Central Notification Management Display authorizations

SAP_FRN_CNM_ALL Notification Management - full authorization


Expert Scheduling Management Cockpit SAP_FRN_LDB_OB_DSIP Authorization to display all LMDB Objects

SAP_FRN_SRA_DISP Display Auth. for Appl. Scheduling Aggregation & Replication FWK

SAP_FRN_SRA_ALL All Auth. for Appl. Scheduling Aggregation & Replication FWK

16.5.7 MAI Tools (transaction "mai_tools")

Role Name Short description

SAP_FRN_AAD_MOAL_ALL All authorizations for System Monitoring & Alert Management Administration

SAP_FRN_APP_MOAL_ALL All authorizations for System Monitoring & Alert Management

SAP_FRN_LDB_ALL FOCUSED RUN LMDB Full Access

SAP_FRN_SDA_ALL All Authorizations for SDA Admin application

16.5.8 Customer Network access

Role Name Short description

SAP_FRN_CNW_ACCESS_ADMIN Role to grant access to all FOCUSED RUN Customer Networks as an Admin

SAP_FRN_CNW_ACCESS Role to grant access to FOCUSED RUN Customer Networks


16.5.9 Partner Reporting

Role Name Short description

SAP_FRN_OPR_ALL All authorizations for Partner Reporting


16.6 Role changes for FOCUSED RUN FP 02

16.6.1 Roles created for FP02

Role Name Short description

SAP_FRN_AAD_MOAL_MOC Authorize MO individual Monitoring & Alert Configuration

SAP_FRN_AAD_SUM_ALL All Authorizations for SUM Configuration

SAP_FRN_AAD_SUM_DISP Display authorizations for SUM Configuration

SAP_FRN_AAD_SUM_MAINT Maintenance Authorizations for SUM Configuration

SAP_FRN_APP_AAD_ADM_ALL All authorizations for Application & Admin for Application Adv. Monitoring

SAP_FRN_APP_PAS_DISP Display authorizations for Predictive Analytics

SAP_FRN_APP_SUM_ALL All authorizations for App SUM

SAP_FRN_APP_SYA_WOD All authorizations for App System Analytics, but no user data

SAP_FRN_BTC_AEM Authorizations for AEM specific background processing

SAP_FRN_BTC_SMP Authorizations for SPM specific background processing

SAP_FRN_EXM Role for technical user FRN_EXM_<CID>

SAP_FRN_FLP_CAT_AAD_AVM Access to FOCUSED RUN FLP: Catalogue AVM Admin

SAP_FRN_FLP_CAT_AAD_SUM Access to FOCUSED RUN FLP: Catalogue SUM Application Configuration

SAP_FRN_FLP_CAT_APP_SUM Access to FOCUSED RUN FLP: Catalogue SUM Applications

SAP_FRN_LDB_NOTIF_SSI Authorizations: Execute for SSI Admin application in BTC by FRN_BTC_LDB

SAP_FRN_LDB_OB_DSIP Authorization to display all LMDB Objects

SAP_FRN_SND_SNMP_TRAP Authorizes Sending alerts via SNMP Trap

SAP_FRN_SUM Role for technical user FRN_SUM_<CID>


16.6.2 Roles changed for FP02

SAP_FRN_AAD_AIM_ALL All Authorizations for AIM Administration

SAP_FRN_AAD_AIM_DISP Display Authorizations for AIM Administration

SAP_FRN_AAD_AVM_ALL All authorizations to Administer Application Adv. Monitoring

SAP_FRN_AAD_AVM_DISP Display authorizations to Administer Application Adv. Monitoring

SAP_FRN_AAD_CSA_ALL All Authorization for CSA Administration

SAP_FRN_AAD_CSA_DISP Authorization for CSA Administration: in Display Mode

SAP_FRN_AAD_CSA_MAINT Authorization for CSA Administration: in Maintenance Mode, but not templates

SAP_FRN_AAD_RUM_ALL All Authorizations for RUM Administration

SAP_FRN_AAD_SYA_ALL All authorizations for System Analytics Application Administration

SAP_FRN_AEM_UMD_ALR Authorization to create unmodeled Alerts

SAP_FRN_APP_AEM_ALR_INB_DISP Access to Alert Inbox Display; no Confirm

SAP_FRN_APP_AVM_ALL All authorizations for Application Adv. Monitoring

SAP_FRN_APP_CSA_DISP Authorization for CSA APP in display mode

SAP_FRN_APP_CSA_MAINT Authorization for CSA APP: in Maintenance Mode

SAP_FRN_APP_CSA_PROTECTED Authorization for CSA APP in display mode, but incl. protected results

SAP_FRN_APP_GP_ALL Full access to Guided Procedures Application

SAP_FRN_APP_GP_DISP Display access to Guided Procedures Application

SAP_FRN_APP_GP_EXE Execute access to Guided Procedures Application

SAP_FRN_APP_MOAL_ALL All authorizations for System Monitoring & Alert Management

SAP_FRN_APP_MOAL_DISP Display authorizations for System Monitoring & Alert Management

SAP_FRN_APP_RUM_ALL All authorizations for App RUM

SAP_FRN_APP_SYA_ALL All authorizations for System Analysis Application

SAP_FRN_APP_TA_ALL All Authorizations for APP Trace Analysis

SAP_FRN_APP_TA_DISP Display Authorizations for APP Trace Analysis

SAP_FRN_BTC_CSA Authorizations for CSA specific background processing

SAP_FRN_BTC_GPA Authorizations for GPA specific background processing

SAP_FRN_CNM_ALL Notification Management - full authorization

SAP_FRN_CNM_DISP Central Notification Management Display authorizations

SAP_FRN_FLP_CAT_GPB Access to FOCUSED RUN FLP: Catalogue GP ASM

SAP_FRN_FLP_CAT_GPR Access to FOCUSED RUN FLP: Catalogue GP AEM

SAP_FRN_LDB_ALL FOCUSED RUN LMDB Full Access

SAP_FRN_LDB_DISP FOCUSED RUN LMDB Object Display

SAP_FRN_LDB_MAINT FOCUSED RUN LMDB Object Maintain

SAP_FRN_LICM_ALL Full access to License Management Application

SAP_FRN_SDA_ALL All Authorizations for SDA Admin application

SAP_FRN_SDA_DISP Display authorizations for SDA Admin application

SAP_FRN_SDA_MAINT Maintenance authorizations for SDA Admin application

SAP_FRN_SDAGENT_AIM_MS AIM Authorizations for SDAgent User

SAP_FRN_SDAGENT_GPA_MS GPA Authorizations for SDAgent User

SAP_FRN_SRA_ALL All Auth. for Appl. Scheduling Aggregation & Replication FWK

SAP_FRN_SSI_ALL All Authorizations - Super Admin - for SSI Admin application

SAP_FRN_SSI_APMAINT Authorizations - Application Admin (Expert) - for SSI Admin application

SAP_FRN_SSI_MAINT Authorizations: Execute for SSI Admin application

SAP_FRN_SSI_WSEXEC Access to Execute SSI Web Services

SAP_FRN_UI5_PERS_PUB Authorizations to create public UI5 Custom Pages


To grant full authorization for the authorization objects, you need to maintain these objects as follows:

8. In Role Maintenance, choose the Authorizations tab.

9. Choose the Change button.

10. Maintain all activity values for each authorization object according to your needs. For instance, if you want to grant full authorization, always choose all activities.

11. Generate the profile.

12. To assign this profile to a user, choose the User tab and add your user to the table.

Note: If users are already assigned, also execute the user comparison.

13. Save.

Result: You have now created a role for your specific needs.

This procedure is similar to the maintenance of the new role introduced by FP01, "SAP_FRN_CNW_ACCESS", for network controlled data access. See the short description below:

If LMDB scope is set to LMDB_CN "limited access, authorization object LMDB_CN will be used", this evaluates LMDB_CN object authors.

16.7 Roles with authorization objects to be maintained

The roles listed below contain authorization object fields delivered by SAP with <empty> authorizations. Maintain the field values in your customer roles to grant access to dedicated LMDB namespaces and to grant application authorizations, depending on the dialog user roles.


The table below is for overview purposes. It contains authorization objects and fields to be maintained. Other authorization objects and fields are not listed. You can view and work with the roles in transaction PFCG. Refer to PFCG for available documentation.

The maintenance of the roles for technical users and the most important role for dialog users are described in previous chapters.

| Role Name | Authorization Object | Selective Authorization Field | Comment | Recommended value |
| SAP_FRN_CNW_ACCESS | LMDB_CN | LDB_CUSNET, LDB_CUST, LDB_DC | Customer network attributes to separate access | Custom |
| SAP_FRN_AAD_MOAL_ALL | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | * |
|  | S_BTCH_NAM | BTCUNAME | FOCUSED RUN Batch Users | FOCUSED RUN_BTC* |
|  | S_DEVELOP | OBJNAME, P_GROUP | Display all Objects and Groups as in the defined package | * |
|  | S_SYS_RWBO | DESTSYS, DOMAIN | Customer specific how to transport the templates | Custom |
|  | S_DATASET | FILENAME | Filenames not known | * |
| SAP_FRN_AAD_SYA_ALL | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | * |
|  | S_DATASET | FILENAME | Filenames not known | * |
| SAP_FRN_LICM_ALL | S_DATASET | FILENAME | Filenames not known | * |
| SAP_FRN_APP_GP_DISP | S_DEVELOP | DEVCLASS, OBJNAME, P_GROUP | Customer Specific for LOGO integrated in HTML report | Custom |
| SAP_FRN_APP_GP_EXE | S_DEVELOP | DEVCLASS, OBJNAME, P_GROUP | Customer Specific for LOGO integrated in HTML report | Custom |
| SAP_FRN_APP_GP_ALL | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | * |
|  | S_DATASET | FILENAME | Filenames not known | * |
|  | S_DEVELOP | DEVCLASS, OBJNAME, P_GROUP | Customer Specific for LOGO integrated in HTML report | Custom |


|  | S_DOKU_AUT | DOKU_DEVCL | Customer Specific document class | Custom |
|  | S_SYS_RWBO | DESTSYS, DOMAIN | Customer Specific where to transport GPs | Custom |
|  | S_APPL_LOG | ALG_OBJECT, ALG_SUBOBJ | Various application log objects | * |
|  | SM_SETUP | SCENARIOS, STEPS | Scenarios and Steps not known | * |
| SAP_FRN_AAD_RUM_ALL | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | * |
| SAP_FRN_APP_CSA_DISP | SRSM_CA_AP | CA_AREA | Security Object ready for coming releases to separate access to different CSA functions. With FP2, * is to be set | * |
|  | SRSM_CV_TS | CV_TARDEF, CV_TARUSR | Customer Specific |  |
| SAP_FRN_APP_CSA_MAINT | SRSM_CA_AP | CA_AREA | Security Object ready for coming releases to separate access to different CSA functions. With FP2, * is to be set | * |
|  | SRSM_CV_TS | CV_TARDEF, CV_TARUSR | Target system and user where the CS&A should be effective | * |
| SAP_FRN_APP_CSA_PROTECTED | SRSM_CA_AP | CA_AREA | Security Object ready for coming releases to separate access to different CSA functions. With FP2, * is to be set | * |
|  | SRSM_CV_TS | CV_TARDEF, CV_TARUSR | Target system and user where the CS&A should be effective | * |
| SAP_FRN_LDB_DISP | AI_LMDB_OB | LMDB_NAMES, LMDB_OBJID | LMDB names and Object IDs are random Hashes | * |


|  | AI_LMDB_OB | LMDB_STYPE | Specific limit to access (limit to Systems Types only, for example) | As delivered, unless limited access desired |
|  | AI_LMDB_PS | LMDB_NAMES, PS_NAME | LMDB names are random Hashes | * |
|  | AI_LMDB_TM | LMDB_NAMES | LMDB names are random Hashes | * |
|  | AI_LMDB_TM | LMDB_DOMA | LMDB Domain only LDB is supported | LDB |
| SAP_FRN_SDA_ALL | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | * |
| SAP_FRN_LDB_ALL | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | * |
|  | AI_LMDB_AD | LMDB_NAMES | LMDB names are random Hashes |  |
|  | AI_LMDB_OB | LMDB_NAMES, LMDB_OBJID | LMDB names and Object IDs are random Hashes | * |
|  | AI_LMDB_OB | LMDB_MTYPE, LMDB_STYPE | Depending on functional team roles customer specific | * unless limits desired |
|  | AI_LMDB_PS | LMDB_NAMES, PS_NAME | LMDB names are random Hashes | * |
|  | AI_LMDB_TM | LMDB_DOMA | LMDB Domain only LDB is supported | LDB |
|  | AI_LMDB_TM | LMDB_NAMES | LMDB names are random Hashes | * |
| SAP_FRN_LDB_MAINT | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | * |
|  | AI_LMDB_AD | LMDB_NAMES | LMDB names are random Hashes | * |
|  | AI_LMDB_OB | LMDB_NAMES, LMDB_OBJID | LMDB names and Object IDs are random Hashes | * |


|  | AI_LMDB_OB | LMDB_MTYPE, LMDB_STYPE | Depending on team roles customer specific | * unless limits desired |
|  | AI_LMDB_PS | LMDB_NAMES, PS_NAME | LMDB names are random Hashes | * |
|  | AI_LMDB_TM | LMDB_NAMES | LMDB names are random Hashes | * |
| SAP_FRN_SSI_DISP | S_DATASET | FILENAME | Filenames not known | * |
|  | S_DEVELOP | OBJNAME, OBJTYPE, P_GROUP | <empty> | <empty> |
| SAP_FRN_SSI_MAINT | S_RFC_ADM | ICF_VALUE | Not used by SSI but needs to exist in role | <empty> |
|  | S_RFC_ADM | RFCDEST | Values are the SM59 destinations to external servers (SAPHOSTAGENT) to be created by SSI; the convention is HOSTNAME_NAMESPACE. As such destinations need to be created for all hosts connected to FOCUSED RUN, * is recommended | * |
|  | S_BTCH_JOB | JOBGROUP | Demanded by Job Management |  |
|  | S_DATASET | FILENAME | Filenames not known | * |
|  | S_DEVELOP | DEVCLASS, OBJNAME, OBJTYPE, P_GROUP | <empty> | <empty> |
| SAP_FRN_SSI_APMAINT | S_RFC_ADM | ICF_VALUE | Not used by SSI but needs to exist in role | <empty> |
|  | S_RFC_ADM | RFCDEST | Values are the SM59 destinations to external servers (SAPHOSTAGENT) to be created by SSI; the convention is HOSTNAME_NAMESPACE. As such destinations need to be created for all hosts connected to FOCUSED RUN, * is recommended | * |
|  | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | * |
|  | S_DATASET | FILENAME | Filenames not known | * |
|  | S_DEVELOP | DEVCLASS, OBJNAME, OBJTYPE, P_GROUP | <empty> | <empty> |
| SAP_FRN_SSI_ALL | S_RFC_ADM | ICF_VALUE | Not used by SSI but needs to exist in role | <empty> |
|  | S_RFC_ADM | RFCDEST | Values are the SM59 destinations to external servers (SAPHOSTAGENT) to be created by SSI; the convention is HOSTNAME_NAMESPACE. As such destinations need to be created for all hosts connected to FOCUSED RUN, * is recommended | * |
|  | S_BTCH_JOB | JOBGROUP | Demanded by Job Management | * |
|  | S_DATASET | FILENAME | Filenames not known | * |
|  | S_DEVELOP | DEVCLASS, OBJNAME, OBJTYPE, P_GROUP | <empty> | <empty> |
|  | AI_LMDB_OB | LMDB_NAMES, LMDB_OBJID | LMDB names and Object IDs are random hashes | * |
|  | AI_LMDB_OB | LMDB_STYPE | Customer specific |  |


| SAP_FRN_CNM_DISP | S_RFC_ADM | ICF_VALUE | Depends on customer 'SCOT' settings | * |
|  | S_RFC_ADM | RFCDEST | Depends on customer 'SCOT' settings | * |
|  | S_LDAP | LDAP_SERV | external LMDB if used | <empty> or customer specific |
|  | S_USER_GRP | CLASS | In case User IDs from SU01 should be utilized to create notification groups | * or IDs of users for notification from SU01 |
|  | SM_CNM_AUT | CNM_APPACT | Only possible value with FP2 I WMM | WMM |
| SAP_FRN_CNM_ALL | S_RFC_ADM | ICF_VALUE, RFCDEST | Depends on customer 'SCOT' settings | * |
|  | S_LDAP | LDAP_SERV | external LMDB if used | <empty> or customer specific |
|  | S_USER_GRP | CLASS | In case User IDs from SU01 should be utilized to create notification groups | * or IDs of users for notification from SU01 |
|  | SM_CNM_AUT | CNM_APPACT | Only possible value with FP2 I WMM | WMM |
| SAP_FRN_TECH_MON_TOOL | S_DEVELOP | DEVCLASS, OBJNAME, OBJTYPE, P_GROUP | Dev Support role | * |
|  | S_DATASET | FILENAME, PROGRAM | Dev Support role | * |
|  | S_PROGRAM | P_GROUP | Dev Support role | * |
|  | S_TRANSLAT | TLANGUAGE | Dev Support role | EN, DE |
|  | S_APPL_LOG | ALG_OBJECT, ALG_SUBOBJ | Dev Support role | * |
| SAP_FRN_OPR_ALL | S_DATASET | FILENAME | Filenames not known | * |


www.sap.com/contactsap

© 2018 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any

form or for any purpose without the express permission of SAP SE

or an SAP affiliate company

SAP and other SAP products and services mentioned herein as well

as their respective logos are trademarks or registered trademarks of

SAP SE (or an SAP affiliate company) in Germany and other

countries. All other product and service names mentioned are the

trademarks of their respective companies. Please see

www.sap.com/corporate-en/legal/copyright/index.epx#trademark

for additional trademark information and notices.

