Required Authorizations for Solution Manager RFC and Adminstrative Users

Solution Manager utilizes 3 RFC and a few Admin users to connect to managed system that. These RFC’s and admin users allow Solution Manager to perform a number of different applications including Technical Monitoring, Root Cause Analysis, and,ChaRm, just to name a few. To ensure all of these Solution Manager applications function properly it is important that the users that are used by the RFC and the Admin users have the correct and up to data authorizations.This blog is designed to provide instruction on all the details required to keep them up to date and the exact roles required by the users.

The First step is to update Solution Tools ST-PI and ST-A/PI in all the ABAP managed systems. The latest patches will update the following security roles used by the Admin users listed below.

1. SM_ADMIN_<SID of SOLMAN>
   1. SAP_SM_USER_ADMIN
   2. SAP_RCA_CONF_ADMIN
2. SMDAGENT_<SID of SOLMAN>
   1. SAP_IS_MONITOR
3. SAPSUPPORT
   1. SAP_RCA_SAT_DISP

The second step is to update the Security roles used by the RFC’s users. The RFC roles listed below are only updated in 2 ways. From updating the Component ST in Solution Manager or by manually uploading from either Note listed below, depending on the Support Pack of Solution Manager. To ensure you have the latest version of the roles, you will want to update manually from the 2 notes below.

1830640 – Authorizations for SAP Solution Manager RFC users as of SP09

1. SAP_SOLMAN_READ
2. SAP_SOLMAN_READ_702          
3. SAP_SOLMAN_READ_702_ADD
4. SAP_SOLMAN_TMW
5. SAP_SOLMAN_TMW_702
6. SAP_SOLMAN_READ
7. SAP_SOLMAN_READ_620
8. SAP_SOLMAN_READ_70         
9. SAP_SOLMAN_READ_70_ADD
10. SAP_SOLMAN_TMW
11. Z_SOLMAN_BACK

  1572183 – Authorizations for SAP Solution Manager RFC users  Up to SP08

1. SAP_SOLMAN_READ
2. SAP_SOLMAN_READ_620
3. SAP_SOLMAN_READ_70         
4. SAP_SOLMAN_READ_70_ADD
5. SAP_SOLMAN_TMW
6.   Z_SOLMAN_BACK

NOTE — If a Super user is provided with the security access to create a user, create a role, Generate a profile and complete a user comparison on a role. All of the work below can be completed automatically by Solution Manager. Unless Production is set to not allow the direct creation of Roles. In that case the RFC roles must be uploaded and transported to Prod Manually.

Note — If Solution Manager is used to upload the RFC Roles. Update the Roles from the notes listed above into Solution Manager. This will ensure the managed systems receive the latest roles and that Solution Manager functions properly.

When manually updating the security roles for the RFC users the following steps will be required.

1. Download the roles attached to either note 1830640 or 1572183
2. Copy relevant SAP roles into the customer namespace
3. Transport the roles through to all environments
4. Create the users listed below in the primary client of each system.
5. Securely transmit the credentials of all users listed below to the Solution Manager Administrator to complete Managed System Configuration.

READ RFC ABAP User  (SYSTEM Account):

• SM_<SOLMAN SID>  — – created in all ABAP systems including Solution Manager (it monitors itself) (e.g., SM_SMD)

Assigned Roles:

• Customer version of SAP_SOLMAN_READ
• Customer version of SAP_SOLMAN_READ_702
• Customer version of SAP_SOLMAN_READ_702_ADD

  TMW RFC ABAP User (SYSTEM Account):

• SMTM<SOLMAN SID> –created in all ABAP systems including Solution Manager (it monitors itself). (e.g., SMTMSMD)

Assigned Roles:

• Customer version of SAP_SOLMAN_TMW
• Customer version of SAP_SOLMAN_TMW_702

Create a user for each managed ABAP system within Solution Manager (SYSTEM Account):

Back RFC User:

• SMB_<SID of each managed system> — Create in  Solution Manager only  One user for each system. Examples – (e.g., SMB_SMD,  SMB_ECD)

Assigned Roles:

• Customer version of SAP_SOLMAN_BACK

Create and Assign roles for the following required Admin users (Not Specified in the Note):

ADMIN ABAP User (SYSTEM Account):

• SM_ADMIN_<SOLMAN SID>   — created in all ABAP systems including Solution Manager (it monitors itself) (e.g., SM_ADMIN_SMD)

Assigned Roles:

• Customer version of SAP_SM_USER_ADMIN
• Customer version of SAP_RCA_CONF_ADMIN

Diagnostic Agent ABAP User (SYSTEM Account):

• SMDAGENT_<SOLMAN SID>    — created in all ABAP systems including Solution Manager (it monitors itself) (e.g., SMDAGENT_SMD)

Assigned Roles:

• Customer version of SAP_IS_MONITOR

Within all JAVA stacks, the following note must but be followed. Please assign the newly created Full Access SPML role to the following Java Admin Users. The Admin users below are used by solution manager to collect data on a JAVA managed systems.

1647157 – How to Set up Access to the SPML Service on AS Java

• Solution Manager JAVA User – J2EE_ADMIN
• All Managed JAVA Systems — ADMINISTRATOR

Diagnostic JAVA User needed (SYSTEM Account) :

• SM_COLL_<SOLMAN SID> — Created All JAVA systems Including Solution Manager (e.g., SM_COLL_SMD)

Required Roles for all systems:

• Administrator
• NWA_SUPERADMIN
• SAP_JAVA_NWADMIN_CENTRAL
• SAP_JAVA_NWADMIN_LOCAL
• SAP_JAVA_WSNAVIGATOR

Additional Roles for PI system

• SAP_XI_ADMINISTRATOR_J2EE
• SAP_XI_API_DISPLAY_J2EE
• SAP_XI_APPL_SERV_USER
• SAP_XI_RWB_SERV_USER
• SAP_XI_RWB_SERV_USER_MAIN
• SAP_XI_ALERTCONF_DISPLAY_J2EE               
• SAP_XI_ALERTCONFIG_DISPLAY_J2EE
• SAP_XI_ALERTCONFIGURATOR_DISPLAY_J2EE
• SAP_XI_ALERTCONFIGURATOR_J2EE
• SAP_XI_ALERT_CONSUMER

Additional Roles for Solution Manager

• SAP_BPM_SolutionManager
• SAP_J2EE_ADMIN
• SAP_SLD_CONFIGURATOR
• SAP_XI_RWB_SERV_USER
• administrators

Finally, the SAPSUPPORT user must the following roles in all Systems:

All ABAP Systems:

• Customer version of SAP_RCA_SAT_DISP

All JAVA Systems:

Required Roles for all systems:

• Customer version of NWA_JAVA_SUPPORT
• Customer version of SAP_JAVA_NWADMIN_CENTRAL_READONLY

Additional Roles for PI system Only:

• SAP_SLD_GUEST_J2EE
• SAP_XI_API_DISPLAY_J2EE
• SAP_XI_DISPLAY_USER_J2EE
• SAP_XI_MONITOR_J2EE