Required Authorizations for Solution Manager RFC and Adminstrative Users
Solution Manager utilizes 3 RFC and a few Admin users to connect to managed system that. These RFC’s and admin users allow Solution Manager to perform a number of different applications including Technical Monitoring, Root Cause Analysis, and,ChaRm, just to name a few. To ensure all of these Solution Manager applications function properly it is important that the users that are used by the RFC and the Admin users have the correct and up to data authorizations.This blog is designed to provide instruction on all the details required to keep them up to date and the exact roles required by the users.
The First step is to update Solution Tools ST-PI and ST-A/PI in all the ABAP managed systems. The latest patches will update the following security roles used by the Admin users listed below.
- SM_ADMIN_<SID of SOLMAN>
- SMDAGENT_<SID of SOLMAN>
The second step is to update the Security roles used by the RFC’s users. The RFC roles listed below are only updated in 2 ways. From updating the Component ST in Solution Manager or by manually uploading from either Note listed below, depending on the Support Pack of Solution Manager. To ensure you have the latest version of the roles, you will want to update manually from the 2 notes below.
NOTE — If a Super user is provided with the security access to create a user, create a role, Generate a profile and complete a user comparison on a role. All of the work below can be completed automatically by Solution Manager. Unless Production is set to not allow the direct creation of Roles. In that case the RFC roles must be uploaded and transported to Prod Manually.
Note — If Solution Manager is used to upload the RFC Roles. Update the Roles from the notes listed above into Solution Manager. This will ensure the managed systems receive the latest roles and that Solution Manager functions properly.
When manually updating the security roles for the RFC users the following steps will be required.
- Download the roles attached to either note 1830640 or 1572183
- Copy relevant SAP roles into the customer namespace
- Transport the roles through to all environments
- Create the users listed below in the primary client of each system.
- Securely transmit the credentials of all users listed below to the Solution Manager Administrator to complete Managed System Configuration.
READ RFC ABAP User (SYSTEM Account):
- SM_<SOLMAN SID> — – created in all ABAP systems including Solution Manager (it monitors itself) (e.g., SM_SMD)
- Customer version of SAP_SOLMAN_READ
- Customer version of SAP_SOLMAN_READ_702
- Customer version of SAP_SOLMAN_READ_702_ADD
TMW RFC ABAP User (SYSTEM Account):
- SMTM<SOLMAN SID> –created in all ABAP systems including Solution Manager (it monitors itself). (e.g., SMTMSMD)
- Customer version of SAP_SOLMAN_TMW
- Customer version of SAP_SOLMAN_TMW_702
Create a user for each managed ABAP system within Solution Manager (SYSTEM Account):
Back RFC User:
- SMB_<SID of each managed system> — Create in Solution Manager only One user for each system. Examples – (e.g., SMB_SMD, SMB_ECD)
- Customer version of SAP_SOLMAN_BACK
Create and Assign roles for the following required Admin users (Not Specified in the Note):
ADMIN ABAP User (SYSTEM Account):
- SM_ADMIN_<SOLMAN SID> — created in all ABAP systems including Solution Manager (it monitors itself) (e.g., SM_ADMIN_SMD)
- Customer version of SAP_SM_USER_ADMIN
- Customer version of SAP_RCA_CONF_ADMIN
Diagnostic Agent ABAP User (SYSTEM Account):
- SMDAGENT_<SOLMAN SID> — created in all ABAP systems including Solution Manager (it monitors itself) (e.g., SMDAGENT_SMD)
- Customer version of SAP_IS_MONITOR
Within all JAVA stacks, the following note must but be followed. Please assign the newly created Full Access SPML role to the following Java Admin Users. The Admin users below are used by solution manager to collect data on a JAVA managed systems.
- Solution Manager JAVA User – J2EE_ADMIN
- All Managed JAVA Systems — ADMINISTRATOR
Diagnostic JAVA User needed (SYSTEM Account) :
- SM_COLL_<SOLMAN SID> — Created All JAVA systems Including Solution Manager (e.g., SM_COLL_SMD)
Required Roles for all systems:
Additional Roles for PI system
Additional Roles for Solution Manager
Finally, the SAPSUPPORT user must the following roles in all Systems:
All ABAP Systems:
- Customer version of SAP_RCA_SAT_DISP
All JAVA Systems:
Required Roles for all systems:
- Customer version of NWA_JAVA_SUPPORT
- Customer version of SAP_JAVA_NWADMIN_CENTRAL_READONLY
Additional Roles for PI system Only: