====== User authorizations ====== ===== OS Level application ===== * The **root** access will be required **only for the installation** * A dedicated user and group (**promonitor:promonitor**) will be created during the installation * The Redpeaks application is running with this user ===== Network authorization ====== * Network routes must be open between Redpeaks server and all nodes of the monitored SAP systems. * The all ports needed are listed on [[.:prerequisites:|prerequisites]] ===== NetWeaver - ABAP ===== * Redpeaks uses a **Communications data** user associated with the [[https://agentil.box.com/s/7wg9iazwq6839joo6i3y5dp53p1ha3bq|provided authorization profile]]\\ * In most cases, user can be created in client 000. * Sometimes access to target client must be necessary as well. * Extract from PFCG transaction of authorization profile : ^ OBJECT ^ FIELD ^ LOW ^ ACCESS REASON ^ | S_ADMI_FCD | S_ADMI_FCD | ST0R | Read uptime with Function Module | | S_BTCH_ADM | BTCADMIN | * | Get background job status | | S_DATASET | ACTVT | 33,A6 | Read lock entries | | S_DBCON | ACTVT | 03 | DBA Job & backup status | | S_RFC | ACTVT | 16 | RFC connection | | S_RFC | RFC_NAME | /BDL/BDL11 | RFC destination check | | S_RFC | RFC_NAME | /BDL/BDL3 | RFC destination check | | S_RFC | RFC_NAME | CTS_WB0_DIS | Read RZ20 | | S_RFC | RFC_NAME | EDI1 | EDI: Processing of one IDoc | | S_RFC | RFC_TYPE | FUGR | Read RZ20 | | S_RFC | RFC_NAME | GET_DB16_INFO | Get Oracle DB info (DBA jobs) | | S_RFC | RFC_NAME | IRFC | TRFC_QINS_OVERVIEW | | S_RFC | RFC_NAME | ORFC | TRFC_QOUT_OVERVIEW | | S_RFC | RFC_NAME | RFC1 | Read rz20 | | S_RFC | RFC_NAME | RSPC_API | Process chains BI | | S_RFC | RFC_NAME | RSPC_BACKEND | Process chains BI | | S_RFC | RFC_NAME | SADV | Get Oracle DB info (DBA jobs) | | S_RFC | RFC_NAME | SALC | Read RZ20, cluster environment | | S_RFC | RFC_NAME | SALX | Read RZ20 | | S_RFC | RFC_NAME | SCA5 | DAY_ATTRIBUTES_GET (get working days) | | S_RFC | RFC_NAME | SCSM_COLLECTOR | SWNC_COLLECTOR_GET_AGGREGATES | | | | | DIA response time | | S_RFC | RFC_NAME | SDB6DIAG | For DB2 | | S_RFC | RFC_NAME | SDBADIAG | For Oracle | | S_RFC | RFC_NAME | SDDO | DD_DOMA_GET call to get RFC dest | | S_RFC | RFC_NAME | SDIF | Read RZ20 (previous SAP version) | | S_RFC | RFC_NAME | SDIFRUNTIME | Read RZ20 | | S_RFC | RFC_NAME | SENT | Reports generation | | S_RFC | RFC_NAME | SFMSS_CONFIG | Backend: DB Configuration functions | | S_RFC | RFC_NAME | SFMSS_DBUTIL | MSSQL DB size info | | S_RFC | RFC_NAME | SFMSS_JOBS | MSS_GET_BACKUP_HIST | | S_RFC | RFC_NAME | SLC4 | Read RZ20 | | S_RFC | RFC_NAME | SLO2_ALV | Reports generation | | S_RFC | RFC_NAME | SMSSDATA | Reports generation | | S_RFC | RFC_NAME | SRFC | Read rz20, secure RFC | | S_RFC | RFC_NAME | STD1 | Reports generation on ECC 6 | | S_RFC | RFC_NAME | STD4 | Reports generation on ECC 6 | | S_RFC | RFC_NAME | STOR | Break Down Objects: R3TR Objects | | S_RFC | RFC_NAME | STUB | Read uptime with Function Module | | S_RFC | RFC_NAME | SXMB | Read rz20 | | S_RFC | RFC_NAME | SXMI | Read rz20 | | S_RFC | RFC_NAME | SYST | Read rz20 | | S_RFC | RFC_NAME | SDTX | For RFC_READ_TABLE | | S_RFC | RFC_NAME | SPIAGENTALE | Agents in ALE/IDoc | | S_RFC | RFC_NAME | SXBP | Job status | | S_RFC | RFC_NAME | SYSU | RFC resource administration | | S_RFC | RFC_NAME | THFB | Task handler functions | | S_RFC | RFC_NAME | TMW_CLIENT_INTERFACES | Remote Interfaces for CM Server | | S_RFC | RFC_NAME | TMW_CHANGEABILITY | System Modifiability Control | | S_RFC | RFC_NAME | ZAGLMON | AGENTIL function call | | S_RFC | RFC_NAME | /SDF/RI_ORACLE | /SDF/GET_DB12_INFO | | S_XMI_PROD | EXTCOMPANY | AGENTIL | RFC connection | | S_XMI_PROD | EXTPRODUCT | SAME | RFC connection | | S_XMI_PROD | INTERFACE | XAL | RFC connection | | S_XMI_PROD | INTERFACE | XMB | RFC connection | | S_RFC | RFC_NAME | SCSM_GLOB_SYSTEM | SWNC_GET_WORKLOAD_SNAPSHOT function | | ZSAME_RTBL | ACTVT | 16 | AGENTIL function | | ZSAME_RTBL | OBJNAME | SAMEFUNC | AGENTIL function | | ZSAME_RTBL | TABLE | EDIDC TBTCO | AGENTIL function | | ZSAME_RTBL | TABLE | TEDS3 | AGENTIL function | | S_RFC | RFC_NAME | /SDF/IS_ABAP | Update service | | S_RFC | RFC_NAME | INSTALL | Execute function INST_EXECUTE_REPORT | | S_RFC | RFC_NAME | STUN | Locks on DB objects | | S_RFC | RFC_NAME | TMW_TRACKING | Transports | | S_RFC | RFC_NAME | STPA | Transports | | S_RFC | RFC_NAME | SUNI | Execute function FUNCTION_EXISTS | | S_PROGRAM | P_ACTION | SUBMIT | Reports RSM13001, RSRFCPIN | | S_RFC_ADM | ACTVT | Ext. maint. | For RFC destinations | | S_GUI | ACTVT | 61(Export) | Syslog | | S_ADMI_FCD | S_ADMI_FCD | SM21 | Syslog | | S_RFC | RFC_NAME | RSLG | Syslog ALV style | | S_RFC | RFC_NAME | SCSM_MTES_GET | Load CCMSTreeElements (defined tables) | | S_ADMI_FCD | S_ADMI_FCD | SP01 | Spool data (RSTS0014 ...) | | ZSAME_RTBL | TABLE | TSP01,TSP02 | Tables for spools | | ZSAME_RTBL | TABLE | NRIV | Table for range numbers | | S_CTS_ADMI | CTS_ADMFCT | TABL | Transport monitor | | S_CTS_SADM | CTS_ADMFCT | TABL | Transport monitor | | S_CTS_SADM | DESTSYS | * | Transport monitor | | S_CTS_SADM | DOMAIN | * | Transport monitor | | S_TOOLS_EX | AUTH | S_TOOLS_EX_A | SAP Transaction time monitor | | S_ALV_LAYO | ACTVT | 23 (Maintain) | Reports monitor | | S_RFC | RFC_NAME | SFMSS_SIZE | Execute function MSS_GET_DBSZHIST | | S_RFC | RFC_NAME | SXMB_MONI | Execute SXMB_GET_MESSAGE_LIST | | S_XMB_AUTH | ACTVT | 03 | XI | | S_XMB_MONI | ACTVT | 03 | XI Message | | S_RFC | RFC_NAME | /SDF/CCMS_TOOLS | Get system timezone | | S_ADMI_FCD | S_ADMI_FCD | AUDD | V6.3 SEC, execute RSAU_SELECT_EVENTS | | S_USER_GRP | ACTVT | 03, 08 | V6.3 SEC, needed for report RSUVM015 | | S_RFC | RFC_NAME | SFMSS_PERF | V6.3 Get MSSQL performance statistics | | S_RFC | RFC_NAME | SADE | MAXDB backups | | S_TCODE | TCD | SM04 | SM04 SAP user memory utilization | | S_RFC | RFC_NAME | SUGU | Read installed components | | S_RFC | RFC_NAME | RFC_METADATA | XAL Logon | | S_RFC | RFC_NAME | SYSE | Get Logon group | | S_RFC | RFC_NAME | THFB2 | Get Logon group | | S_RFC | RFC_NAME | /SDF/CCMS_GET_TIME_INFO | System timezone | | S_RFC | RFC_NAME | /SDF/GET_DB12_INFO | Oracle | | S_RFC | RFC_NAME | /SDW/EWA_GET_HARDWARE_INFO | System info | | S_RFC | RFC_NAME | /SDF/SYB_DB_OPTIONS | Sybase | | S_RFC | RFC_NAME | /SDF/SYB_SPACE_UTIL_DB | Sybase | | S_RFC | RFC_NAME | /SDF/SYB_TRANS_BACKUP | Sybase | | S_RFC | RFC_NAME | BAPI_SYSTEM_MON_GETTREE | CCMS Mte | | S_RFC | RFC_NAME | BAPI_SYSTEM_MTE_GETGENPROP | CCMS Mte | | S_RFC | RFC_NAME | BAPI_SYSTEM_MTE_GETPERFCURVAL | CCMS Mte | | S_RFC | RFC_NAME | BAPI_SYSTEM_MTE_GETTXTPROP | CCMS Mte | | S_RFC | RFC_NAME | BAPI_XBP_JOB_JOBLOG_READ | SAP jobs | | S_RFC | RFC_NAME | BAPI_XBP_JOB_SELECT | SAP jobs | | S_RFC | RFC_NAME | BAPI_XMI_LOGON | XMI LOGON | | S_RFC | RFC_NAME | DB_ORA_INSTANCE_INFO | ORACLE | | S_RFC | RFC_NAME | DB02_ORA_FILL_TS | ORACLE | | S_RFC | RFC_NAME | DB6_DIAG_DDIC_CONSISTENCY | DB2 | | S_RFC | RFC_NAME | DB6_PM_BACKUPHISTORY | DB2 | | S_RFC | RFC_NAME | DB6_PM_DBCONFIG | DB2 | | S_RFC | RFC_NAME | DB6_PM_DBSNAP | DB2 | | S_RFC | RFC_NAME | DB6_PM_DBSTOR | DB2 | | S_RFC | RFC_NAME | DB6_PM_TABSPACECONFIG | DB2 | | S_RFC | RFC_NAME | DELIVERY_GET_INSTALLED_COMPS | INSTALLED COMPONENTS | | S_RFC | RFC_NAME | FUNCTION_EXISTS | FUNCTION CHECK | | S_RFC | RFC_NAME | GET_BACKUP_HISTORY_SDB | MSSQL | | S_RFC | RFC_NAME | GET_DBDATA_MSS | MSSQL | | S_RFC | RFC_NAME | ICM_GET_INFO2 | ICM | | S_RFC | RFC_NAME | INST_EXECUTE_REPORT | REPORTS | | S_RFC | RFC_NAME | MSS_GET_BACKUP_HIST | MSSQL | | S_RFC | RFC_NAME | MSS_GET_DB_SIZE_INFO | MSSQL | | S_RFC | RFC_NAME | OCS_CRM | | | S_RFC | RFC_NAME | OCS_GET_INSTALLED_COMPS | INSTALLED COMPONENTS | | S_RFC | RFC_NAME | OCS_GET_INSTALLED_SWPRODUCTS | INSTALLED SW | | S_RFC | RFC_NAME | RFC_GET_FUNCTION_INTERFACE | | | S_RFC | RFC_NAME | RFC_METADATA_GET | System info | | S_RFC | RFC_NAME | RFC_READ_TABLE | Table | | S_RFC | RFC_NAME | RFC_SYSTEM_INFO | System info | | S_RFC | RFC_NAME | RFCPING | ABAP check | | S_RFC | RFC_NAME | RSPC_API_CHAIN_GET_RUNS | Process chains | | S_RFC | RFC_NAME | S_DB_EXCLUSIVE_LOCK_WAITERS | LOCKS | | S_RFC | RFC_NAME | S_PSE_ADM | Get ABAP certificates | | S_RFC | RFC_NAME | S_RZL_ADM | Get ABAP parameters | | S_RFC | RFC_NAME | SAPTUNE_GET_SUMMARY_STATISTIC | Response times | | S_RFC | RFC_NAME | SAPTUNE_SYSTEM_STARTUP | Response times | | S_RFC | RFC_NAME | SL_RFC_TMS_CFG_READ_CONFIG | Landscape domain | | S_RFC | RFC_NAME | SWNC_GET_WORKLOAD_SNAPSHOT | Response times | | S_RFC | RFC_NAME | SXMB_GET_MESSAGE_LIST | PIXI messages | | S_RFC | RFC_NAME | SXMI_LOGON | SXMI logon | | S_RFC | RFC_NAME | SXMI_XMB_APPSERV_LIST_READ | ABAP application server | | S_RFC | RFC_NAME | SXMI_XMB_SYSLOG_READ | System logs | | S_RFC | RFC_NAME | SXMI_XMB_WP_LIST_READ | Work processes | | S_RFC | RFC_NAME | SYSTEM_GET_LOGON_GROUP_INFO | Logon group | | S_RFC | RFC_NAME | SYSTEM_RESET_RFC_SERVER | ABAP connection | | S_RFC | RFC_NAME | TH_REQUEST_QUEUE | Dispatcher queues | | S_RFC | RFC_NAME | TH_SAPREL2 | SAP release | | S_RFC | RFC_NAME | TMW_GET_SAP_CLIENTS | ABAP client config | | S_RFC | RFC_NAME | TMW_GET_SYSTEM_CHANGEABILITY | ABAP system change cfg | | S_RFC | RFC_NAME | TRFC_QIN_OVERVIEW | INBOUND TRFC | | S_RFC | RFC_NAME | TRFC_QOUT_OVERVIEW | OUTBOUND TRFC | | S_PSE_ADM | ACTVT | 03 | Get ABAP certificates | | S_PSE_ADM | PSEAPPLIC | | Get ABAP certificates | | S_PSE_ADM | PSECONTEXT | | Get ABAP certificates | | S_PSE_ADM | PSECONTEXT | PROG | Get ABAP certificates | | S_PSE_ADM | PSECONTEXT | SMIM | Get ABAP certificates | | S_PSE_ADM | PSECONTEXT | SSFA | Get ABAP certificates | | S_PSE_ADM | PSECONTEXT | SSLC | Get ABAP certificates | | S_PSE_ADM | PSECONTEXT | SSLS | Get ABAP certificates | | S_PSE_ADM | PSECONTEXT | WSS | Get ABAP certificates | | S_RFC | RFC_TYPE | FUGR | | | S_RFC | RFC_TYPE | FUNC | | | S_RFC | RFC_TYPE | FUGR FUNC | | | S_RZL_ADM | | | | | S_RZL_ADM | ACTVT | 03 | | | S_SDCC | | | | | S_SDCC | SDCC_DEV | READ | | | S_SDCC | SDCC_RUN | READ | | | S_SDCC_ADD | | | | | S_SDCC_ADD | SDCC_DEV_N | READ | | | S_SDCC_ADD | SDCC_RUN_N | READ | | | S_TABU_NAM | | | | | S_TABU_NAM | ACTVT | 03 | | | S_TABU_NAM | TABLE | ADR6 | User memory | | S_TABU_NAM | TABLE | APQL | Batch inputs | | S_TABU_NAM | TABLE | ARFCRSTATE | TRFC | | S_TABU_NAM | TABLE | ARFCSSTATE | TRFC | | S_TABU_NAM | TABLE | BALHDR | Application logs | | S_TABU_NAM | TABLE | BALOBJT | Application logs | | S_TABU_NAM | TABLE | BALSUBT | Application logs | | S_TABU_NAM | TABLE | EDIDC | IDOC | | S_TABU_NAM | TABLE | NRIV | Number ranges | | S_TABU_NAM | TABLE | RSCRT_RDA_ERROR | Abap real time | | S_TABU_NAM | TABLE | RSCRT_RDA_REQ | Abap real time | | S_TABU_NAM | TABLE | SNAP | Dumps | | S_TABU_NAM | TABLE | SOST | SAP connect | | S_TABU_NAM | TABLE | TBTCO | SAP jobs | | S_TABU_NAM | TABLE | TEDS3 | IDOC | | S_TABU_NAM | TABLE | TPALOG | Transports | | S_TABU_NAM | TABLE | TSP02 | Spools | | S_TABU_NAM | TABLE | TSP03L | Spools | | S_TABU_NAM | TABLE | USR21 | Instance memory | | S_TABU_NAM | TABLE | VBERROR | QRFC | | S_TABU_NAM | TABLE | VBHDR | QRFC | | S_TCODE | TCD | RZ11 | Parameters | | S_TCODE | TCD | SM51 | App server | ===== NetWeaver - SAPControl ===== * Redpeaks uses SAPControl web services to collect information on the system. * The access to these services can be either without authentication or **controlled by using an OS user similar than [SID]adm**, see [[https://launchpad.support.sap.com/#/notes/ 927637|Note 927637]] * Look for the section describing the use of **service/protectedwebmethods**, make sure to allow the access of all **Getter/Reader** services * Methods list : * **Mandatory:** * //GetVersionInfo// * //GetAlertTree// * //GetAlerts// * //J2EEGetComponentList// * //J2EEGetProcessList// * //GetProcessList// * //GetSystemInstanceList// * **Optional:** * //GetEnvironment// * //GetQueueStatistic// * //GetInstanceProperties// * //ListDeveloperTraces// * //ListLogFiles// * //ABAPReadSyslog// * //ABAPReadRawSyslog// * //ABAPGetWPTable// * //J2EEGetThreadList// * //J2EEGetSessionList// * //J2EEGetCacheStatistic// * //J2EEGetApplicationAliasList// * //J2EEGetVMGCHistory// * //J2EEGetVMHeapInfo// * //ReadDeveloperTrace// * //GetStartProfile// * //GetTraceFile// ===== HANA ===== * Redpeaks uses JDBC connexion to connect to HANA database * The user need to be associated with **MONITORING role** ===== BusinessObjects ===== * User access to CMS repository and CMC portal ===== Oracle ===== * Redpeaks uses JDBC connexion to connect to Oracle database * GRANT CREATE SESSION TO YOUR_USER; * Read access to below tables must be granted * ALL_ERRORS * ALL_OBJECTS * DBA_DATA_FILES * DBA_FREE_SPACE * DBA_TABLESPACE_USAGE_METRICS * DBA_TABLESPACES * V$RMAN_BACKUP * V$RMAN_BACKUP_JOB_DETAILS * V$FILESTAT * v$sysstat * V$LIBRARYCACHE * V$RESOURCE_LIMIT * V$LOG_HISTORY ===== MSSQL ===== * Redpeaks uses JDBC connexion to connect to Oracle database * Read access to below tables must be granted * msdb.dbo.backupset * sys.master_files * sys.database_files * sys.dm_os_performance_counters * sys.configurations * sys.dm_os_volume_stats * sys.dm_io_virtual_file_stats ===== Max DB ===== * Redpeaks uses JDBC connexion to connect to Max DB database * Read access to below tables must be granted * SYSDBA.MONITOR_LOCK * SYSINFO.DATAVOLUMES * SYSINFO.DATASTATISTICS * SYSINFO.LOGSTATISTICS * SYSINFO.CACHESTATISTICS * SYSINFO.INSTANCE ===== Sybase ===== * Redpeaks uses JDBC connexion to connect to Max DB database * Read access to below tables must be granted * master..sysusages * master.dbo.monThread * master.dbo.monDeadLock * master.dbo.monErrorLog * master..sysdatabases * master..monDeviceSpaceUsage * Stored procedures access: * sp_dump_history * With granular permissions **enabled**, you must be a user with **manage dump configuration** privilege * With granular permissions **disabled**, you must be a user with **sa_role** or **oper_role** * sp_spaceusage * Any user can execute sp_spaceusage to view space usage. However, you may not be able to view certain information about tables that you do not have permissions to view. * sp_helpdb * Any user can execute sp_helpdb