User Authorization and Client Authentication

This topic describes the user authorization and client authentication information for each of the interfaces described in Technical System Landscape: Security-Relevant Interfaces.

Interface 1: Users Accessing the Solution Manager Diagnostics Using a Web Browser

This is an interface where individual users can access the system.

The main task of Solution Manager Diagnostics users is to access technical information (for example, performance data, configuration data) provided by the monitored systems.

Users of the Solution Manager Diagnostics have to be created in the User Management Engine (UME) of the SAP J2EE Engine manually. The roles SAPSUPPPORT (necessary for the Component Analyzer) and INTROSCOPE (necessary for the Wily Introscope Server) have to be created in the UME as well. They do not need to have any content. Solution Manager Diagnostics users have to be added to these roles.

Because users log on using a Web browser, they do not have to be located in the network where the Solution Manager Diagnostics system resides.

To log in within the SAP Support infrastructure, the remote connection type ‘HTTP Connect URL Access’ has to be configured. The remote connection can be opened by the customer only.

Interface 2: Users Accessing the SAP Web AS ABAP

This is an interface where individual users can access the system.

From the Solution Manager Diagnostics, it is possible to call ABAP transactions for monitoring (for example, OS07 or RZ20) within the ABAP stack of the Solution Manager Diagnostics. For this access, a manual logon has to be performed and a user/password has to be provided to the end user.

The user needed to log on can be located in any client and needs a role with the following authorization objects/authorizations:

Authorization    Fields with Field Values

S_ADMI_FCD       ACTVT: ST0R

S_RZL_ADM        ACTVT: 01, 03

S_RFC            RFC_TYPE: FUGR
                 RFC_NAME: RFC1, SYST
                 ACTVT: 16

S_TCODE          TCD: DB59, DB6COCKPIT, ST04M, ST04_MSS, OS07, RZ20, ST03G
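
The table above is a least-privilege baseline for the logon user. The following Python script is an added example, not part of the original SAP documentation: it compares a role with that baseline and reports missing, excess and wildcard authorizations. The (object, field, value) export layout, the function name audit_role and the sample role are assumptions constructed for illustration.

```python
# Baseline copied from the authorization table on this page.
BASELINE = {
    ("S_ADMI_FCD", "ACTVT"): {"ST0R"},
    ("S_RZL_ADM", "ACTVT"): {"01", "03"},
    ("S_RFC", "RFC_TYPE"): {"FUGR"},
    ("S_RFC", "RFC_NAME"): {"RFC1", "SYST"},
    ("S_RFC", "ACTVT"): {"16"},
    ("S_TCODE", "TCD"): {"DB59", "DB6COCKPIT", "ST04M", "ST04_MSS",
                         "OS07", "RZ20", "ST03G"},
}


def audit_role(entries):
    """Compare role entries (object, field, value) with BASELINE.

    Returns a dict of sorted (object, field, value) lists:
    'missing'  - listed on the page but absent from the role
    'excess'   - granted by the role but not listed on the page
    'wildcard' - granted values containing '*', i.e. open-ended grants
    """
    granted = {}
    for obj, field, value in entries:
        key = (obj.strip().upper(), field.strip().upper())
        granted.setdefault(key, set()).add(value.strip().upper())

    missing, excess, wildcard = [], [], []
    for key, required in BASELINE.items():
        have = granted.get(key, set())
        # Only a full '*' is treated as covering every required value.
        if "*" not in have:
            missing += [(*key, v) for v in sorted(required - have)]
    for key, have in granted.items():
        for v in sorted(have - BASELINE.get(key, set())):
            (wildcard if "*" in v else excess).append((*key, v))
    return {"missing": sorted(missing), "excess": sorted(excess),
            "wildcard": sorted(wildcard)}


# Constructed sample role (assumption): S_RFC is open-ended, several
# transactions are missing, and SM59 is granted although not listed.
SAMPLE_ROLE = [
    ("S_ADMI_FCD", "ACTVT", "ST0R"), ("S_RZL_ADM", "ACTVT", "01"),
    ("S_RZL_ADM", "ACTVT", "03"), ("S_RFC", "RFC_TYPE", "FUGR"),
    ("S_RFC", "RFC_NAME", "*"), ("S_RFC", "ACTVT", "16"),
    ("S_TCODE", "TCD", "os07"), ("S_TCODE", "TCD", "RZ20"),
    ("S_TCODE", "TCD", "SM59"),
]

if __name__ == "__main__":
    for kind, items in audit_role(SAMPLE_ROLE).items():
        print(kind, items)
```

Wildcard and excess findings are the ones to review first, because they widen the role beyond what the table requires.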

Interface 3: Solution Manager Diagnostics Accessing SAP Web AS ABAP

This interface is used for technical communication only.

The communication between the gateway of the ABAP stack and Solution Manager Diagnostics Java programs is enabled by the Java connect interface (JCo).

Interface 4: Solution Manager Diagnostics Accessing SAP Web AS ABAP

This interface is used for technical communication only.

The systems to be monitored can be:

·        SAP Web AS with both ABAP and Java:
SAP agents (saposcol, sapccmsr, Component Analyzer) and Introscope agent have to be installed.

·        SAP Web AS ABAP only:
SAP agents (saposcol, sapccmsr, Component Analyzer) have to be installed.

·        SAP Web AS Java only:
SAP agents (saposcol, sapccmsr, Component Analyzer) and Introscope agent have to be installed.

·        Others (for example, SAP Web AS < 6.40, TREX, DB systems):
SAP agents (saposcol, sapccmsr, Component Analyzer) have to be installed.

Interface 5: Solution Manager Diagnostics Accessing a J2EE Engine

This interface is used for technical communication only.

For each 6.40 J2EE Engine in the landscape to be monitored, the Solution Manager Diagnostics calls a Java servlet using HTTP(s). During setup, the URL of this servlet has to be entered in the Solution Manager Diagnostics, together with a J2EE user/password used to authenticate against the remote J2EE Engine. This data is stored within the secure storage of the Solution Manager Diagnostics J2EE Engine.

The connection is used internally to regularly retrieve configuration and performance information of the monitored J2EE Engine and to build up a history of this data to be stored within the Solution Manager Diagnostics.

Technical connection of the monitored component:

·        Web Application Server ABAP user access:

Access to the specific monitoring transaction (for example, RZ20) of the Web AS requires the setup of SAP Internet Transaction Server (ITS). The user of the Solution Manager Diagnostics is prompted for user authentication when logging on to the WAS via ITS. A valid user with the required authorization profile has to be provided by the customer. Alternatively, the logon can be automated via logon tickets (Single Sign-On).

·        Database connection to monitored portal system DB:

For reading and writing information from the database of the monitored system, a DataSource has to be created manually within the JDBC Connector service by using the Visual Administrator.

Therefore, a valid database user/password is required.

·        RFC connection for sapccmsr:

For every monitored system, the CCMS agent (sapccmsr) has to be installed and registered. The Solution Manager Diagnostics communicates with the CCMS agents of the monitored systems. This communication uses the RFC protocol.

To register sapccmsr, a valid RFC user (for data communication) and a valid human user (for administration purposes) for the Solution Manager Diagnostics are required.

·        J2EE user for configuration data retrieval:

For every monitored J2EE Engine (standalone or within an ABAP system), an administrative J2EE user is needed to read the J2EE configuration settings. The Solution Manager Diagnostics calls a Java servlet on the monitored J2EE engine via HTTP (or HTTPS) – this servlet requires authentication. The retrieved configuration data will be stored with change history within the Solution Manager Diagnostics.