sm70 root cause analysis

SAP Solution Manager 7.0 EHP1 End-to-End Root Cause Analysis Root Cause Analysis User Administration Guide Document Version 1.6 February 2010 Valid for SAP Solution Manager 7.0 EHP1

Upload: zahidhcm7190

Post on 03-Jan-2016


© Copyright 2008 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer

Some components of this product are based on Java™. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components.

Any Java™ Source Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.

Documentation on SAP Service Marketplace

You can find this documentation at

service.sap.com/instguidesNW04

SAP AG

Neurottstraße 16 69190 Walldorf Germany T +49/18 05/34 34 24 F +49/18 05/34 34 20

www.sap.com

Typographic Conventions

Type Style | Represents
Example Text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
EXAMPLE TEXT | Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE.
Example text | Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon Meaning

Caution

Example

Note

Recommendation

Syntax

Contents

1 INTRODUCTION
  1.1 HOW TO USE THIS DOCUMENT
  1.2 REQUIRED SOFTWARE COMPONENTS
  1.3 NAMING CONVENTION
    1.3.1 Terminology
    1.3.2 User Management Tools
      1.3.2.1 UME
      1.3.2.2 CUA
      1.3.2.3 SAP Solution Manager accounts persistence

2 SMD USER ADMINISTRATION
  2.1 DEFINITION OF USERS/ROLES NEEDED BY SMD
  2.2 ROOT CAUSE ANALYSIS USERS OVERVIEW
  2.3 USERS REFERENCE
    2.3.1 [SOLMAN.DUAL.ADMIN]: SOLMAN Admin user
    2.3.2 [SOLMAN.ABAP.INITIALSETUP]: ABAP Administrator
    2.3.3 [SOLMAN.ABAP.RFCCOM]: Internal RFC System User
    2.3.4 [SOLMAN.ABAP.S-USER]: CRM S-USER
    2.3.5 [SOLMAN.BI.ADMIN] : BI Administrator
    2.3.6 [SOLMAN.BI.RFC]: BI System User
    2.3.7 [SOLMAN.BI.SAPSUPPORT]: SAP Support
    2.3.8 [SOLMAN.DUAL.AGTCOM]: Diagnostics agent System User
    2.3.9 [SOLMAN.DUAL.SAPSUPPORT]: SAP Support
    2.3.10 [SOLMAN.WILY.GUEST]: Wily Guest
    2.3.11 [MANAGED.ABAP.ADMIN]: ABAP Setup Administrator
    2.3.12 [MANAGED.ABAP.WILYAGT]: ABAP System User for Wily host agent
    2.3.13 [MANAGED.ABAP.RFC]: RFC System User
    2.3.14 [MANAGED.DUAL.AGTCOM]: Agent System User
    2.3.15 [MANAGED.DB.USER]: Database System user
    2.3.16 [MANAGED.DUAL.SAPSUPPORT]: SAP Support
    2.3.17 [MANAGED.J2EE.ADMIN]: J2EE Administrator
    2.3.18 [MANAGED.OS.ADMIN]: Administrator OS user
    2.3.19 [MANAGED.OS.AGTSIDADMIN]: OS User dedicated to the Diagnostics Agent
    2.3.20 [MANAGED.OS.SIDADM]: OS Engine user
    2.3.21 [PRODUCTIVESLD.DUAL.CONF]: SLD SMD User

3 ROLE BASED NAVIGATION PERSONALIZATION
  3.1 HOW TO DEFINE USERS WITH RESTRICTED ACCESS TO A SPECIFIC SUB-SET OF SYSTEMS AND TOOLS

4 GLOSSARY
  4.1 USER
  4.2 ROLE (ABAP & JAVA)
  4.3 COMPOSITE ROLE (ABAP ONLY)
  4.4 PROFILE (ABAP ONLY)
  4.5 UME
  4.6 USER TYPES
    4.6.1 Dialog Users (ABAP & JAVA)
    4.6.2 Service Users (ABAP & JAVA)
    4.6.3 System Users (ABAP only)
      4.6.3.1 Internal System Users
      4.6.3.2 Message Exchange Users
  4.7 SYSTEM USERS (ABAP ONLY)
  4.8 USER ADMINISTRATOR
  4.9 CENTRAL USER
  4.10 CENTRAL USER ADMINISTRATION (CUA)

5 APPENDIX
  5.1 PASSWORD ADMINISTRATION
    5.1.1 Changing password within UME
    5.1.2 Changing password within ABAP
  5.2 ADDITIONAL USERS
    5.2.1 SDM User
    5.2.2 Wily Administrator

6 RELEVANT LINKS

Introduction February 2010

How to Use this Document

Root Cause Analysis – User Administration Guide 1

1 Introduction

1.1 How to Use this Document

The purpose of this document is to describe the user administration procedures within Solution Manager Diagnostics, also called E2E Root Cause Analysis. It describes exhaustively all users, roles and profiles involved within the Diagnostics System and all related maintenance procedures. However, for a better understanding of this document, we strongly recommend first reading the Root Cause Analysis Installation and Update Guide available on the SAP Service MarketPlace within the Diagnostics part (http://service.sap.com/diagnostics).

1.2 Required Software Components

The required Software Components are mentioned in the SAP note entry point 1010428.

This note references several SAP Notes which are all related to a Service Pack version, like for example the 'Prerequisites for Managed systems for SP15' with all required Support Packages and SAP notes that have to be applied for this version. If those prerequisites are not fulfilled completely, the E2E application will not work properly.

1.3 Naming Convention

In this documentation, the following naming conventions apply:

1.3.1 Terminology

The term SM designates Solution Manager.

The term SMD is the same as Solution Manager Diagnostics.

The term SOLMAN designates the Managing System with Solution Manager Diagnostics.

The term SLD is the same as Solution Landscape Directory.

The term CUA is the same as Central User Administration. However, because CUA is too vast a topic, the term CUA used in this document will only refer to the “Central User Administration” within ABAP and Java stacks.

The term Managing System is a general term for the central entry point for system analysis and monitoring. In an SMD scenario, the Managing System represents the SMD system.

The term Managed System is a general term for a satellite system connected to SMD (it could be for example an Enterprise Portal system, a Business Intelligence system, etc.).

In order to improve the clarity of this document, all users follow a naming convention like [SYSTEM.SOURCE.USERNAME]. For example, [SOLMAN.DUAL.SETUP] describes:

SOLMAN is the Managing System

J2EE is the source, which here is the Managing System Java stack

ADMIN is the user name, which in this case is the administrator of the Java stack


1.3.2 User Management Tools

Throughout this document, several user management tools related to Root Cause Analysis are mentioned (SAP system & third-party system).

The table below provides an overview and a short description of these User Management tools:

Tool | Usage
SAP User Management Engine for ABAP Engine (transaction SU01) | Central User Administration (CUA) for SAP WebAS
Profile Generator (transaction PFCG) | Tool for Web AS role administration. Important for authorization administration, among other things
SAP User Management Engine (UME) Administration Platform | Tool for administration of portal users and roles
SAP J2EE Engine user management using the Visual Administrator | Tool for administration of J2EE users and roles

1.3.2.1 UME

The User Management Engine (UME) is delivered with the Java stack and enables you to reconcile user data with the backend system. For further information, see the SAP help Portal under

http://help.sap.com → SAP NetWeaver → Release '04 → Select Language English → SAP NetWeaver → People Integration → Portal → Enterprise Portal Architecture → Security and User Management → User Management Engine (UME).

1.3.2.2 CUA

Central User Administration (CUA) enables central administration of the user data for all backend systems, like a Solution Manager, a managed PI system, etc. For further information, see the SAP help Portal under help.sap.com → SAP NetWeaver → Release '04 → Select Language English → SAP NetWeaver → Security → Identity Management → Central User Administration.

CUA environment considerations

In a non-CUA environment, the assignment of roles to users is executed by the Diagnostics Setup Wizard. In some cases, for security reasons, the customer policy may require the passwords of all users (Dialog User / Standard user) to be changed after a certain timeframe (e.g. 30 days or 90 days).

For that reason, the Diagnostics users dedicated to the system used need to be created as System Users. In the context of a CUA, these System User creations and the roles / profiles assignment have to be done by hand.

Experience from troubleshooting several Diagnostics implementations on the customer side shows that a lot of problems have their root cause in missing authorizations in the roles assignment. Therefore this will be described here as well.


1.3.2.3 SAP Solution Manager accounts persistence

ABAP / UME

ABAP CUA is the central user administration for users / roles / profiles which are fetched on the Java UME storage. However, in some cases, some full Java users have to be stored and maintained within the Java stack. This is for example the case for the SLD users (SLD is a full Java application)

External User Management Solution

Externalization of the user management by using technologies like LDAP, Active Directory (Microsoft OS only) or NIS (Linux). This scenario is the most used because of the ease of use offered by those solutions.

For further information regarding any external User Management solutions like the LDAP scenario, please check the official documentation available on the SAP Service Market Place.

2 SMD User Administration

The purpose of this guide is to describe the setup of users, roles and profiles for Diagnostics in the following cases:

when the common installation procedure is used, which allows the Diagnostics wizards to automate the user creation;

when the customer landscape is driven by a Central User Administration (CUA);

when a set of security restrictions is in place which prevents the Diagnostics wizards from automating the user creation.

This document presents the minimum set of users required in the scope of SMD. It is of course possible to create a different set of System Users for the various RFC destinations. Nevertheless, the roles as described here must be assigned to each of these additional users.

2.1 Definition of Users/Roles needed by SMD

Root Cause Analysis requires several users with some predefined Profiles or Roles for the installation step, the setup step and also to perform some Root Cause Analysis operations.

Within the Solution Manager landscape we make a distinction between:

The Managing System (SMD itself)

The Managed Systems


2.2 Root Cause Analysis users overview

The purpose of this topic is to provide a quick overview of the Root Cause Analysis users landscape.

Please note that in a CUA environment, the user accounts that are otherwise created automatically become prerequisite users, which means they have to be created beforehand. The tables hereafter offer an overview of the Diagnostics users according to the following categories:

Managing System

o Installation

o Setup

Managed System

o Installation

o Setup

The table below lists the user accounts that are prerequisites for, or created by, the SMD installer itself and the Wily Introscope Enterprise Manager. Do not confuse them with the Wily user accounts created by the Wily Introscope EM itself, even though those are fully part of the SMD installation procedure.

MANAGING SYSTEM INSTALLATION

Columns: Users | REF ID | User store (OS, 3rd-Party, ABAP, JAVA) | Prerequisite for the Installation | Created by Installation

Wily Guest user | [SOLMAN.WILY.GUEST] | X X


The table below describes in detail the user accounts involved in the Managing System Setup Wizard. It specifies the user sources and whether each user account is a prerequisite for the Setup Wizard or created by it. However, as previously described, note that in a CUA environment the creation of users by the Setup Wizard may fail, so it may be necessary to create them beforehand.

MANAGING SYSTEM SETUP

Columns: Users | REF ID | User store (OS, 3rd-Party, ABAP, JAVA) | Prerequisite for the Setup | Created by Setup

ABAP Administrator | [SOLMAN.DUAL.ADMIN] | X X
Setup user (ABAP) | [SOLMAN.ABAP.INITIALSETUP] | X X
Wily Guest user | [SOLMAN.WILY.GUEST] | X X
Diagnostics System User | [SOLMAN.ABAP.RFCCOM] | X X
Agent System User | [SOLMAN.DUAL.AGTCOM] | X X
SAP Support | [SOLMAN.DUAL.SAPSUPPORT] | X X
SAP Support | [SOLMAN.BI.SAPSUPPORT] | X X
BI RFC Destination User | [SOLMAN.BI.RFC] | X X
CRM S-USER | [SOLMAN.ABAP.S-USER] | X X


The table below lists the user accounts that are prerequisites for, or created by, the Diagnostics agent installation using the agent installer or the managed system installer (Java systems 7.01 or CE PI 7.11). It specifies the user sources and whether each user account is a prerequisite for the installation procedure or created by it. However, as previously described, note that in a CUA environment the creation of users by the Setup Wizard may fail, so it may be necessary to create them beforehand.

MANAGED SYSTEM INSTALLATION

Columns: Users | REF ID | User store (OS, 3rd-Party, ABAP, JAVA) | Prerequisite for the Installation | Created by Installation

OS Root / Admin user | [MANAGED.OS.ADMIN] | X X
OS User dedicated to the Diagnostics Agent | [MANAGED.OS.AGTSIDADM] | X X
Agent System User | [SOLMAN.DUAL.AGTCOM] | X X
SLD Data supplier User | [PRODUCTIVESLD.DUAL.CONF] | X (1) X (2)

(1) In case of a dual-stack system, the user has to be maintained on both stacks.

(2) Only required in case of SLD


The table below describes in detail the user accounts involved in the Managed System Setup. It specifies the user sources and whether each user account is a prerequisite for the Setup Wizard or created by it. However, as previously described, note that in a CUA environment the creation of users by the Setup Wizard may fail, so it may be necessary to create them beforehand.

MANAGED SYSTEM SETUP

Columns: Users | REF ID | User store (OS, 3rd-Party, ABAP, JAVA) | Prerequisite for the Setup | Created by Setup

ABAP Administrator | [MANAGED.ABAP.ADMIN] | X X
J2EE Administrator | [MANAGED.J2EE.ADMIN] | X (1) X
Agent System User | [MANAGED.DUAL.AGTCOM] | X (1) X
RFC Destination User | [MANAGED.ABAP.RFC] | X X
Database User | [MANAGED.DB.USER] | X X
OS Engine User | [MANAGED.OS.SIDADM] | X X
SMD Agent | [MANAGED.ABAP.WILYAGT] | X X
SAP Support | [MANAGED.DUAL.SAPSUPPORT] | X (1) X

(1) In case of a dual-stack system, the user has to be maintained on both stacks.


The purpose of the table below is to describe the Diagnostics users involved in the system run-time communications. Note that all of these users are mandatory for the Diagnostics operations.

DIAGNOSTICS RUN-TIME USERS

Users REF ID

Wily Guest user [SOLMAN.WILY.GUEST]

Diagnostics System User [SOLMAN.ABAP.RFCCOM]

BI RFC Destination User [SOLMAN.BI.RFC]

Agent System User [SOLMAN.DUAL.AGTCOM]

SAP Support [SOLMAN.BI.SAPSUPPORT]

SAP Support [SOLMAN.DUAL.SAPSUPPORT]

SLD Data Supplier User [PRODUCTIVESLD.DUAL.CONF]

Agent System User [MANAGED.DUAL.AGTCOM]

RFC Destination User [MANAGED.ABAP.RFC]

Database User [MANAGED.DB.USER]

SMD Agent [MANAGED.ABAP.WILYAGT]

SAP Support [MANAGED.DUAL.SAPSUPPORT]


The purpose of the table below is to describe the Diagnostics users involved throughout RFC connections.

DIAGNOSTICS SYSTEM USERS

Users | REF ID | Type | Description
Diagnostics System User | [SOLMAN.ABAP.RFCCOM] | RFC | J2EE RFC listener: WEBADMIN (Login as Setup User. Transaction solman_workcenter -> Common Task -> Diagnostics setup -> Diagnostics system -> Advanced setup)
Agent System User | [SOLMAN.DUAL.AGTCOM] | P4 | Dynamic P4 established by Diagnostics Agent (Login as Setup User. Transaction solman_workcenter -> Common Task -> Agent Administration -> Agent credentials)
Agent System User | [MANAGED.DUAL.AGTCOM] | P4 | Dynamic P4 established by Diagnostics Agent (Login as Setup User. Transaction solman_setup -> Managed System Configuration)
RFC Destination User | [MANAGED.ABAP.RFC] | RFC | RFC destination: SM_<SIDCLNT><INSTANCESID>_READ (SM59 or Login as Setup User. Transaction solman_setup -> Managed System Configuration)
SMD Agent | [MANAGED.ABAP.WILYAGT] | JCo | Dynamic JCo established by the Wily Host Application (running in Diagnostics Agent)
BI RFC Destination User | [SOLMAN.BI.RFC] | RFC | RFC destination BI_CLNT<BI Client> (maintained on SAP Solution Manager)


2.3 Users Reference

The purpose of this topic is to describe in detail the Monitoring System users necessary during the installation step as well as during the Setup procedure.

2.3.1 [SOLMAN.DUAL.ADMIN]: SOLMAN Admin user

This Dialog User account is normally automatically created during the “SAP Solution Manager Basic Configuration Assistant” sequence (Step “Initial Configuration”) and has the administrator authorizations on both stacks (ABAP / Java). It gets involved during the Diagnostics System Setup Wizard at the “Definition of Setup Parameters” step to create the following users:

[SOLMAN.ABAP.RFCCOM]

[SOLMAN.DUAL.SAPSUPPORT]

[SOLMAN.DUAL.AGTCOM]

This user is an ABAP user stored and maintained within the ABAP stack.

Description | Recommended value | User store | ABAP role | Prerequisite / Created / Run-Time
ABAP administrator | SOLMAN_ADMIN | ABAP / Java | SAP_J2EE_ADMIN; ZSAP_SM_CONF_SEC (generated); ZSAP_SOLMAN_ADMIN (generated); SAP_SMWORK_DIAG; SAP_SMWORK_* | X

User details for ABAP administrator

Choose the SAP_SMWORK role(s) corresponding to the Workcenter(s) that you would like to work in.

Please note that in some scenarios the creation of the system role ZSAP_SOLMAN_ADMIN can fail, and the role then needs to be created by hand. In such a case, please refer to SAP note 1305622.

Changing password

To maintain this user's password, proceed as follows:

1. Update the user password according to the standard procedure for ABAP


2.3.2 [SOLMAN.ABAP.INITIALSETUP]: ABAP Administrator

The DDIC is the standard ABAP System Administrator user with special privileges in installation, software logistics, and the ABAP Dictionary. The user master record is created in clients 000 and 001 when you install your R/3 System.

User DDIC is required for certain installation and setup tasks in the system, so you should not delete it. This user account is mandatory for the E2E RCA setup step in order to create the user account:

SOLMAN.DUAL.ADMIN

Description | Recommended value | User store | Role/Profile | Prerequisite / Created / Run-Time
ABAP Administrator | DDIC | ABAP | SAP_ALL | X

User details for ABAP Administrator

Changing password

This user account can be updated with the following procedure:

1. Update the user account by using Standard ABAP maintenance procedure


2.3.3 [SOLMAN.ABAP.RFCCOM]: Internal RFC System User

This System User account is created automatically by the Diagnostics System Setup Wizard (since Solution Manager SP15). This user is used for communication between Diagnostics/Java and SAP Solution Manager/ABAP at run-time. This user is also used to run the Job Extractor Resource Manager Framework.

Description | Recommended value | Default password | User store | ABAP Role / Profile | Prerequisite / Created / Run-Time
System User for dialogs between both SAP Solution Manager stacks (ABAP / Java) | SMD_RFC | Init1234 | ABAP | SAP_BW_CCMS_SETUP (Role) (2); SAP_SOLMANDIAG_E2E (Role); S_SMDIAG_E2E (Profile); SAP_BI_E2E (Role); S_SMDIAG_BI (Profile) | X (1) X

Roles or profiles related to the SMD_RFC user

(1) In case of a CUA environment, this user has to be created beforehand.

(2) In case the BW system is activated in the Solution Manager productive client, check whether the SMD_RFC user has the Role SAP_BW_CCMS_SETUP (used for CCMS scenario). If this is not the case, please generate / update the profile for this SAP role and finally assign this role to the SMD_RFC user.

Changing password

From Solution Manager SP15, this System User is created by the Setup Wizards and maintained on the ABAP side (transaction: su01). To update this user's password, proceed as follows:

1. Update the user account by using the standard ABAP procedure.

2. Go to the Diagnostics Setup > Diagnostics System > Advanced Setup Wizard > in the ABAP Connectivity tab, update the user password accordingly.

3. Open the Visual Administrator tool > Cluster tab > JCo RFC Provider > Runtime tab (Available RFC listeners) > WEBADMIN > Bundles > Specific Application Server > update your password, set it and click on the save button.

4. Open WebDynpro Content Administrator > click on Maintain JCo Destinations > Browse tab > expand Deployed Content tree > select E2E_SMD_SM_DATA (Edit) > “Security” part (number 3) > update your password.

5. Repeat the previous step for E2E_SMD_SM_METADATA to update its password.

2.3.4 [SOLMAN.ABAP.S-USER]: CRM S-USER

The S-USER is a customer user stored within SAP office. It is used by the SAP customer in the following scenarios:

The SAP Solution Manager Basic Configuration Assistant needs it at the Basic Configuration step.

Exchange problem messages with SAP (Scenario: Service Desk); Synchronize System Data with Support Portal and send data about satellite systems (SMSY); Transfer of Solution; Issue data transfer feedback to SAP (Scenario: Service Delivery); Service Connection

Retrieve information about which messages have been changed at SAP (Scenario: Service Desk)

To send an up-to-date version of the component ST-SER for delivery of Services by SAP Active Global Support (Scenario: Service Delivery)

Get some User documentation from SAP MarketPlace used by the HelpCenter within Diagnostics.

Changing password

This user account can be updated with the following procedure:

1. Update the user account by using the standard ABAP maintenance procedure.

2.3.5 [SOLMAN.BI.ADMIN] : BI Administrator

This Dialog User is mandatory in the scenario where BI is activated in a different client (different from the productive client) or in a different system. This user is a prerequisite user requested by the Managing System Setup Wizard to perform the BI setup (cf. user creation, services activation, etc.). In the scenario where BI is installed on the same system as SM, this user account will be automatically created through SAP Solution Manager Basic Configuration Assistant during the “Initial Configuration” step.

Please note that if BI is installed on a different system (physical or logical), this user account has to be manually created before running the Managing System Setup Wizard.

Description: Dialog User for the BI setup
Recommended value: SOLMAN_ADMIN (if BI is installed on the same System)
Default password: N/A
User store: ABAP
ABAP Role: SAP_SM_BASIC_SETTINGS
Marks (Prerequisite / Created / Run-Time columns): X (1), X

(1) In case of a CUA environment, this user has to be created beforehand.

Changing password

1. Run the transaction “solman_setup”

2. Navigate to “Basic Configuration”

3. Change credentials in the dedicated User step

4. Run the "Diagnostics Configuration" activity again.

2.3.6 [SOLMAN.BI.RFC]: BI System User

This System User is mandatory in the scenario where BI is activated in a different client (different from the productive client) or in a different system. For the time being, this user has to be manually created using the transaction “sm59”, and it is used through an RFC connection (BI_CLNT<BI CLIENT>) between SAP Solution Manager and the BI System. Please note that if BI is installed on the same logical system, this user account is not needed and therefore it will not be created.

Description: System User for the connection to the BI client
Recommended value: SMD_BI_RFC
Default password: N/A
User store: ABAP
ABAP Role: SAP_BI_E2E (Role); SAP_BW_CCMS_SETUP (Role); S_SMDIAG_BI (Profile)
Marks (Prerequisite / Created / Run-Time columns): X (1), X

(1) In case of a CUA environment, this user has to be created beforehand.

Changing password

This user can be updated with the following procedure:

1. Update the user account with the standard ABAP procedure

2. On SAP Solution Manager, the RFC destination using this user account (transaction “sm59”) has to be changed accordingly.

2.3.7 [SOLMAN.BI.SAPSUPPORT]: SAP Support

The SAP Support user is a Dialog User created during the Managing System Setup Wizards procedure on the BI system. By default, the Setup Wizard proposes the user ID SAPSUPPORT, which is the recommended user name, and the password “init1234”, which has to be changed once the installation of Diagnostics is done.

Description: Diagnostics Support user
Recommended value: SAPSUPPORT (Default password: “init1234”)
User store: ABAP
Role / Profile / Group: SAP_BI_E2E (Role); S_SMDIAG_BI (Profile)
Marks (Prerequisite / Created / Run-Time columns): X (1), X

Roles, profiles and group related to the SAP Support user

(1) In case of a CUA environment, this user has to be created beforehand.

One of the main uses of this user is to give the SAP support office Read-Only access to the customer site.

Changing password

This user account has to be maintained by using the standard ABAP maintenance procedure.

2.3.8 [SOLMAN.DUAL.AGTCOM]: Diagnostics agent System User

This System User is mandatory to register the SMD Agent with the NetWeaver Java stack via a P4 connection during startup of the Agent. It is created in the ABAP client during the Managing Setup Wizards procedure. By default it has the password “init1234”, which is proposed by the Setup Wizard, but it can be freely customized during the setup or within the Advanced Setup of Diagnostics.

This user account is required during the Agent installation step.

Please note that all communications between the SMD Agent and the Root Cause Analysis are transferred through this single connection.

Description: System User for the SMD Agents connection to SAP Solution Manager
Recommended value: SMD_ADMIN
Default password: Init1234
User store: ABAP
ABAP Role / J2EE security role: SAP_J2EE_ADMIN
Marks (Prerequisite / Created / Run-Time columns): X (1), X

User details for SMD_ADMIN

(1) In case of a CUA environment, this user has to be created beforehand.

Any changes on this user account will imply additional actions on the Managing System.

Overview of the Managing Setup Wizards creating the Diagnostics agent communication

Changing password

This user can be updated with the following procedure:

1. Update the user account with the standard ABAP procedure

2. On SOLMAN, go to Diagnostics Administration > Agent Administration > Agent Credentials > update the user password accordingly > press the button “Update All Agents”.

Please be aware that if some agents are not connected during the password maintenance, those agents will not be updated and will therefore no longer be able to connect. In that case a manual update operation is mandatory, as described in the “Diagnostics Agent Setup Guide” available on the SAP Service MarketPlace (/Diagnostics alias).

2.3.9 [SOLMAN.DUAL.SAPSUPPORT]: SAP Support

The SAP Support user is a Dialog User created by SAP Solution Manager Basic Configuration Assistant. It is the main user to log on to Diagnostics (Read only access).

The SAP Support user may be involved in one of the following scenarios:

1. Solution Manager and BI share the same productive client. In this scenario ABAP and BI are installed on the same physical host like a Solution Manager system with a productive client which also runs BI.

In this particular case there is only one SAP Support user with all rights required for Solution Manager (ABAP + Java) and BI.

2. Solution Manager and BI use different clients, whether or not they share the same physical host. In this scenario please refer to the SAP Support user for the BI System.

Description: Diagnostics Support user
Recommended value: SAPSUPPORT (Default password: “init1234”)
User store: ABAP
Role / Profile / Group, with marks (Prerequisite / Created / Run-Time columns):
Z_SAP_SMSY_ALL (Manually created Role – see below): X (2), X
S_RCA_EXE (Profile); S_RCA_DISP (Profile); S_SMWC_BA (Profile); S_DBA_DISP (Profile); SAP_SOLMAN_ONSITE_ALL_COMP (Role): X (1), X

Roles, profiles and group related to the SAP Support user

(1) In case of a CUA environment, this user has to be created beforehand.

(2) This role must be created manually and assigned to the SAPSUPPORT user, in order to be able to see all setup systems in transaction solman_workcenter.

Note that this user ensures Read-Only access for the SAP support office to the customer systems.

This user [SOLMAN.DUAL.SAPSUPPORT] has access to all Systems, in order to perform Root Cause Analysis, etc. on those satellite systems.

Please do not forget to manually extend the authorizations provided by default in the composite role ‘SAP_SOLMAN_ONSITE_ALL_COMP’.

This composite role contains the role ‘SAP_SMSY_ALL’, which needs to be adapted.

To perform this authorization adjustment, it is necessary to make a copy of the role ‘SAP_SMSY_ALL’ in the customer namespace (for example Z_SAP_SMSY_ALL), using transaction PFCG.

Within this copied role, please provide a ‘*’ in the fields ‘System Name’ and ‘System Component Type’ for the authorization object S_SMSYSYST.

Additional information could also be found in the SAP Solution Manager 7.0 EhP1 Security Guide.

If BI is installed on the same logical client, the SAP Support user account must also have the corresponding BI role and profile. Please refer to the SOLMAN.BI.SUPPORT account.

Finally, please be aware that the SAPSUPPORT user is dedicated to Diagnostics! Therefore, if this user SAPSUPPORT (not SAP_SUPPORT) already exists on the customer systems (Managing and/or Managed), you must propose to the operator to remove it before starting the Diagnostics setup wizards. Indeed, if SAPSUPPORT has (ABAP / UME / J2EE) roles other than those listed in the table above, the Diagnostics "read-only central access" paradigm might be broken!
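The check implied by the paragraph above, as an added example that is not part of the SAP guide: it compares the roles and profiles assigned to SAPSUPPORT with those listed in the table above and prints every other assignment. The export format (one USER<TAB>ROLE_OR_PROFILE line per direct assignment), the function names and the sample rows are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example: flag SAPSUPPORT assignments that are not in the guide's table.

# Allowlist copied from the [SOLMAN.DUAL.SAPSUPPORT] table (roles and profiles).
ALLOWED_SAPSUPPORT="Z_SAP_SMSY_ALL S_RCA_EXE S_RCA_DISP S_SMWC_BA S_DBA_DISP SAP_SOLMAN_ONSITE_ALL_COMP"
# Role and profile that apply only when BI runs in the same client (section 2.3.7).
ALLOWED_BI="SAP_BI_E2E S_SMDIAG_BI"

# sample_export: constructed sample data, one "USER<TAB>ROLE_OR_PROFILE" per line.
sample_export() {
  printf '%s\t%s\n' \
    SAPSUPPORT S_RCA_EXE \
    SAPSUPPORT S_RCA_DISP \
    SAPSUPPORT S_SMWC_BA \
    SAPSUPPORT S_DBA_DISP \
    SAPSUPPORT SAP_SOLMAN_ONSITE_ALL_COMP \
    SAPSUPPORT Z_SAP_SMSY_ALL \
    SAPSUPPORT SAP_J2EE_ADMIN \
    sapsupport sap_j2ee_admin \
    SAPSUPPORT SAP_BI_E2E \
    SMD_ADMIN SAP_J2EE_ADMIN
}

# unexpected_assignments USER [with_bi]   (export is read from stdin)
# Prints each role or profile held by USER that is outside the allowlist,
# once, in order of first appearance. Returns 1 if anything was printed.
# Pass "with_bi" when BI is installed in the same client as Solution Manager.
unexpected_assignments() {
  ua_allowed=$ALLOWED_SAPSUPPORT
  if [ "${2:-}" = with_bi ]; then
    ua_allowed="$ua_allowed $ALLOWED_BI"
  fi
  awk -F '\t' -v user="$1" -v allowed="$ua_allowed" '
    BEGIN {
      n = split(allowed, names, " ")
      for (i = 1; i <= n; i++) ok[names[i]] = 1
      user = toupper(user)
    }
    NF >= 2 {
      sub(/\r$/, "", $2)            # tolerate exports with CRLF line ends
      if (toupper($1) != user) next
      name = toupper($2)
      if (!(name in ok) && !(name in seen)) {
        seen[name] = 1
        print name
        extra++
      }
    }
    END { exit (extra > 0 ? 1 : 0) }
  '
}

# Stand-alone run on the constructed sample (BI in a separate client).
sample_export | unexpected_assignments SAPSUPPORT ||
  echo "SAPSUPPORT holds assignments outside the allowlist" >&2
```

The allowlist names only the composite role, so an export that also lists the single roles contained in SAP_SOLMAN_ONSITE_ALL_COMP would report them; the example assumes direct assignments only.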

Changing password

As described above, this user account may be present several times on the customer system landscape like ABAP, Java or BI and would have to be maintained by using the standard ABAP maintenance procedure.

2.3.10 [SOLMAN.WILY.GUEST]: Wily Guest

This application user 'Guest' is a built-in user of the Introscope Enterprise Manager (EM). By default it is used to open the proprietary JDBC Connection between Solution Manager and the Introscope Enterprise Manager to extract the collected performance data.

The users and passwords are maintained in two places:

Within Root Cause Analysis

Within the Introscope Enterprise Manager user store (XML file).

For further details regarding the Introscope user management please refer to the Wily Documentation available on the Service Marketplace (/diagnostics).

Description: Wily Introscope EM user
Recommended value: Guest
Password: N/A
User store: Introscope files (users.xml, domains.xml)
Access Rights: Read
Marks (Prerequisite / Created / Run-Time columns): X (1), X

Details of the user and credentials related to Wily EM

(1) In case of an existing Wily EM server with full license already installed, the Wily users become prerequisite users.

This user is required during the “Definition of Setup Parameters” of the Managing System Setup Wizard.

Changing password

Same procedure as described on the Wily Admin user (topic above).

2.3.11 [MANAGED.ABAP.ADMIN]: ABAP Setup Administrator

Commonly named according to the local user convention, this System User requires administrator authorizations. It is involved on simple ABAP stack systems as well as dual-stack systems during the Managed System Setup Wizard, at the "Setup Parameters" step, to create the following users:

[MANAGED.ABAP.WILYAGT]

[MANAGED.ABAP.RFC]

[MANAGED.DUAL.SAPSUPPORT]

Additionally, this user's credentials are used to run some Diagnostics selfcheck activities. Therefore please double check that this Administrator user is of type "System user".

This user is an ABAP user stored and maintained within the ABAP stack.

Description: ABAP Setup Administrator
Recommended value: N/A
User store: ABAP
ABAP role: SAP_RCA_CONF_ADMIN; SAP_SM_USER_ADMIN
Marks (Prerequisite / Created / Run-Time columns): X

User details for ABAP administrator

To configure Root Cause Analysis for a Managed System you require authorization to create users (transaction SU01) and assign roles (transaction PFCG) in the managed system. The role SAP_SM_USER_ADMIN has the necessary authorizations to perform these operations but, for security reasons, this role is not delivered. Therefore, this role has to be created manually and assigned to the ABAP Setup Administrator user (on the Managed System). To create this role, please follow the instructions described in SAP Note number 1305622.

Changing password

This user account can be maintained by using the standard ABAP maintenance procedure.

2.3.12 [MANAGED.ABAP.WILYAGT]: ABAP System User for Wily host agent

This is an ABAP System User which is used by the Wily Host agent.

Created through the Managed Setup Wizard with the default password “init1234”, the dedicated ABAP user SMDAGENT_<SOLMANSID> is needed to run dedicated extractors on the Managed Systems, which are delivered with the ABAP Add-On ST/A-PI. For self-monitoring purposes, this user should also exist on the SAP Solution Manager, and the actual ST/A-PI should be installed there as well.

The name of the user is fixed and must not be changed. This user is created with the Managed System Diagnostics Setup Wizard.

The Wily Host Application running within the Diagnostics Agent uses this user, for managed ABAP systems, to open a JCo Connection and collect application specific performance data.

Description: System User used by the Wily Host agent to connect to SAP Solution Manager
Recommended value: SMDAGENT_<SOLMANSID>
Default password: Init1234
User store: ABAP
Role & Profile: SAP_IS_MONITOR (Role); S_IS_MONITOR (Profile)
Marks (Prerequisite / Created / Run-Time columns): X (1), X

Roles or profiles related to the SMDAGENT_<SOLMANSID> user

(1) In case of a CUA environment, this user has to be created beforehand.

Changing password

[Without CUA]

This user can be updated, but a particular procedure is needed if NO CUA is used in the Solution Manager landscape. The procedure is the following:

1. Delete the user account within the ABAP stack by using the transaction SU01.

2. Run the Managed System Setup Wizard again and fill in the corresponding user fields with the new password.

[With CUA]

In case of CUA, the procedure to apply is the following:

1. Change the user password for the CUA using the transaction SU01

2. Run the Managed Systems Setup Wizard. In step "Setup Parameters", expand the "Initial Passwords (Optional)" tray on the lower left, and specify again the password of the user SMDAGENT_<SOLMANSID> there. Run the setup, at least the "WilyHost" setup task, so that it starts using the new password value.

For further details regarding Wily Introscope user administration please read the Introscope Installation for SAP Introscope® Version 8.0 Installation Guide for SAP.

2.3.13 [MANAGED.ABAP.RFC]: RFC System User

This System User is needed to perform an RFC connection from the Solution Manager System (ABAP stack) to the Managed System ABAP stack (if applicable). It is also used to run a set of extractors and enable the E2E tracing in the Managed Systems. Note that the creation of the associated “RFC Read user” is performed by the SMSY RFC wizard or SAP Solution Manager Basic Configuration Assistant, and its password can be freely chosen.

The user and password of this user are stored in two different locations: in Solution Manager in the SM59 logon & security tab of the RFC destination, and on the Managed System in the ABAP user store. This user is used for the following operations:

To perform initial E2E checks on the Managed System ABAP Stack during System Setup in Diagnostics

To run the data extractors delivered with ST-PI and ST/A-PI components on the managed systems

To enable and disable traces in the ABAP Stack of the Managed system for E2E Trace

Depending on the scenario, this user account can be created and enriched by SAP Solution Manager Basic Configuration Assistant or by the SMSY RFC Setup Wizard.

SAP Solution Manager Basic Configuration Assistant

In the scenario where SAP Solution Manager Basic Configuration Assistant is run first (new installation using SPs18) this user account is created and enriched with a single profile containing all required authorizations. This profile is the following:

Z_SOLMAN_READ

SMSY RFC Setup Wizard

For any installation prior to SPs18, this user account is created with the SMSY RFC Setup Wizard, which creates and assigns the following role and profiles:

SAP_SATELLITE_E2E (role)

S_AI_SMD_E2E (Profile)

S_BDLSM_READ (profile – SMSY Wizard)

S_CSMREG (profile – SMSY Wizard)

S_CUS_CMP (profile – SMSY Wizard)

Please note that the profile generated and assigned by SAP Solution Manager Basic Configuration Assistant (Z_SOLMAN_READ) was introduced to cover the list of role and profiles from the SMSY RFC Setup Wizard.

Managed System Setup Wizard

SAP_SATELLITE_E2E (role) / S_AI_SMD_E2E (Profile)

The following table contains Roles and Profiles which are required for the RFC System user account. Since 7.0 EhP1 the roles and profiles can be assigned by the SMSY Wizard procedure but also by using SAP Solution Manager Basic Configuration Assistant. Thus, the SAP_SATELLITE_E2E role and the S_AI_SMD_E2E profile are assigned by the Setup Wizard even though the role Z_SOLMAN_READ is generated by SAP Solution Manager Basic Configuration Assistant. Please note that the role Z_SOLMAN_READ is equivalent to all the profiles within this table. For that reason, if a system is upgraded from SPs17 to SPs18 for example, the system will contain all the profiles plus the additional role Z_SOLMAN_READ.

Description: System User used for an RFC connection between SAP Solution Manager and the Managed System
Recommended value: SM_<SID> (SAP Solution Manager Basic Configuration Assistant) or SOLMAN<SID><CLIENT> (SMSY Wizard) (Password defined throughout the RFC wizard)
User store: ABAP
Role & Profile: Z_SOLMAN_READ
Marks (Prerequisite / Created / Run-Time columns): X (1), X

Roles and profiles related to the SM_<SID><CLIENT> user

(1) In case of a CUA environment, this user has to be created beforehand.

Changing password

Updating this user account will require the steps below:

1. The user account has to be updated on the Managed System by using the standard ABAP maintenance procedure.

2. On SAP Solution Manager, the RFC destination using this user account (transaction sm59) has to be changed accordingly, as shown in the following screenshot.

Overview of the transaction SM59 for the scenario where the Setup Wizard has been used

2.3.14 [MANAGED.DUAL.AGTCOM]: Agent System User

On a dual stack system (ABAP & Java), this user account is a System User which has to be created manually before running the Managed System Setup Wizards. It is required first to perform the setup step and later at run-time to allow the Diagnostics agent connection to the Managed System for all Root Cause Analysis functionalities.

It could possibly be used to run Visual Admin to create J2EE roles (cf. SAPSUPPORT user).

However, in the scenario where the Managed System is a full Java System, this user account must be declared within UME as Technical User and fulfill the requirements described in the table below:

Description: Agent Technical User (Java stack only)
Recommended value: SMD_AGT_ADM
User store: UME
Role/Profile: Administrator
Marks (Prerequisite / Created / Run-Time columns): X, X

In the scenario where the Managed System is a dual-stack system, this user account must fulfill the requirements described in the table below:

Description: Agent System User (ABAP & Java stacks)
Recommended value: SMD_AGT_ADM
User store and Role/Profile: ABAP: SAP_J2EE_ADMIN; UME: Administrator
Marks (Prerequisite / Created / Run-Time columns): X, X

Please note that when the SAP_J2EE_ADMIN Role is applied on the ABAP stack, the user account automatically becomes an administrator user within the Java stack.

Changing password

This user account has to be maintained by using the following procedure:

1. On the Managed System, update the user password by using the corresponding standard procedure regarding the system landscape which may be:

Standard maintenance procedure for ABAP

Standard maintenance procedure for UME

2. On SAP Solution Manager, update the user password accordingly by running again the Managed System Setup Wizards.

2.3.15 [MANAGED.DB.USER]: Database System user

This Application User is created during the Engine installation and it will be just the owner of the database schema created for the System needs. This user is required during the SAP Engine installation and also for some Diagnostics tools like:

DBA Cockpit

In case of JDBC connection problems, you will be able to retrieve the full JDBC configuration by using the Diagnostics Config Tool available by running the following script:

/usr/sap/<SID>/Shortcuts/configtool

Overview of a database setting with the Config Tool

Description: Database administrator user
Recommended value: SAP<SID>DB
User store: Database server
Group: Database Administrators
Marks (Prerequisite / Created / Run-Time columns): X, X

Please note that in the scenario where a customer requires a dedicated user for Diagnostics with the corresponding credentials, it is possible to create a user with read access to the database schema, which is enough for the Diagnostics needs.

Changing password

It is strongly recommended not to update this user. If necessary, this user password can be updated in the Database administration tool and the change has to be applied accordingly within the configtool in the secStore part.

2.3.16 [MANAGED.DUAL.SAPSUPPORT]: SAP Support

The SAP Support user is a Dialog User automatically created during the Managed System Setup Wizards procedure (using the SMD_AGT_ADM user which has administrator authorizations). By default, the Setup Wizard proposes the user ID SAPSUPPORT, which is the SAP recommended user name.

This user makes it possible to perform tasks on the Managed System such as:

Display the System Info Page of the Managed System

Run the E2E Trace Analysis on the Managed System

Description: Diagnostics Support user
Recommended value: SAPSUPPORT (Default password: “init1234”)
User store and Role / Profile / Group:
UME: SAP_JAVA_NWADMIN_CENTRAL_READONLY (Group); <Specific roles for XI apps> (SAP note 1042450)
J2EE: SAP_JAVA_SUPPORT; <Specific roles for SystemInfo and SQL*Trace> (SAP note 1042450)
ABAP: SAP_RCA_SAT_DISP (Role) - jump-ins transactions: SM21_E2E, etc.; S_RCASAT_DIS (Profile)
Marks (Prerequisite / Created / Run-Time columns): X (1), X

Roles, profiles and group related to the SAP Support user

(1) In case of a CUA environment, this user has to be created beforehand.

Please note that it is possible to restrict access to a specific sub-set of systems or tools for the SAP Support user account. For doing this please follow the “Based navigation personalization” procedure.

Please note that during the setup of Diagnostics, an account with the login ID SAP_SUPPORT may already exist, which could give more permissions than necessary. Therefore, in order to ensure the Read-Only access, we strongly recommend creating a new one instead of using the existing one.

Changing password

This user account may be maintained by using two potential procedures, which are:

On the Managed System, update the user password by using the corresponding standard procedure regarding the system landscape which may be:

o Standard maintenance procedure for ABAP

o Standard maintenance procedure for UME

From SP15 it is also possible to update this user account from SAP Solution Manager itself:

1. Open the Managed System Setup > Advanced Setup

2. Update the user password

3. Run again the Managed System Setup Wizard.

SAP Support user manual creation

The manual creation of the SAP Support user on the Managed System needs the following procedure:

On dual-stack system the Dialog User SAP Support has to be created on the ABAP stack with the transaction su01, but maintained in both stacks (Java/ABAP).

ABAP

Within the ABAP stack, create your user and assign it the following existing ABAP roles and profile:

o SAP_RCA_SAT_DISP (role)

o S_RCASAT_DIS (profile)

J2EE

Within the UME tool on the Java stack, you must be able to see your new user previously created in ABAP and assign it the J2EE security Roles via the Visual Administrator as described below:

o SAP_JAVA_SUPPORT (J2EE Role, set in Visual Administrator)

1. Within Visual Administrator > expand the tree named > Server > Services > Security Provider > Runtime tab > Policy Configurations > Components > “SAP-J2EE-Engine” > Security Roles > Add the SAPSUPPORT user to the J2EE security role SAP_JAVA_SUPPORT

2. Save your changes by clicking on the button.

o SAP_JAVA_NWADMIN_CENTRAL_READONLY (UME Role, set in UME UI)

Java (XI Managed System only)

In addition, if the Managed System is an XI system, it is necessary to add the following Roles:

o SAP_XI_DISPLAY_USER (UME Role, set in UME UI)

o SAP_XI_MONITOR (UME Role, set in UME UI)

o SAP_SLD_GUEST (UME Role, set in UME UI)

And set the J2EE roles shown in the table below by going to Visual Administrator > Services > Security Provider.

Component name: sap.com/com.sap.xi.repository*rep, Value: display
Component name: sap.com/com.sap.xi.directory*dir, Value: display

Simple Java stack

On a simple Java stack the procedure is the following:

1. Go to the UME by opening the following URL:

http://<J2EE engine>:5NN00/useradmin

2. Create a new SAP Support user and assign it the type “Standard User”

3. Assign to your user the UME roles as described in the dual-stack system in the Java part.

Simple ABAP stack

Create and assign the mandatory roles as described for the dual-stack system in the ABAP part.

2.3.17 [MANAGED.J2EE.ADMIN]: J2EE Administrator

Managed System with dual-stack environment

This user exists on any SAP dual stack System; however, SAP recommends providing the [MANAGED.DUAL.AGTCOM] user credential during RCA setup.

This user account can be useful for administration like manual user creation or UME role / J2EE security role assignment. It could be also used for SLD configuration and validation procedures.

In this scenario the J2EE Administrator has to fulfill the requirements described in the following table:

Description: J2EE administrator
Recommended value: J2EE_ADMIN
User store and Role/Profile: ABAP: SAP_J2EE_ADMIN; UME: Administrator
Marks (Prerequisite / Created / Run-Time columns): X

Managed System Java stack only

This user only needs to be an administrator within the Java stack as described in the following table:

Description: J2EE administrator
Recommended value: J2EE_ADMIN
User store: UME
Role/Profile: Administrator
Marks (Prerequisite / Created / Run-Time columns): X

For the above two scenarios the Managed System Setup Wizard will require this user to perform the P4 Connection between the SMD Agent and the Managed system. In addition, this user allows the creation of the SAP Support user.

Changing password

Standard Root Cause Analysis configuration should not reference this user account. Instead the [MANAGED.DUAL.AGTCOM] is dedicated to Agent to Managed System communication. Therefore, any maintenance on J2EE administrator user should not impact the Root Cause Analysis operation.

2.3.18 [MANAGED.OS.ADMIN]: Administrator OS user

An OS User with administrator permissions is mandatory to perform the Root Cause Analysis Agent installation. This administrator user is mandatory to perform some tasks like:

Creating OS User dedicated to the Diagnostics

Restarting Java processes

Description: Administrator OS user
Recommended value: N/A
OS and Group: Unix: root; Windows: Administrators
Marks (Prerequisite / Created / Run-Time columns): X

Changing password

This user password can be updated according to the local user policy.

2.3.19 [MANAGED.OS.AGTSIDADMIN]: OS User dedicated to the Diagnostics Agent

This OS User is created during the Diagnostics Agent installation, by default with the user name <sid>admin. On UNIX systems, this user needs the permissions required to read data from the Managed System and to write it to the Agent directory.

The following platform families may be considered:

Managed System based on a Microsoft Windows Server

On a Microsoft OS, this user has to be a member of the Administrators OS group.

Managed System based on a UNIX OS

On a UNIX system, this user must be a member of the sapsys group.

The Diagnostics Agent temp directory must have read, write and execute permissions for the group, so that users belonging to the sapsys group have full access to it.

The permissions must be equal to the result of the command ‘chmod g+rwx’ on the Diagnostics Agent temp directory.

The umask of this user must be 027.

Note that this user is mandatory to perform some tasks like:

Restarting Diagnostics Agent

Please note that if your system runs a daemon task that automatically checks and restores your default access permissions, you may have to adapt this daemon to remain compliant with the requirements described above.

| Description | Recommended value | OS Group | Prerequisite / Created / Run-Time |
|---|---|---|---|
| OS User | <Agent sid>adm | Unix: sapsys; Windows: Administrators | X X |

User details for Managed System OS User

Changing password

This user's password can be changed according to the local user policy.

2.3.20 [MANAGED.OS.SIDADM]: OS Engine user

This OS user is created with the installation of the SAP Engine on the Windows platform. This user is required to restart the Managed System so that the Java parameter updates performed by Diagnostics take effect.

Please note that on UNIX systems the user “<SID>adm” must have a umask such as 027, and the group sapsys must have at least read access to the Managed System Engine files.
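The UNIX requirements stated here and in section 2.3.19 (sapsys membership, group rwx on the Agent temp directory, umask 027, group read access to the Engine files) can be checked with a script like the following. It is an added example, not part of the SAP guide: the function names are hypothetical, all paths are supplied by the caller, and the umask is assumed to be exactly 027.

```shell
# Added example (not SAP code): audit the UNIX requirements stated for the
# Diagnostics Agent user and <SID>adm. Run it as the user being audited,
# because umask is a property of the calling process.

# Succeeds if USER is a member of GROUP (the guide requires sapsys).
in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$2"
}

# Succeeds if the current umask is 027.
umask_is_027() {
    case "$(umask)" in
        027|0027) return 0 ;;
    esac
    return 1
}

# Succeeds if DIR belongs to GROUP and has group rwx, i.e. the state left
# by 'chmod g+rwx'. A setgid directory shows "s" instead of "x".
dir_group_rwx() {
    [ -d "$1" ] || return 1
    line=$(ls -ld -- "$1")
    [ "$(printf '%s\n' "$line" | awk '{print $4}')" = "$2" ] || return 1
    case "$(printf '%s\n' "$line" | cut -c5-7)" in
        rwx|rws) return 0 ;;
    esac
    return 1
}

# Prints every entry under DIR that GROUP cannot read through its group
# bits (other group, or no g+r); succeeds only if there is none.
unreadable_by_group() {
    out=$(find "$1" \( ! -group "$2" -o ! -perm -040 \) -print) || return 1
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# audit USER GROUP AGENT_TEMP_DIR ENGINE_DIR
audit() {
    rc=0
    in_group "$1" "$2" || { echo "FAIL: $1 is not in group $2"; rc=1; }
    umask_is_027 || { echo "FAIL: umask is $(umask), expected 027"; rc=1; }
    dir_group_rwx "$3" "$2" || { echo "FAIL: $3 lacks rwx for group $2"; rc=1; }
    unreadable_by_group "$4" "$2" || { echo "FAIL: not readable by $2"; rc=1; }
    return "$rc"
}

if [ "$#" -eq 4 ]; then audit "$@"; fi
```

With umask 027 a newly created directory gets mode 750, which is why the temp directory needs the explicit chmod g+rwx. Rerunning the audit after a permission-restoring daemon has run shows whether that daemon undoes the change.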

| Description | Recommended value | OS Group | Prerequisite / Created / Run-Time |
|---|---|---|---|
| OS User | SAPService<SID>, <SID>adm | Windows: Administrators | X |
| OS User | <SID>adm | Unix: sapsys | X |

Changing password

This user's password can be changed according to the local user policy.


2.3.21 [PRODUCTIVESLD.DUAL.CONF]: SLD SMD User

This Dialog User is created by default during an SLD installation. It is required during the Agent installation step to create some associations between a given agent and the Root Cause Analysis system (Java stack). In this context the SLDSMDUSER user is stored within the Productive SLD.

| Description | Recommended value | User store | Java Group | Prerequisite / Created / Run-Time |
|---|---|---|---|---|
| SLD Data Supplier User | SLDSMDUSER | UME | SAP_SLD_CONFIGURATOR | X X |

User details for SLD DATA SUPPLIER USER user

Changing password

This user account can be updated by using the following procedure:

1. On SAP Solution Manager, navigate to Managed System Setup > Agent Administration

2. Click on Agent candidate > Custom SLD

3. Update the user password

4. Go to SMD view

5. Select relevant Agent

6. Click on Push SLD Settings

For further details regarding the SLD SMD User account please read the SAP note number 1148028.


3 Role based navigation personalization

3.1 How to define users with restricted access to a specific sub-set of systems and tools

The purpose of this topic is to describe how to restrict access to a specific sub-set of systems or tools by user accounts.

This procedure requires the following steps:

1. Create a new role in the customer name space and add the authorization object “AI_DIAGAPP” (transaction PFCG). The authorization object must be set to Display in the Activity part.

The role “SAP_RCA_EXE” assigned to the user account SAPSUPPORT can be checked as a reference role for more details.

2. Below the “Activity” line, a second pen gives access to a table where the authorized applications can be set up.

The screenshot below displays the role “SAP_RCA_EXE” based on the user account SAPSUPPORT as well as the way to define the authorized applications. As shown on this screenshot, authorizations can be defined by adding the applications one by one, or by using a pattern like “DB*”, which authorizes all applications beginning with DB.


The second step is to adapt, if necessary, the permissions in the user role Z_SAP_SMSY_ALL, which is a copy of the role SAP_SMSY_ALL, in case you followed the explanations in the previous chapter describing the [SOLMAN.DUAL.SAPSUPPORT] user. Specifically, adapt the authorization object S_SMSYSYST to restrict the access to a list of Systems (as defined in SMSY).


4 Glossary

4.1 User

A user in a computing context refers to one who uses a computer system. Users may need to identify themselves for the purposes of accounting, security, logging and resource management.

Users must be created and roles assigned to user master records before you can use the SAP System.

A user can only log on to the system if he or she has a user master record. A user menu and authorizations are also assigned to the user master record via one or more roles.

The user master record generally contains user data such as e-mail address, language and password. It can be changed by an administrator or the user.

4.2 Role (ABAP & JAVA)

Roles are collections of activities which allow a user to use one or more business scenarios of an organization. A role is basically an enumeration of credentials which can be applied on one or several within an SAP System.

After a system administrator assigns a role to a user, the SAP system displays a specialized user menu for that user. In addition, the user role also assigns the authorizations the user requires for these activities. The standard SAP system contains a large number of pre-defined user roles (activity groups). You can use these as is, or copy them and change them.

The integrity of business data is also ensured by the assignment of roles. Authorization profiles are generated which restrict the activities of users in the SAP System, depending on the activities in the roles.

Roles are defined and maintained by the SAP security group and cannot be updated by the SAP System administrator.

4.3 Composite Role (ABAP only)

Composite roles can simplify the user administration within an ABAP SAP system. They consist of single roles. Users who are assigned a composite role are automatically assigned the associated single roles during the compare. Composite roles do not themselves contain authorization data.

Setting up composite roles is useful, for example, if some of your staff need authorization for several roles. You can create a composite role and assign it to the users instead of putting each user in each required single role.

4.4 Profile (ABAP only)

A Profile is very similar to a Role. The only difference is that, unlike a Role, a Profile cannot be composed of several Profiles.


4.5 UME

User Management Engine (UME) is a Java-based user management component that features centralized user management, Single Sign-On (SSO), and secure access to distributed applications.

4.6 User Types

4.6.1 Dialog Users (ABAP & JAVA)

Dialog Users represent human users (as opposed to service users), who log on through the various UIs of the Integration Builder, System Landscape Directory, and Runtime Workbench. Dialog Users are generally maintained in SAP NetWeaver usage type Application Server ABAP. A session-based single sign-on is supported.

The roles for the different dialog users displayed in the following table are predefined and shipped. Each role includes at least display authorizations for all PI components.

Each role is a composite role consisting of an ABAP role (with suffix _ABAP) that is only relevant when the dialog user executes an ABAP application, and a J2EE role (with suffix _J2EE) relevant for J2EE applications such as the Integration Repository or the Integration Directory. The roles are propagated to user groups of the user management engine (UME), which are then assigned to security roles for Java applications by using the Security Provider service of the Visual Administrator.

4.6.2 Service Users (ABAP & JAVA)

Service users do not log on interactively. A service user is used, for example, to connect to a remote system with certain rights. Although a service user does not log on interactively, it is authenticated and the attributes contain a valid ticket. User mapping can be defined for a service user, and a role and general attributes can be assigned to it.

Service users are defined as regular users with their own namespace.

4.6.3 System Users (ABAP only)

4.6.3.1 Internal System Users

These service users are used for internal communication between PI components, which is usually triggered by interaction of dialog users. The service users provide dialog-free access to the involved PI components. They have SAP user roles in SAP NetWeaver Application Server ABAP (AS-ABAP) that are available as user groups in SAP NetWeaver Application Server Java (AS-Java). For an overview of the internal communication within a PI landscape, see Communication.

The following general principles apply for internal communication:

● Each PI component that communicates with other PI components identifies itself by means of a dedicated service user. Therefore, each required service user must be created in each target component.

● The name, password and language of all the service users are defined in the exchange profile.

● This service user has all the necessary authorizations to access the required services on the addressed PI components.


The Integration Repository is associated with service user PIREPUSER. Since the Integration Repository needs to communicate with the Integration Directory (for the cache refresh mechanism) and the System Landscape Directory (to obtain physical channel data), the user PIREPUSER needs to be known by each of these components.

For each component, service users representing the respective components are created with the appropriate roles in the target components during installation. The passwords of the service users have to be defined during the installation process.

4.6.3.2 Message Exchange Users

Each messaging communication is executed under a messaging service user that must be authenticated for each individual communication path and that must have the appropriate authorizations in the respective messaging target component.

(For further information please read the SAP NetWeaver Process Integration Security Guide)

4.7 System Users (ABAP only)

User type for dialog-free communication between systems. System users are used, for example, for setting up RFC destinations.

4.8 User Administrator

Person authorized to create and maintain users.

A user administrator can be authorized to create or modify only user master records that belong to a particular user group or set of groups, or users that have not been assigned to any user group.

For security reasons, the user administrator should not be authorized to maintain or activate authorization profiles and authorizations. With these authorizations, the user could single-handedly define, activate, and assign system access authorizations.


4.9 Central User

Maintenance of users in a central system. A system group includes several SAP systems with several clients. The same users are often created and the same roles assigned in each client. Central User Administration is designed to perform these tasks in a central system and distribute the data to the systems in the system group.

4.10 Central User Administration (CUA)

Central User Administration (CUA) system. You administer users for all systems of the Central User Administration and their authorizations in the central system. With active Central User Administration, you can only create and delete users in the central system and not in the connected child systems. You can also lock and unlock users, assign roles to users, and so on from the central system, in accordance with the settings that you have chosen in transaction SCUM for the distribution of the data.


5 Appendix

5.1 Password administration

5.1.1 Changing password within UME

Prerequisites

The J2EE Engine is running.

You have a user ID with administrator rights, for example, Administrator.

Procedure

1. Start the UME user administration management console. http://localhost:50000/useradmin

2. Log on as your administrator user. The User Management screen appears.

3. Under Users, choose Create User.

4. Enter the data for the user.

5.1.2 Changing password within ABAP

Prerequisites

The ABAP system is running.

You have a user ID with administrator rights, for example, DDIC.

Procedure

1. Start the transaction su01 to have access to the ABAP user account maintenance.

2. Log on as your administrator user.

3. The Maintain User screen appears.

4. On the first screen, fill in the user name and choose Create User.

5. Under Role data, define the required Role.

6. Perform the user comparison to generate the Profile based on Roles.

7. Save your new user.


5.2 Additional users

5.2.1 SDM User

The Software Deployment Manager (SDM) User is a special user which is dedicated to SDM. This user has a fixed user ID which is not customizable, although its password can be changed according to the local policy requirements.

Please note that the SDM user needs to have the same password as the J2EE Administrator to keep access to the Engine. For any password changes on the J2EE Administrator please update the SDM user password accordingly.

5.2.2 Wily Administrator

This application user is necessary to have access to the Wily Introscope Enterprise Manager (EM). It is created during the Introscope Enterprise Manager setup with a default user name and password described in the table hereafter. This user password could be adapted (refer to the changing password section for further details).

The users and passwords are maintained in two places:

Within Root Cause Analysis

Within the Introscope Enterprise Manager user store (XML file)

This user is only required during administration tasks on Wily Introscope EM and is not required for any of the Diagnostics scenarios.

| Description | Recommended value | Password | User store | Access Rights | Prerequisite / Created / Run-Time |
|---|---|---|---|---|---|
| Wily Introscope EM user | Admin | N/A | Introscope files (users.xml, domains.xml) | Read, run_tracer | X(1) X |

Details of the user and credentials related to Wily EM

(1) In case of an existing Wily EM server with full license already installed, the Wily users become prerequisite users.

Changing password

This user account must be maintained in the file users.xml, located in the subdirectory config/ of the Enterprise Manager (which is by default /usr/sap/ccms/wilyintroscope) as well as in Diagnostics throughout the Wily setup part. Permissions are controlled by the file domains.xml in the same directory. To create a new user X with password Y, proceed as follows:

1. Generate the MD5-encoded password by the script MD5Encoder:


MD5Encoder Y

Y:57cec4137b614c87cb4e24a3d03a3e0

2. Add a new line to users.xml before the final </users> line, using the generated password string (without “Y:”) as password:

<user name="X" password="57cec4137b614c87cb4e24a3d03a3e0" />

3. Add permissions for the user to the Superdomain in the domains.xml file:

<grant user="X" permission="read" />

<grant user="X" permission="run_tracer" />

Note: If you do not have a full license for Introscope, you cannot use permission="full".
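The entries added in steps 2 and 3 can be checked for consistency before the Enterprise Manager reads them. The script below is an added example, not SAP or Introscope code: its function names are hypothetical, the sample user names and password strings are constructed, and the element nesting of the sample files is an assumption (only the <user> and <grant> lines follow the guide).

```shell
# Added example (not SAP or Introscope code): sanity-check users.xml and
# domains.xml entries written in the one-line form shown in the steps above.

# Print "name|password" for each <user .../> line of users.xml.
list_users() {
    sed -n 's/.*<user name="\([^"]*\)" password="\([^"]*\)".*/\1|\2/p' "$1"
}

# Print "user|permission" for each <grant .../> line of domains.xml.
list_grants() {
    sed -n 's/.*<grant user="\([^"]*\)" permission="\([^"]*\)".*/\1|\2/p' "$1"
}

# check_wily_users USERS_XML DOMAINS_XML: print findings, return 0 if none.
check_wily_users() {
    findings=$(
        list_users "$1" | while IFS='|' read -r name hash; do
            # An MD5 digest is 128 bits: exactly 32 hexadecimal characters.
            if ! printf '%s\n' "$hash" | grep -Eq '^[0-9a-fA-F]{32}$'; then
                echo "$name: password is not a 32-character hex string"
            fi
            perms=$(list_grants "$2" | awk -F'|' -v u="$name" '$1 == u {print $2}')
            if [ -z "$perms" ]; then
                echo "$name: no <grant> entry in domains.xml"
            fi
            if printf '%s\n' "$perms" | grep -qx 'full'; then
                echo "$name: permission=\"full\" requires a full license"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Write constructed sample files (names and password strings are made up).
write_sample() {
    cat > "$1/users.xml" <<'EOF'
<users>
  <user name="alice" password="0123456789abcdef0123456789abcdef" />
  <user name="bob" password="0123456789abcdef0123456789abcde" />
  <user name="carol" password="fedcba9876543210fedcba9876543210" />
</users>
EOF
    cat > "$1/domains.xml" <<'EOF'
<domains><SuperDomain>
  <grant user="alice" permission="read" />
  <grant user="alice" permission="run_tracer" />
  <grant user="bob" permission="full" />
</SuperDomain></domains>
EOF
}

if [ "$#" -eq 2 ]; then check_wily_users "$@"; fi
```

On the constructed sample this reports bob (a 31-character password string and a full grant) and carol (no grant), and nothing for alice.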


6 Relevant links

Java UME

http://help.sap.com/saphelp_nw04/helpdata/en/6a/d39b3e09cdf313e10000000a114084/frameset.htm

ABAP CUA

http://help.sap.com/saphelp_nw04/helpdata/en/08/ed591f9ff00343952f11a7b707f28a/frameset.htm

SAP Solution Manager

http://service.sap.com/solutionmanager

SAP Solution Manager Diagnostics

http://service.sap.com/diagnostics