SNP CrystalBridge® Monitoring Authorizations

To authorize a user to start the SNP CrystalBridge® Monitoring tool, add the user to the /DVD/MON_ADMIN role. The role is part of the SNP CrystalBridge® Monitoring transport request.

ABAP Agent Authorizations

To authorize an SAP user to administer the ABAP agent, add the user to the /DVD/APPD_ADMIN role.

Legacy role /DVD/APPD_USER exists as a subset of the Admin role and allows execution of certain ABAP agent and SAP components (start, stop, collect SQL trace, call Cisco AppDynamics RFC function modules from external systems, etc.). The User role is meant for users to be monitored and for technical users utilized during RFC calls. The roles are part of the Cisco AppDynamics ABAP agent transport requests.

New elementary and composite authorization roles are available since ABAP Agent version 4.5.1911. The composite roles consist of all relevant elementary roles and are intended to replace user role /DVD/APPD_USER:

  • /DVD/APPD_JAVA
    • Intended for all SAP users and technical users utilized during RFC calls from JAVA (via JCo)
    • Contains all elementary roles listed below
  • /DVD/APPD_ABAP
    • Intended for all other users (non-technical and technical) that are not involved during any RFC calls from JAVA (via JCo) 
    • Contains all elementary roles except /DVD/APPD_RFC_JAVA

Elementary roles exist to provide the necessary authorizations for a specific area. When one of the composite roles cannot be used, it is possible to assign specific elementary roles instead, but this limits the ABAP Agent functionality in certain ways. The impact of omitting an elementary role is explained in each role's Not assigned bullet point.

  • /DVD/APPD_RFC_ABAP
    • Authorization object: Authorization Check for RFC Access (S_RFC)
      • Activity: Execute (16), Perform (88)
      • Name of RFC to be protected: /DVD/*
      • Type of RFC object to be protected: Function Group (FUGR)
    • Purpose: allows assigned users to call RFC function modules from /DVD/* function groups
    • Needed for: RFC correlation between ABAP Agents
    • User groups: Users utilized during RFC calls or assigned to RFC destinations; all users when RFC destinations with trust relation are used
    • Not assigned: RFC exit calls from ABAP Agent business transactions generate run-time errors, but do not affect the end-user
    • Fallback: This role is necessary for smooth ABAP Agent operation, but the impact of the missing role is mitigated by automatic temporary RFC destination blacklisting
  • /DVD/APPD_RFC_JAVA
    • Authorization object: Authorization Check for RFC Access (S_RFC)
      • Activity: Execute (16)
      • Name of RFC to be protected: SRFC, SUNI, SYST
      • Type of RFC object to be protected: Function Group (FUGR)
    • Purpose: Allows assigned users to call RFC function modules from function groups SRFC, SUNI, SYST
    • Needed for: RFC correlation between Java Agent with JCo plugin and ABAP Agent
    • User groups: Users utilized during RFC calls or assigned to RFC destinations called from Java systems using JCo
    • Not assigned: RFC exit calls from Java Agent business transactions generate run-time errors, but do not affect the end-user
    • Fallback: This role is necessary for smooth JCo plugin and ABAP Agent operation, but the impact of the missing role is mitigated by automatic temporary RFC destination blacklisting
  • /DVD/APPD_TRACE_SQL
    • Authorization object: System Authorizations (S_ADMI_FCD)
      • System administration function: Change trace switches (ST0M), Analyze traces (ST0R)
    • Purpose: Allows assigned users to start, stop, and process SQL trace (ST05)
    • Needed for: Top 5 SQL statements in business transaction snapshots
    • User groups: All users
    • Not assigned: Full business transaction snapshots may not contain Top 5 SQL statements, application log error messages will be written
    • Fallback: Uncheck Include SQL trace into snapshots checkbox in Snapshot Settings. If the primary database is HANA, Include SQL trace into snapshots and Always use HANA expensive statements can both be checked to omit ST05 trace completely
  • /DVD/APPD_TRACE_ABAP_AUTO
    • Authorization object: Authorization for file access (S_DATASET)
      • Activity: All activities
      • Physical file name: *
      • Program Name with Search Help: CL_ATRA_TRACE_FILE============CP
    • Authorization object: ABAP Workbench (S_DEVELOP)
      • Activity: Display (03)
      • Package: S_ATRA_API
      • Object name: *
      • Object Type: *
      • Authorization group ABAP/4 program: *

    • Purpose: Allows assigned users to delete ABAP trace (SAT) files generated by ABAP Agent
    • Needed for: Housekeeping after collecting Top 5 ABAP statements or call graphs in business transaction snapshots
    • User groups: All users
    • Not assigned: ABAP trace files generated by ABAP Agent will not be deleted at the end of the business transaction
    • Fallback: When /DVD/APPD_TRACE_ABAP_AUTO cannot be used, use role /DVD/APPD_TRACE_ABAP_MANUAL and carry out the necessary manual steps described in the role long text
  • /DVD/APPD_TRACE_ABAP_MANUAL
    • Authorization object: File system access via ABAP/4 (S_PATH)
      • Activity: Change (02), Display (03), Delete (06), Read (33), Write (34)
      • Authorization group for ABAP/4: <to be defined by customer, see guide in role description>
    • Purpose: Allows assigned users to delete ABAP trace (SAT) files generated by ABAP Agent
    • Needed for: Housekeeping after collecting top 5 ABAP statements or call graphs in business transaction snapshots
    • User groups: All users
    • Not assigned: ABAP trace files generated by ABAP Agent are not deleted at the end of the business transaction
    • Fallback: When /DVD/APPD_TRACE_ABAP_MANUAL cannot be used, trace files generated by the ABAP Agent are deleted automatically by the ABAP Agent housekeeping job on a daily basis

      Big SAP systems and ABAP trace files

      SAP systems with hundreds of active users generate enough traffic that many ABAP trace files are created, and the daily housekeeping job may not keep up. Do not rely on this fallback on large SAP systems: use either authorization role /DVD/APPD_TRACE_ABAP_AUTO or /DVD/APPD_TRACE_ABAP_MANUAL. If neither requirement can be met, it is recommended not to use the ABAP trace functionality.

Role profiles

Make sure that all /DVD/APPD* authorization roles have an active generated profile for the current role version. This can be checked and adjusted in transaction PFCG on the Authorizations tab.
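As an added example (not the ABAP Agent's own code), the following report runs one AUTHORITY-CHECK per authorization object listed under the elementary roles above, for a chosen user, and prints OK or MISSING per object. A MISSING line for a user who is assigned the role in SU01 is the symptom of a profile that was never generated, so this is a quick way to verify the role profiles before the agent runs into the gap. The report name ZAPPD_AUTH_SELFTEST, the placeholder function group /DVD/APPD_EXAMPLE (any name under the role's /DVD/* wildcard would do) and the choice of Delete (06) as the S_DATASET activity are assumptions made here, not values from the page.

```abap
*&---------------------------------------------------------------------*
*& ZAPPD_AUTH_SELFTEST - added example, not part of the ABAP Agent package.
*& One AUTHORITY-CHECK per elementary role; prints OK or MISSING per object.
*& MISSING for a user who is assigned the composite role usually means the
*& role profile was not generated (PFCG, Authorizations tab, Generate).
*&---------------------------------------------------------------------*
REPORT zappd_auth_selftest.

" User to test; defaults to the logged-on user
PARAMETERS p_user TYPE sy-uname DEFAULT sy-uname.

CLASS lcl_report DEFINITION.
  PUBLIC SECTION.
    TYPES: BEGIN OF ty_result,
             role   TYPE string,
             object TYPE string,
             status TYPE string,
           END OF ty_result.
    CLASS-DATA mt_results TYPE STANDARD TABLE OF ty_result WITH EMPTY KEY.
    CLASS-METHODS record IMPORTING iv_role   TYPE string
                                   iv_object TYPE string
                                   iv_rc     TYPE i.
    CLASS-METHODS print.
ENDCLASS.

CLASS lcl_report IMPLEMENTATION.
  METHOD record.
    " sy-subrc 0 after AUTHORITY-CHECK means the authorization is present
    APPEND VALUE #( role   = iv_role
                    object = iv_object
                    status = COND #( WHEN iv_rc = 0 THEN `OK` ELSE `MISSING` ) )
           TO mt_results.
  ENDMETHOD.

  METHOD print.
    LOOP AT mt_results INTO DATA(ls_result).
      WRITE: / ls_result-role, ls_result-object, ls_result-status.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lv_rc TYPE i.

  " /DVD/APPD_RFC_ABAP: S_RFC, Execute (16) on function groups /DVD/*.
  " The check needs a concrete group name; /DVD/APPD_EXAMPLE is a placeholder
  " that the role's /DVD/* wildcard matches.
  AUTHORITY-CHECK OBJECT 'S_RFC' FOR USER p_user
    ID 'RFC_TYPE' FIELD 'FUGR'
    ID 'RFC_NAME' FIELD '/DVD/APPD_EXAMPLE'
    ID 'ACTVT'    FIELD '16'.
  lv_rc = sy-subrc.
  lcl_report=>record( iv_role = `/DVD/APPD_RFC_ABAP` iv_object = `S_RFC` iv_rc = lv_rc ).

  " /DVD/APPD_RFC_JAVA: S_RFC, Execute (16) on SRFC (SUNI and SYST likewise)
  AUTHORITY-CHECK OBJECT 'S_RFC' FOR USER p_user
    ID 'RFC_TYPE' FIELD 'FUGR'
    ID 'RFC_NAME' FIELD 'SRFC'
    ID 'ACTVT'    FIELD '16'.
  lv_rc = sy-subrc.
  lcl_report=>record( iv_role = `/DVD/APPD_RFC_JAVA` iv_object = `S_RFC` iv_rc = lv_rc ).

  " /DVD/APPD_TRACE_SQL: S_ADMI_FCD, Change trace switches (ST0M)
  AUTHORITY-CHECK OBJECT 'S_ADMI_FCD' FOR USER p_user
    ID 'S_ADMI_FCD' FIELD 'ST0M'.
  lv_rc = sy-subrc.
  lcl_report=>record( iv_role = `/DVD/APPD_TRACE_SQL` iv_object = `S_ADMI_FCD` iv_rc = lv_rc ).

  " /DVD/APPD_TRACE_ABAP_AUTO: S_DATASET for the trace-file class; the role
  " grants all activities, Delete (06) is the one housekeeping needs
  AUTHORITY-CHECK OBJECT 'S_DATASET' FOR USER p_user
    ID 'PROGRAM'  FIELD 'CL_ATRA_TRACE_FILE============CP'
    ID 'ACTVT'    FIELD '06'
    ID 'FILENAME' DUMMY.
  lv_rc = sy-subrc.
  lcl_report=>record( iv_role = `/DVD/APPD_TRACE_ABAP_AUTO` iv_object = `S_DATASET` iv_rc = lv_rc ).

  " /DVD/APPD_TRACE_ABAP_AUTO: S_DEVELOP, Display (03) in package S_ATRA_API;
  " object type and name are arbitrary values matched by the role's '*'
  AUTHORITY-CHECK OBJECT 'S_DEVELOP' FOR USER p_user
    ID 'DEVCLASS' FIELD 'S_ATRA_API'
    ID 'OBJTYPE'  FIELD 'CLAS'
    ID 'OBJNAME'  FIELD 'CL_ATRA_TRACE_FILE'
    ID 'P_GROUP'  DUMMY
    ID 'ACTVT'    FIELD '03'.
  lv_rc = sy-subrc.
  lcl_report=>record( iv_role = `/DVD/APPD_TRACE_ABAP_AUTO` iv_object = `S_DEVELOP` iv_rc = lv_rc ).

  lcl_report=>print( ).
```

Run it as the affected user, or enter another user in P_USER; AUTHORITY-CHECK ... FOR USER evaluates that user's profiles rather than the caller's. The S_PATH check for /DVD/APPD_TRACE_ABAP_MANUAL is not included because its authorization group (field FS_BRGRU) is defined by the customer; add it in the same pattern once the group is known.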

Custom Authorization Enhancement Spots

Enhancement spots for custom authorization checks are available since ABAP Agent version 21.2.0. The spots are available in the following areas of ABAP Agent:

  • SXPG/SM49 OS command authorization check for all ZDVD_APPD commands
  • File access services used for local HTTP SDK installation and access to local log files
  • NetWeaver Gateway Instrumentation, see Instrument NetWeaver Gateway.

The individual enhancement spots are grouped under enhancement spot /DVD/APPD_EH_BADI_CHECKS. Implement the enhancement spots to fine-tune authorization checks in the listed areas.

Example Implementation

To implement a custom authorization enhancement spot:

  1. Navigate to package /DVD/APPD_API.
  2. Expand the Enhancements and Enhancement Spots folders.
  3. Double-click /DVD/APPD_EH_BADI_CHECKS.
  4. Right-click one of the BAdI Definitions and select Create BAdI implementation. You can also click the BAdI Documentation button for more details.
  5. Enter the name of your custom Enhancement Implementation and a short description, and confirm the pop-up. Select the package and transport request where this development will be stored.
  6. Enter the name of your custom BAdI Implementation, a custom Implementing Class name and a short description. Select the package and transport request where this development will be stored.
  7. Expand your custom BAdI Implementation node and double-click Implementing Class.
  8. Double-click the method that you want to implement (...~COMMAND_CHECK) and confirm the method implementation pop-up. This opens the class builder UI where custom code can be entered.

Custom command check example code

METHOD /dvd/appd_if_badi_cmd_check~command_check.

*  Importing parameters:
*    IV_PROGRAMNAME  TYPE  SXPGCOLIST-OPCOMMAND
*    IV_PARAMETERS   TYPE  SXPGCOLIST-PARAMETERS
*    IV_LONG_PARAMS  TYPE  CHAR1024
*  Exception objects:
*    /DVD/CX_APPD_AUTH_CHECK

* Restrict access to shell command execution
  IF      iv_programname = 'sh'
      OR  iv_programname = 'chmod'
      OR  iv_programname = 'mkdir'.

*   Allow HTTP SDK start / stop / status commands
    IF iv_parameters CS '/opt/appdynamics/appdhttpsdk/runAppdHttpSDK'.
      RETURN.
*   Path to HTTP SDK start-up script is not in parameters -> check failed
    ELSE.
      RAISE EXCEPTION TYPE /dvd/cx_appd_auth_check
        EXPORTING
          textid = /dvd/cx_appd_auth_check=>auth_check_failed.
    ENDIF.

* Prevent execution of any other command
  ELSE.
    RAISE EXCEPTION TYPE /dvd/cx_appd_auth_check
      EXPORTING
        textid = /dvd/cx_appd_auth_check=>auth_check_failed.
  ENDIF.

ENDMETHOD.
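The command check above accepts any parameter string that merely contains the start-up script path (CS is a substring match) and inspects only IV_PARAMETERS. The following stricter variant is an added example, not the ABAP Agent's own code: it tokenizes the parameters, requires the exact script path plus one expected action for sh, confines chmod and mkdir to the SDK directory, and refuses shell separators and redirections. It assumes, which the page does not state, that the agent passes the script path as the first token and the action (start, stop, status) as the second, and that IV_LONG_PARAMS carries the parameters when they do not fit IV_PARAMETERS; verify both against the actual ZDVD_APPD command definitions in SM49 before using it.

```abap
METHOD /dvd/appd_if_badi_cmd_check~command_check.
* Added example, not the ABAP Agent's own code. Assumptions not stated on
* the page: the agent passes the start-up script path as the first token
* and the SDK action as the second token, and IV_LONG_PARAMS is filled
* when the parameters do not fit IV_PARAMETERS.

  CONSTANTS: lc_sdk_dir    TYPE string VALUE '/opt/appdynamics/appdhttpsdk/',
             lc_sdk_script TYPE string VALUE '/opt/appdynamics/appdhttpsdk/runAppdHttpSDK'.

* Take the long parameter string when it is filled, otherwise the short one
  DATA(lv_params) = COND string( WHEN iv_long_params IS NOT INITIAL
                                 THEN iv_long_params
                                 ELSE iv_parameters ).
  CONDENSE lv_params.
  SPLIT lv_params AT space INTO TABLE DATA(lt_tokens).

* Command separators and redirections never belong in these parameters
  IF lv_params CA ';|&`$<>'.
    RAISE EXCEPTION TYPE /dvd/cx_appd_auth_check
      EXPORTING
        textid = /dvd/cx_appd_auth_check=>auth_check_failed.
  ENDIF.

  CASE iv_programname.
    WHEN 'sh'.
*     Exactly two tokens: the known script path and one expected action
      IF lines( lt_tokens ) = 2.
        IF lt_tokens[ 1 ] = lc_sdk_script
           AND ( lt_tokens[ 2 ] = 'start'
              OR lt_tokens[ 2 ] = 'stop'
              OR lt_tokens[ 2 ] = 'status' ).
          RETURN.
        ENDIF.
      ENDIF.

    WHEN 'chmod' OR 'mkdir'.
*     Every absolute path argument must start with the SDK directory
*     (case-sensitive via find) and must not contain '..'; at least one
*     path argument is required. Mode bits such as 755 pass untouched.
      DATA(lv_paths) = 0.
      DATA(lv_ok)    = abap_true.
      LOOP AT lt_tokens INTO DATA(lv_token).
        IF lv_token CP '/*'.
          lv_paths = lv_paths + 1.
          IF find( val = lv_token sub = lc_sdk_dir ) <> 0 OR lv_token CS '..'.
            lv_ok = abap_false.
          ENDIF.
        ENDIF.
      ENDLOOP.
      IF lv_ok = abap_true AND lv_paths > 0.
        RETURN.
      ENDIF.

    WHEN OTHERS.
*     Any other command is refused below
  ENDCASE.

* Auth check failed
  RAISE EXCEPTION TYPE /dvd/cx_appd_auth_check
    EXPORTING
      textid = /dvd/cx_appd_auth_check=>auth_check_failed.
ENDMETHOD.
```

The two path constants must match the HTTP SDK installation location. Unlike CP and CS, the find( ) comparison is case-sensitive, which is what a case-sensitive file system needs. A failed check surfaces to the ABAP Agent as /DVD/CX_APPD_AUTH_CHECK, the same exception the page's example raises.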

Example code for specific action handling

METHOD /dvd/appd_if_badi_gen_check~action_check.

*  Importing parameters:
*    IV_ACTION  TYPE CLIKE
*    IV_OBJECT  TYPE CLIKE
*  Exception objects:
*    /DVD/CX_APPD_AUTH_CHECK

* Option to check users
* - functionality guarded by this check is intended for admin users.
  IF sy-uname <> 'ADMIN_USER'. "This is an example user name
    RAISE EXCEPTION TYPE /dvd/cx_appd_auth_check
      EXPORTING
        textid = /dvd/cx_appd_auth_check=>auth_check_failed.
  ENDIF.

* Check based on action
  CASE iv_action.
*   Inserting / removing custom RFC exit-call snippets to program <IV_OBJECT>
    WHEN 'INSTRUMENT_PROGRAM'
      OR 'UNINSTRUMENT_PROGRAM'.

*     Option to restrict this functionality to certain namespaces
      IF iv_object CP 'ZIWFND_*'. "This is an example namespace prefix pattern
        RETURN.
      ENDIF.

*   Read content of directory <IV_OBJECT>
    WHEN 'LIST_FILES'.

*     Option to restrict access to certain directories
      IF    iv_object CS 'appdhttpsdk'. "Example directory name
*        OR iv_object = 'logs' ...
        RETURN.
      ENDIF.

*   Write to file <IV_OBJECT>
    WHEN 'WRITE_FILE'.

*     Option to restrict write access to certain files
      IF iv_object CP '/opt/appdynamics/appdhttpsdk*'. "Example file location
        RETURN.
      ENDIF.

*   Read file <IV_OBJECT>
    WHEN 'READ_FILE'.

*     Option to restrict read access to certain files
      IF iv_object CP '/opt/appdynamics/appdhttpsdk*'. "Example file location
        RETURN.
      ENDIF.

*   Create directory <IV_OBJECT>
    WHEN 'DIR_CREATE'.

*     Option to restrict directory creation
      IF      iv_object CP '/opt/appdynamics/appdhttpsdk*'. "Example file location
*         AND ( iv_object CS 'logs' OR iv_object CS ... )   "specific allowed directory names
        RETURN.
      ENDIF.

*   Unsupported action
*   WHEN OTHERS.

  ENDCASE.

* Auth check failed
  RAISE EXCEPTION TYPE /dvd/cx_appd_auth_check
    EXPORTING
      textid = /dvd/cx_appd_auth_check=>auth_check_failed.

ENDMETHOD.

Troubleshooting

  • User has no permission to perform action “X” even though they have the /DVD/APPD_ADMIN role
    • Make sure that role /DVD/APPD_ADMIN has a generated profile:
      1. Go to transaction PFCG.
      2. Enter role /DVD/APPD_ADMIN and confirm.
      3. Go to the Authorizations tab.
      4. Click Display Authorization Data.
      5. In the top menu, click Generate.