Users and authorizations required by the SAP agent
To safeguard against unauthorized access to the SAP system, you can assign authorizations to a user who logs in to the SAP system. These authorizations define the access levels for a user in the SAP system.
After you import the ABAP transport, the SAP agent creates the default user ID as IBMMON_AGENT in
the SAP system with the default password as ITMMYSAP. This user is a system user and the
/IBMMON/AUTH authorization profile is associated with the user. The /IBMMON/AUTH profile and the
IBMMON_AGENT user are created after ABAP transport is imported. With the /IBMMON/AUTH profile, the
IBMMON_AGENT user can access transactions that are required to read performance data from the SAP
system. Some examples of transactions that are used are as follows:
- CCMS alerts and administration
- Authorization for PI/XI message monitoring
- Solution Manager authorizations
You can create any other system type user for the agent. The user must be assigned the /IBMMON/AUTH profile.
To view and access data of SAP components, ensure that the user that is created for the agent has
all the authorizations that are specified in the following table:
| Components | Authorization objects | Authorization description |
|---|---|---|
General system authorizations that include the following components:
|
S_ADMI_FCD | To access the SAP system |
| S_BDS_DS -BC-SRV-KPR-BDS | To access the document set | |
| S_BTCH_JOB | To run operations on the background jobs | |
| S_CCM_RECV | To transfer the central system repository data | |
| S_C_FUNCT | To make C kernel function calls in the ABAP programs | |
| S_DATASET | To access files | |
| S_RFC | To check RFC access. The S_RFC authorization object contains the following
two sub-authorizations:
|
|
| S_RFCACL | To check authorization for RFC users | |
| S_RZL_ADM | To access Computing Center Management System (CCMS) for R/3 System administration | |
| S_TCODE | To check authorizations for starting the transactions that are defined for an application | |
| S_TOOLS_EX | To display external statistics records in monitoring tools | |
| Authorizations for PI that include the SAP Process Integration | S_XMB_MONI | To access XI message monitoring |
| Authorizations for MAI that include the SAP Solution Manager | AI_DIAGE2E | To restrict E2E Diagnostics functions |
| AI_LMDB_OB | To access Landscape Management Database (LMDB) objects | |
| SM_MOAL_TC | To control the access to the alerting and monitoring functionality in SAP Solution Manager | |
| SM_WC_VIEW | To restrict access to specific UI elements in work centers of the Solution Manager | |
| S_RFC_ADM | To control rights for administering RFC destinations | |
| S_RS_AUTH | To specify analysis authorizations within a role | |
| SM_APPTYPE | To access Solution Manager app type | |
| SM_APP_ID | To access applications provided in work centers |