ABAP Trace and Authorizations in examples
Traces explanation in detailed scenarios.
Setup/Story so far:
Let's say Mr. Charles Dexter Ward (fictional) has username CDWARD in SAP system PP1 (ECC Production). SAP system is monitored with ABAP Agent, using OOTB configuration with the following Match rules:
· SAP GUI transactions matched to BT on the SAP Components level
· HTTP match rule
Scenario #1: SAP GUI transaction (No Traces are collected)
0. Mr. Ward logs on as CDWARD to PP1 using SAP GUI
1. Mr. Ward goes to Transaction VA01 to create new Sales Order
2. Mr. Ward creates a new Sales order
Now, since ABAP Agent is not instrumenting SAP GUI transactions, the above activities are being monitored in an asynchronous mode by a regular background job (can be found in SM37 under the name APPD_STAD_COL) that checks Workload statistics (STAD) and reconstructs this information as a Business Transaction with response times and other statistical information. This info is then sent to AppDynamics Controller and is visible there as a Business transaction "SD-SLS - Sales". This scenario does not have any needs for any additional authorizations for user CDWARD whatsoever. If SQL trace is active for any SAP GUI transaction, it will be collected by regular background job APPD_STAD_COL. ABAP trace is currently not supported for SAP GUI transactions.
Scenario #2: ABAP Agent Instrumentation – HTTP, WebDynpro, BSP…
Mr. Ward logs on to WebDynpro on PP1 via a web browser using user CDWARD
Mr. Ward works with WebDynpro Application that directly interacts with data from ECC system PP1 via calls to HTTP server of PP1
a) HTTP server instrumentation captures the request, asks Controller if a snapshot should be taken [Instrumentation]
b) PP1 processes the request and fetches the requested data
c) HTTP server instrumentation calculates the request-response time and attaches additional info. [Instrumentation]
PP1 HTTP server answers with data
Mr. Ward sees and works with the data in the WebDynpro frontend
ABAP Agent has ABAP enhancement (instrumentation) in ERP's HTTP server, which means there is a piece of injected code that reports statistical info to the Controller in real-time in the beginning and at the end of HTTP request processing (bullet points 1.a and 1.c). This happens within the same session and under the same SAP user as the actual Mr. Ward's Business transaction happens (user CDWARD). This means the injected monitoring code has the same authorizations as Mr. Ward's user CDWARD on ERP.
Now if the snapshotting was ON (decided by the Controller), in 1.a, instrumentation code tries to turn ON the Traces. Snapshotting must be ON from the start of the instrumentation point 1.a (full snapshot); when snapshotting is turned ON after the instrumentation starting point 1.a (partial snapshot) or is not turned ON at all, SQL and ABAP traces will not be started at all due to technical limitations of the SAP/ABAP environment. Again, this happens under user CDWARD so if this user is not authorized to turn on the Traces, this attempt fails. Otherwise, if successful, the Business transaction reported to Controller in 1.c is able to produce Top ABAP Statements and Top SQL statements that are visible in Controller. Needless to say that in the step 1.c, instrumentation code tries to turn the traces OFF and read the results. This is where the need for Trace access is coming from.
A sequence diagram for scenario #2:
Important parts:
- HTTP BTs (including HTTP resources, BSP, WebDynpro, Web Services, OData) are tracked and recorded in real-time
- BT is recorded under an SAP user that is requesting the HTTP resources (i.e., CDWARD from the example scenarios)
- ABAP and SQL trace is started and collected
- Under SAP system version 740 or newer
- Only for HTTP BTs (HTTP, BPS, OData, WebDynpro, Web Services, etc.)
- Only when BT starts with snapshotting turned ON (full snapshot)
- Only when the user (i.e., CDWARD from the example scenarios) has the appropriate authorizations included in authorization role /DVD/APPD_USER