(DI-2211) Users and Authorization roles

Owned by DVD ROBOT
Nov 08, 2022
2 min read

CrystalBridge® Monitoring provides some predefined authorization roles which have to be assigned to relevant users based on their responsibility and activities. More detailed overview of all authorizations included in default authorization roles can be found on the page Overview of authorizations contained in default authorization roles.

In this section:

Custom authorization roles

If some of the predefined authorizations cannot be assigned to the user(s) due to the company’s security or compliance rules, you have the possibility to create your own custom authorization role in your system in transaction PFCG. When creating a new custom authorization role, it is always recommended to create a copy of the default authorization role and then remove the restricted authorizations from copied authorization role to don't miss any other required authorizations.

Please be aware that if custom authorization roles are created and some of the predefined authorizations from default roles were removed, it could have an impact on the existing functionality (e.g., some parts might be not working as expected due to the missing authorizations).

Administration user role

The technical name of this authorization role is /DVD/MON_ADMIN. This authorization role should be assigned to the administration user after installation or to the system user used for the execution of CrystalBridge® Monitoring collector jobs. This role gives users the possibility to:

  • Add/Remove systems in CrystalBridge® Monitoring

  • Start/Stop the monitoring

  • Maintain the CrystalBridge® Monitoring customizing (creation of custom KPIs, Monitoring profiles, etc.)

Viewer role

The technical name of this authorization role is /DVD/MON_VIEWER. This authorization role should be assigned to the users who are not allowed to change the CrystalBridge® Monitoring settings but only view the collected data.

Remote user role

The technical name of this authorization role is /DVD/MON_SATELLITE. This authorization role should be assigned to the system user on the remote system and this system user needs to be set in a defined RFC Destination. It defines all authorizations needed for RFC communication between central and satellite systems.

Information for S/4 HANA remote systems

Authorization role /DVD/MON_SATELLITE must be regenerated manually on the remote SAP system if this remote system is an S/4 HANA system. SAP has added new checks to the standard functionality when getting a list of application servers remotely. If this role is not regenerated on the S/4 HANA system manually, you might experience authorization issues while detecting the list of application servers from the central SAP system during monitoring.