(DI-2308) Function "TH_SERVER_LIST" failed due the missing authorizations
This function mainly fails if the RFC user set in the configured ABAP connection is missing the required authorization (object “S_TCODE” and transaction code “SM51”) to call function “TH_SERVER_LIST” on the remote S/4 HANA system. Typical scenario is when user adds a new SAP system in the CrystalBridge Monitoring and the standard function “TH_SERVER_LIST” is executed on the remote system to retrieve the list of its available servers. If the RFC user is missing the required authorization, the call of this function fails and the following message is raised in CrystalBridge Monitoring:
Executed FM ‘TH_SERVER_LIST’ on RFC ‘<RFC_NAME>’ failed with error (RC=<RC>) Missing authorization S_TCODE for t-code ‘SM51’.
On the S/4 HANA system, there was added a new authorization check for object “S_TCODE” and transaction code “SM51” to be able to execute the standard SAP function “TH_SERVER_LIST”.
Default authorization roles (Administration and Remote user role) already contain this authorization and the RFC user must have one of these two authorization roles assigned. More details about these roles can be found on the page Users and Authorization roles.
Troubleshooting steps
This chapter provides an overview of steps that can be executed by end users to check if all requirements were met before next processing.
1. Check the SAP system information
At first, check which SAP_BASIS version is installed on the SAP system and if this system fulfills the SAP System prerequisites. If it is supported, additionally check if the remote SAP system is S/4 HANA system as the mentioned issue here is related only for S/4 HANA systems.
If the affected system is not S/4 HANA system, please raise an incident to the product support with the following information:
SAP_BASIS version and all SAP components installed on the affected SAP system
Which version of CrystalBridge Monitoring is installed on the central and remote SAP system(s)
List of authorizations assigned for the RFC user on the remote system
All available details about the function failure (system logs, runtime errors, etc.)
2. Check the configured ABAP connection
Go to the transaction SM59 and find the configured ABAP connection used for the remote SAP system. Check if the RFC user defined in this ABAP connection is valid (for example, if exists on the system or is not locked).
3. Check the authorizations of the RFC user defined in the ABAP connection
The quickies way how to detect the missing authorization for the RFC user is to execute the transaction SU53 and check the missing authorizations for the RFC user on the remote system.
By default, transaction SU53 displays the missing authorizations for the current dialog user who executed this transaction, so you need to display the missing authorizations by specifying the name of the RFC user.
If no relevant information found in transaction SU53, you can additionally check the user authorizations by following these steps:
Check if the RFC user has Administration or Remote user role assigned as previously mentioned
If required role is not assigned (neither any copied custom role), check manually if the user has an authorization for object “S_TCODE” and transaction code “SM51”
If user does not have the required authorization, assign required authorization role to this user or add authorization for this object manually
Check if assigned authorization roles containing the required object and transaction code (either default or custom role) is generated on the remote SAP system
If the authorization profile of the assigned role is not generated, this user does not have any authorizations included in this role
As this authorization profile must be generated, request your basis team to generate this profile to assign all authorizations to the RFC user
If all previous steps were resolved as expected, the RFC user has all authorization now to be able to call function “TH_SERVER_LIST” on the remote SAP system without any authorization issues.