(DI-2311) Function "TH_SERVER_LIST" failed due the missing authorizations
- SNP
This function mainly fails if the RFC user defined in the configured ABAP connection is missing the required authorization (object S_TCODE and transaction SM51) to call the function TH_SERVER_LIST on the remote S/4 HANA system. A typical scenario is when you add a new SAP system in CrystalBridge Monitoring and the standard function TH_SERVER_LIST is executed on the remote system to retrieve the list of its available servers. If the RFC user is missing the required authorization, the call of this function fails, and the following message is raised in CrystalBridge Monitoring:
Executed FM ‘TH_SERVER_LIST’ on RFC ‘<RFC_NAME>’ failed with error (RC=<RC>) Missing authorization S_TCODE for t-code ‘SM51’.
On the S/4 HANA system, there was added a new authorization check for object “S_TCODE” and transaction code “SM51” to be able to execute the standard SAP function “TH_SERVER_LIST”.
Default authorization roles (Administration and Remote user role) already contain this authorization and the RFC user must have one of these two authorization roles assigned. More details about these roles can be found on the page Users and Authorization roles.
Troubleshooting steps
This chapter provides an overview of steps that can be executed by end users to check if all requirements were met before next processing.
1. Check the SAP system information
First, check which SAP_BASIS version is installed on the SAP system and if this system fulfills the SAP System prerequisites. If it is supported, additionally check if the remote SAP system is an S/4 HANA system as the mentioned issue here is related only to S/4 HANA systems.
If the affected system is not S/4 HANA system, please raise an incident to the product support with the following information:
SAP_BASIS version and all SAP components installed on the affected SAP system
Which version of CrystalBridge Monitoring is installed on the central and remote SAP system(s)
List of authorizations assigned for the RFC user on the remote system
All available details about the function failure (system logs, runtime errors, etc.)
2. Check the configured ABAP connection
Go to the transaction SM59 and find the configured ABAP connection used for the remote SAP system. Check if the RFC user defined in this ABAP connection is valid (for example, if exists on the system or is not locked).
3. Check the authorizations of the RFC user defined in the ABAP connection
The quickest way to detect the missing authorization for the RFC user is to execute the transaction SU53 and check the missing authorizations for the RFC user on the remote system.
By default, transaction SU53 displays the missing authorizations for the current dialog user who executed this transaction, so you need to display the missing authorizations by specifying the name of the RFC user.
If no relevant information is found in transaction SU53, you can additionally check the user authorizations by following these steps:
Check if the RFC user has an Administration or Remote user role assigned as previously mentioned
If the required role is not assigned (neither is any copied custom role), check manually if the user has authorization for object “S_TCODE” and transaction code “SM51”
If the user does not have the required authorization, assign the required authorization role to this user or add authorization for this object manually
Check if assigned authorization roles containing the required object and transaction code (either default or custom role) are generated on the remote SAP system
If the authorization profile of the assigned role is not generated, this user does not have any authorizations included in this role
As this authorization profile must be generated, request your basis team to generate this profile to assign all authorizations to the RFC user
If all previous steps were resolved as expected, the RFC user has all authorization now to be able to call the function “TH_SERVER_LIST” on the remote SAP system without any authorization issues.