SAP System - Custom Checks

In order to find the appropriate values for this field, log into your SAP System and proceed to transaction RZ20.

If this flag is set the Avantra Agent automatically confirms the CCMS Alerts corresponding to the Monitoring Tree Element and imports them into Avantra where they can be viewed using Avantra WebUI.

Choose the check status Avantra is to display in case the SAP status is either unknown or invalid.

Define the name of the Monitoring Set containing the Monitor you want to integrate into Avantra.

Define the name of the Monitor in Monitor Name. Avantra includes all MTE objects attributes (i.e. the leaves of the CCMS monitor tree) of the given monitor.

If this flag is set the Avantra Agent automatically confirms the CCMS Alerts corresponding to the Monitoring Tree Elements and imports them into Avantra where they can be viewed using the Avantra WebUI.

Choose the check status Avantra is to display in case the SAP status is either unknown or invalid.

Specify the file systems to be included. Wildcards * and ? are supported.

Specify the thresholds, see as well FSUsageWarn and FSUsageWarn. For Unix, you can as well define thresholds for the inodes, see FSNodeWarn and FSNodeCrit.

Specify the thresholds for monitoring the inodes on Unix, see as well FSNodeWarn and FSNodeCrit.

Define the absolute path name of the file monitored in this field. File name substitution is provided in case wildcard characters (like * or ?) are used.

Define a Critical threshold.

Define the absolute path name of the file monitored in this field. File name substitution is provided in case wildcard characters (like * or ?) are used.

Define the check status to be returned if the file exists.

Define the check status to be returned if the file does not exist.

Define the absolute path name of the file monitored in this field. File name substitution is provided in case wildcard characters (like * or ?) are used.

Define the Warning threshold.

Define a Critical threshold.

Performs an HTTP HEAD request, i.e. only the header of the response will be retrieved.

Performs an HTTP GET request. Basic Authentication is supported as well

Performs an HTTP POST request. HTML Form data can be provided URL-encoded

The URL of the site you want to verify.

Set this flag if you want to interpret JavaScript eventually returned with the response.

If you need to define a proxy server in order to access the site defined in the URL field you may fill in this value.

By default, the Avantra Agent uses the string agent/[version] in order to identify as a user agent. Some web servers may restrict access to certain browsers, like the Microsoft Internet Explorer or Mozilla Firefox, or they behave differently using one of these browsers.

Choose HEAD or GET or POST.

In case you have chosen GET in the Method field you may fill in a user name and a password in this field if Basic Authentication is required by the requested URL.

In case you have chosen POST in the Method field, you have to fill in the form data in URL-encoded format.

You may define a value for the connection timeout. The default is 10 seconds. Please note: This is a timeout for the sub-process spawned to perform the connection attempt. The timeout for the HTTP request itself will always be 80% of the defined value.

If filled with a value > 1, all consecutive failed connection attempts will return a Warning check status until the threshold is exceeded. The Check turns to Critical afterwards.

You can filter the response for one or multiple strings by filling in data in this field.

If there is a value defined in the Content must contain string and the string is not found in the response, this check status is returned.

If there is a value defined in the Content must contain string and the string is found in the response, this check status is returned.

Fill in a Warning threshold for the response time.

Fill in a Critical threshold for the response time.

Fill in a Warning threshold if the check shall verify SSL certificate expiry time.

Fill in a Critical threshold if the check shall verify SSL certificate expiry time.

Select the check status to return in case an SSL certificate is invalid.

The JavaScript program providing the check data retrieval and evaluation logic. See section API Documentation.

If this option is enabled, the time to run the script is appended to the check result text. This might be useful to check if the performance of a script is good.

Starting with Avantra Version 21.11, you can run tests for newly created RUN_JS checks on the selected Agent directly from the Avantra WebUI. This feature does not require saving or activating the check, i.e. it can be tested before affecting the execution of the check on other systems.

The type of a Log Adapter.

Select your desired Log Adapter. As soon as you have selected a Log Adapter, the available Macros are loaded and the Expression Editors in various fields are initialized.

If you have selected File Adapter in Log Adapter Type you have to fill in this value, which indicates the path and file name of the target log files.

See Log File Path Pattern.

This setting defines which entries of the log files are to be processed. Log entries written since last check cycle processes all log entries that have been added after the last read of the file. Log entries written in last x minutes reads all entries that have been added during the past Log Entry Timespan minutes.

Fill in the period of time the {avantra-agent} should look back while processing the log file if Log entries written in last x minutes is selected in _Log Adapter Processing>.

Define a conditional expression that indicates log entries considered as Warning.

Define a conditional expression that indicates log entries considered as Critical.

In the Warning Trigger section, this value defines how many entries must be matched to the condition before the check status will be set as Warning. I.e. if there are only 2 entries matching and this value is set to 3, then the check status will be OK. If there are 3 or more entries matching, then the check status will be set as Warning.

Define a conditional expression that indicates log entries that resolve issues found using Warning Condition or Critical Condition.

You can specify the format of the check message shown in RealTime Monitoring or used in Notifications.

Define the display of a matched log entry in the check message. You may enter arbitrary text tokens in the field, and you may use all Macros available for the selected Log Adapter (using the icon) to build a meaningful description text.

Fill in the host name or the IP address of the remote host.

Define a Warning threshold for packet loss.

Define a Critical threshold for packet loss.

Define a Warning threshold for the average round-trip time.

Define a Critical threshold for the average round-trip time.

Define a time out for the Check. The check status will be Critical if the time out is exceeded.

Define the number of ICMP packets to send per Check

Define the size of ICMP echo request packets

The type of system configuration to be verified, either Profile Parameter for parameters found in an SAP instance profile, or Java Service Property for parameters of Services and Managers found in the section Java System Properties of the SAP NetWeaver Administrator.

The name of the profile parameter, you want to verify the value of. Examples in the security area of an ABAP instance are login/no_automatic_user_sapstar or in the compliance area rec/client.

The operator used to compare the actual value against the given value. You can choose from a variety of text and numerical operators, a between operator, and regular expressions. If you use numerical operators, the given value and the actual value will be checked if they look like a number. A wide range of numerical notations is supported, integers, floating point, scientific. The between operator will evaluate to true, when the actual value is inclusively between the two given values.

The given value of the profile parameter, i.e. the value the monitoring parameter should have. This value will be compared against the actual value. The actual value is retrieved by RFC using a kernel function, so no matter if it is defined in the default or instance profile, the actual effective value will be used.

Free text field to add a custom reference which will appear in the check output. This might be useful in Service Level Reports to document a certain paragraph or the like.

Select the status, in case the parameter actual value does not match the given value, either Warning or Critical.

Select the status, in case the parameter actual value does not exist, either Ok, Warning or Critical.

Select the status, in case the parameter actual value is the null value, either Ok, Warning, or Critical.

Enter the name of the process you want to monitor.

If the number of running processes falls below this threshold, a Critical check status is returned.

If the number of running processes falls below this value, but does not exceed the value defined in Critical alert if number of processes is lower than, a Warning check status is returned.

If the number of running processes exceeds this threshold, but is still below the value defined in Critical alert if number of processes is higher than, a Warning check status is returned.

If the number of running processes exceeds this threshold, a Critical check status is returned. If the field is left blank, no Critical Check Results will be returned.

Define the full command line call to be executed by the Avantra Agent. It is recommended to use absolute path names whenever possible.

/bin/sh "%%PROG_DIR%%/proggy.sh" -param 1 -param 2

"C:\Program Files\system32\cmd.exe" "%%PROG_DIR%%\proggy.cmd" /param 1 /param 2

Define a working directory of the executed script or program.

Define environment variables for the executed script or program. Please note that multiple entries must be separated by commas or semicolons. The format is name ‘=' value { (';' | ',’) name '=’ value}

Define a timeout for the executed script or program.

Use this field to define the exit code of your program that shall indicate an Unknown check status.

If you want the {custom-check} to collect performance data (which must be written to console output by the program), check _Select Performance Resource Type and choose a previously defined custom performance resource type from the list. See Configuring Custom Performance Data Resource Types on how to define custom performance resource types.

Determine whether to return the check status as Ok, Warning, Critical, Unknown if the timeout specified in the Time out setting is exceeded.

Check the box to not display the command line in the check result.

Use the Upload Program button in order to select a script or program to deploy.

Read-only field containing the name of the script or program once it is deployed. The name is displayed as a link that allows you to download the script or program.

Read-only field containing the MD5http://en.wikipedia.org/wiki/Checksum[checksum] of the script or program once it is deployed. This value is used to detect whether the file copied to the target System's filesystem has not been modified.

Read-only field containing the date the script or program was uploaded.

You may define where the script/program is supposed to reside in the target System's filesystem by filling in the appropriate directory.

If you set this flag, the Avantra Agent will take care to remove the script/program once the Custom Check is deleted. The Program Directory is also removed if it is empty.

If you enter a value, the Custom Check will record the Service Availability for use in e.g. Service Level Reports.

If Service Availability is recorded, a Warning check status is usually considered Down. Set this flag if you want the Warning check status to be considered Up instead.

Read-only application log entries from the clients defined here. Multiple clients are supported. If you leave it empty, the client defined for the SAP RFC user will be used.

Read-only log entries written within the last configured minutes.

Read-only logs from this object. Wildcard * is allowed. Use a comma to separate multiple values.

Read-only logs from this subobject. Wildcard * is allowed. Use a comma to separate multiple values.

Read-only logs from this External ID. Wildcard * is allowed. Use a comma to separate multiple values.

Read-only logs from this User. Wildcard * is allowed. Use a comma to separate multiple values.

Read-only logs from this Transaction Code. Wildcard * is allowed. Use a comma to separate multiple values.

Read-only logs from this Program. Wildcard * is allowed. Use a comma to separate multiple values.

Define the log class to which the log entry must belong.

Define the log creation process type to filter log entries from. You may filter by multiple process types.

Define the log message filter to filter log entries from. You may filter by multiple message filters.

The check becomes a WARNING if your SAP application log selection criteria select more log entries than the defined threshold.

The check becomes CRITICAL if your SAP application log selection criteria select more log entries than the defined threshold.

Check this box if you want to include all application log messages in the check result. If this box is not checked, only the first message is included in the check result. This option has no effect on log entry selection. It is only used to display more detailed information in the check result.

If this field is left empty, the client specified for SAP RFC is used

Limit the examined chains to the ones started within the last specified minutes

Define the Warning threshold value in minutes for the process chain run time. The default value is 120 min.

Define the Critical threshold value in minutes for the process chain run time. The default value is 240 min.

Select the status for cancelled chains from the drop-down menu: OK, WARNING, CRITICAL, UNKNOWN

Tick the check box to recalculate the chain status at each execution

Select options for the Process Chain ID, i.e., I EQ 0TCT_C0_FULL_P01 for equals, 0TCT_C0_FULL_P01 or E CP 0TCT_AVANTRA* for excluding any chain ID based on 0TCT_AVANTRA*

Select options for the Variant Chain ID, i.e., I EQ VARIANT1 for equals, VARIANT1 or E CP AVANTRA* for excluding any variant based on AVANTRA*

Define an upload target (e.g. an InfoCube or ODS). Wildcard * is supported.

Define a Warning threshold for the upload time.

Define a Critical threshold for the upload time.

Defines a comma or space-separated list of clients the given rule shall be checked on. You may use wilcard * to define multiple clients, i.e. 1* to define all 1xx clients. Use * to apply a rule to all clients found.

Optionally exclude clients (separated by commas) from include rule before. For example, you may want to apply a rule to all clients using * but want to exclude client 000 and 066.

Define the rule you want to check on the set of clients defined using the Clients field.

Define the arguments, i.e. the given value of this rule. The list or field depends on the argument Rule defined before. For example, if you choose Changes and transports must be as a rule, select one of the following arguments as given value:

Add an optional Tag that appears in the check output. This might be useful in Service Level Reports to document a certain paragraph or the like.

Define the status if the rule is violated, either Warning or Critical. The overall Check status will be the worst of all rules.

Defines selection criteria to query for Idocs. All criteria are used with an AND clause, i.e. an Idoc must match all criteria specified to be found.

Defines a comma or space-separated list of clients to be used as selection criteria. You may use wildcard * to define multiple clients, i.e. 1* to define all 1xx clients. Leave the field blank to select from all clients.

Specify one or many status numbers of the Idoc to be used as selection criteria. Use comma-separated list to define multiple values. It is also possible to select ranges, e.g. 03-10. Use ! to exclude a status, and please make sure to always use a leading 0 for the status.

Define the time and date specifications of the Idocs to be selected. You can choose amongst creation time, last modification time, max age, etc. Field IDOC max age in days is a required field and initialized to one day.

Define the Idoc’s message type, variant, or function. Each field supports comma-separated list to define multiple values. Wildcard * is supported as well.

Define the Idoc’s direction, which is either Inbox or Outbox. The setting affects which fields to use for further selection, i.e. the setting defines if either Receiver or Sender specs needs to be used.

Define the Idoc’s following criteria for either Receiver or Sender: Port, Number, Type, or, Partner Function. Each field supports comma-separated list to define multiple values. Wildcard * is supported as well.

Define the maximum number of Idoc’s to retrieve. It is recommended to use this setting. Default: 500.

Fill in the number of Idocs for the Critical and Warning thresholds. Obviously, the Critical should be above the Warning value. You can leave one of each blank, then the check result will either be only Critical or Warning.

Include the message status text with the check result.

Include the list of field names from the IDoc that will be added to the check result

Fill in the name of the job. The wildcard * is supported in order to monitor multiple jobs using the same Custom Check definition. Each SAP job matching the pattern given as job name is considered on its own and reported as a sub check within the given check.

Specify the client of the job as either a deny or allow list. If you use a denylist, jobs must not run in the given list of clients, otherwise, they will not be selected. If you use an allowlist, jobs must run in the given list of clients. The list of clients can be separated by spaces, commas, or semicolons, and a client must be a three-digit number. When selecting jobs, the client is determined from SAP jobs overview table field TBTCO.AUTHCKMAN.

Per default, SAP_JOB Custom Check searches globally for jobs in all clients (or allowlisted or denylisted if this option is used) and sorts them by date/time to check the most recent. You can change this behavior by enabling Check in each client. SAP_JOB Custom Check will then group all job query results by client and run the same checks for each client separately. You may, for instance, want to check, if a job with the same name finished successfully in several clients, etc. Before this option appeared, you would need to create several SAP_JOB Custom Check for each client. Now using Check in each client this can now be done in one Custom Check.

Specify the user of the job as either a deny or allow list. If you use a denylist, jobs must not be scheduled by users in the provided list, otherwise, they will not be selected. If you use a whitelist, jobs must be scheduled by one of the users on the list. The list of users can be separated by spaces, commas, or semicolons. If you want to use one of these characters in the user name, you must escape it with a backslash (\). Please note that the custom check will select the field TBTCO.SDLUNAME of SAP jobs overview table TBTCO and thus query the user who scheduled the job.

Set this time to select only jobs which are started after this time. Set a time between 00:00 and 23:59.

Set this time to select only jobs which are started before this time. Set a time between 00:00 and 23:59.

This checkbox is only relevant if Select Jobs started after and Select Jobs started before are set. If both are set, the check is by default not executed when the current agent time is in the selection interval! If you want to execute the check also when the current agent time is in the selection window, then mark this checkbox.

Choose a check status to return in case the watched Job is cancelled.

By default, a canceled job will no longer be reported, if a more recent and successfully finished job with the same name has been found. You can change this behavior by enabling this option.

Choose a check status to return in case the watched Job is not found as a released job. If you do not want to have this feature enabled, you simply leave the field blank, which is the default.

WARNING - Multiple jobs with different names found for target name <yourjob*>: <list>
Please turn 'Status If Job Not Found' option off or do not use wildcards for job name.

You may define a time span after which the check status is set back to Ok in this field.

You may define Warning and/or Critical thresholds for the number of simultaneously running Jobs with the same name.

You may define Warning and/or Critical thresholds for the delay of Job start.

You may define Warning and/or Critical thresholds for the maximum Job run time.

You may define Warning and/or Critical thresholds for the minimum Job run time.

You may define Warning and/or Critical thresholds for the maximum elapsed time since the last start of the Job.

Check this flag if you want to display the jobs finished properly in the check message.

Define a filter expression for the party attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma-separated list of patterns to match multiple channels.

Define a filter expression for the service attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma-separated list of patterns to match multiple channels.

Define a filter expression for the channel name attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma-separated list of patterns to match multiple channels.

Define a filter expression for the message attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma-separated list of patterns to match multiple channels.

Define a filter expression for the activation state attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma-separated list of patterns to match multiple channels.

Define a filter expression for the channel state attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma-separated list of patterns to match multiple channels.

Define one or a set of qRFC queues which are to be monitored. Multiple queues can be entered separated by comma (,). You can use spaces before or after a separating comma since they are ignored. In case your queue name contains a comma, you need to escape it with \. Wildcard * is supported.

Define one or a set of qRFC queues which are to be excluded from the include set above. For multiple queues, the same applies as for Include Queue Names. In the upper example, all queues MYQUEUE2* are included. Using MYQUEUE2EX1, MYQUEUE2EX2, you can exclude two queues from the set.

Limit upper defined queue names to a list of specified clients. Leave this field blank to get qRFC queues from all clients. Multiple clients can be entered separated by a comma. You can use spaces before or after a separating comma since they are ignored. Wildcard * is supported.

Define one or a set of clients which are to be excluded from the include set above. For multiple clients, the same applies as for Include Clients. In the upper example, all queues 9* are included. Using 910, 911, you can exclude two clients from the set.

Define if all conditions provided must match a queue to be reported or if any of the conditions is enough.

Condition is matched if the status of the queue is marked as erroneous or hanging by the SAP system. Examples: CPICERR, SYSFAIL, and others.

Using this option you can exactly define which status a queue must have to match the condition. You can specify a list of status strings either separated by comma or spaces.

As before but the other way round: you might for example want to have all status reported except one which is the OK status.

Condition matches if the number of queued entries is equal to or above the given threshold.

Condition matches if the age of the oldest (i.e. the first) queued entry is equal to or above the given threshold. The format is days/hours/minutes, with the digit followed by the one-letter abbreviation of the unit, i.e. d/h/m. You use more than one unit, e.g. 1d 12h or 1h 30m.

Fill in the name of the report

Define optionally the variant of the report.

Enter the technical name of the software component you want to apply a rule for. You can define multiple entries separated by a comma. Any blank spaces before or after the comma will be ignored. Wildcard * is supported as well.

Enter the technical ID of the namespace you want to apply a rule for. You can define multiple entries separated by a comma. Any blank spaces before of after the comma will be ignored. Wildcard * is supported as well.

Optionally exclude software components or namespaces from include rule before. For example, you may want to apply the Not modifiable rule to all software components using * but want to exclude components LOCAL and HOME.

Define the rule you want to check on the set of software components/namespaces defined. Select either:

Define the Modifiable given value for this rule. As in transaction SE06, for software change options, you have the choice between 4 options. For namespaces, there are only two, modifiable or not.

Free text field to add a custom reference which will appear in the check output. This might be useful in Service Level Reports to document a certain paragraph or the like.

Define the status if the rule is violated, either Warning or Critical. The overall Check status will be the worst of all rules.

Processing status group; refer to your SAP system for the existing status group IDs.

The maximum number of messages to be selected.

Number of minutes from now to check for errors in the web service message monitor. If zero (0), this will default to 60 minutes.

Filter for including sender interface(s). The format is comma-separated without spaces, i.e., AttachmentFolderReplicationRequest_Out, Customer*

Filter for including receiver interface(s). The format is comma-separated without spaces, i.e., AttachmentFolderReplicationRequest_In, Business*

Configures warning threshold for SAP_WEB_SERVICE_MONITOR check based on the number of records returned.

Configures critical threshold for SAP_WEB_SERVICE_MONITOR check based on the number of records returned.

Specify the SAP clients where to collect workflow errors from. If empty, the client defined for the SAP RFC user is used. Multiple clients are supported.

Specify the number of days from today to check for workflow errors. If blank, then all errors are selected without date limitation.

Set the filter for SAP_WORKFLOW_ERRORS check. The format is comma-separated without spaces, i.e., TS90000017,TS90000018,TS90000017.

Configure the warning threshold for SAP_WORKFLOW_ERRORS check based on the number of records returned.

Configure the critical threshold for SAP_WORKFLOW_ERRORS check based on the number of records returned.

Number of days from today to check for event queue errors. If blank, then it defaults to 7 days.

Filter for including object type(s). The format is comma-separated without spaces, i.e., ADDRESS, BUS20* Default is all object types.

Add systems to monitor. Wildcard * is supported, use comma for multiple values

Select the work process type, e.g., BTS (Background), DIA (Dialog), SPO (Spool), etc.

Define a Warning threshold for processing time

Define a Critical threshold for processing time

Configure the percentage threshold value for used work process types (i.e., DIA, BTC, etc.) that should be returned as a Warning if the “used” percentage of the selected work process [type] goes above the specified value

Configure the percentage threshold value for used work process types (i.e., DIA, BTC, etc.) that should be returned as a Critical if the “used” percentage of the selected work process [type] goes above the specified value

The time to search back in the audit log from the point in time the check is evaluated. This time configures as well how long entries are displayed. If you set up the check for RealTime Monitoring, reasonable values would be 60 or 120 minutes. In case you may want to run it as Daily Checks, e. g. to document additionally on a daily basis, you might want to enter 1440 minutes, for one day.

Define the clients to filter the audio log records. If you specify *, all clients in the system are checked, except the ones on the exclude list.

Exclude clients from being checked. This makes sense if * is used as the client list above.

Define the users you want to check, again wildcard * might be useful to specify a certain selection. If you don’t want to filter on users, you can as well leave this field blank.

Exclude users from being checked. This makes sense if you want to check all users except those for whom it is well known that records exist.

Directly define 3 characters audit message IDs to query for. You can use wildcard * to use to specify selections for example use AU* to query for all message IDs stat start with AU. You can leave this field as well blank and filter on whole audit classes. If used together with audit classes, both selections are linked by and OR operation.

Exclude message IDs from being checked. This makes sense if a range with * is used as the message IDs and you want to exclude individual message IDs.

Filter for the selected audit classes. If you do not specify anything, this is the same as select for all. If used together with message ID selection, both criteria are linked by an OR operation.

Filter on the type of event, choose either All, Severe and Critical, or Only Critical.

Specifies the number of records that are to be found to turn the check result status to the corresponding check status. For example, if you want to check to be Critical starting from one found record, enter 1 into the Crit Count field.

SAP ABAP systems provide two transactions to configure security audit log configuration: SM19 and RSAU_CONFIG. While SM19 provides only basic selection criteria, the newer RSAU_CONFIG provides much more detailed configuration settings.

Define the clients for which you want to check the security audit log configuration. If you specify *, the security audit log configuration must be set on all clients.

Define the users for which you want to check the security audit log configuration. If you specify *, the security audit log configuration must be set for all users.

Define the event priority which must be set for the defined client(s) and users(s). Choose either All, Severe and Critical, or Only Critical.

Mark the audit class which must be selected for the defined client(s) and users(s). You cannot deselect the System Events checkbox, this is always enabled from SAP by default.

Setting the security audit log for specific message IDs can be configured in RSAU_CONFIG and only in Detail event selection. Directly define the 3 characters audit message IDs to check for. Wildcards * are supported.

Report this status if your SAP system does not have the required security audit log configuration for the defined client(s) and users(s).

Use this optional tag to show a specific message for this check in the check result. Free text field to add a custom reference which will appear in the check output. This might be useful in Service Level Reports to document a certain paragraph or the like.

Define the SQL SELECT statement to perform on the Database. Update, delete, and other queries which could modify data will not be executed for security reasons.

Define a JavaScript code snippet to provide the evaluation logic. See API Documentation below on how to use the provided API.

the status of the actual row. The values must be 2 for CRITICAL, 1 for WARNING, 0 for OK, -1 for UNKNOWN

the check message of the actual row

Define the clients the user profiles and roles are to be checked. If you specify *, all clients in the system are checked, except the ones on the exclude list.

Exclude clients from being checked. This makes sense if * is used as the client list above.

Define the users you want to check. If you want to check all users, you can simply leave this field blank or enter *.

Exclude users from being checked. This makes sense if all users are to be checked * is used in the user list above. For example, you might want to exclude certain system users, like SAP* or DDIC.

The check will search for users which have all profiles and all roles listed assigned. In the real world, it makes sense to check for profiles and roles separately, for example, to run a check which checks for SAP_ALL and SAP_NEW profiles.

The check will search for users which have any of the profiles or roles listed assigned. This would be the right choice to check for users which have SAP_ALL or SAP_NEW profiles assigned.

List of profiles to search for separated by ,. Trailing or leading spaces are ignored.

List of roles to search for separated by ,. Trailing or leading spaces are ignored.

Select the severity of the check result if users are found. Possibly only Critical and Warning make sense here.

Define the display name or the technical service name in this field. You can find the technical Service Name in the field Service Name of the General tab in the Properties of the respective service.

Select the check status in case the service is running.

Select the check status in case the service exists but is not running.

Select the check status in case the service does not exist.

Define the clients the user authorizations are to be checked. If you specify *, all clients in the system are checked, except the ones on the exclude list.

Exclude clients from being checked. This makes sense if * is used as the client list above.

Define the users you want to check, again wildcard * might be useful to check all users.

Exclude users from being checked. This makes sense if * is used in the user list above. For example, you might want to exclude certain system users, like SAP* or DDIC.

The check will search for users which match all of the authorization objects specifications listed below.

The check will search for users which at least one of the authorization objects specifications listed below. This is especially useful to check that important authorizations are not given to any user, except some users.

This specific condition is intended for segregation scenarios. If a user matches the first row, all the following rows starting from 2 to n are checked, and if a least one of 2-n matches, the whole condition is true.

Choose a check status, mostly Critical or Warning cause usually you would search for unwanted authorizations.

This is the authorization object to be checked. For example, to check for permission to maintain users, you would enter S_USER_GRP. See the corresponding SAP transaction.

This corresponds to the authorization object. In the case of the example with S_USER_GRP the field would be ACTVT, i. e. an authorizations activity.

The value of the corresponding field to check. In the case of activities ACTVT, these are numbers, but it could as well be transaction codes, i. e. text strings. Multiple values are separated by spaces or commas.

Either Select users having all listed values, or Select users having at least one of the listed values. This way you could for example, select for forbidden activities of a certain authorization object in one line.