SAP System - Custom Checks
Here you will find detailed information about Custom Checks for SAP System monitored objects.
Custom checks are chosen, adapted and deployed by you for one or more monitored objects and they are designed to allow quick and easy fulfilling of business monitoring requirements. Avantra custom checks are a mix of no-code, low-code and pro-code extensions to the Avantra AIOps platform. Each monitored object type has a number of custom check capabilities.
All custom checks within Avantra have a number of standard or common attributes. For more information please review our page on Custom Checks. |
Starting from Avantra 20.2.0, no enhancements have been made to the checks for SAP Releases lower than 7.30 SP5. It means that if you are running SAP Releases lower than 7.30 SP5, some of the checks below will not be supported and, therefore, will either not be displayed or be shown with an UNKNOWN status and a message highlighting that the check requires a higher SAP release |
CCMS
Get the results from a CCMS MTE
(Monitor Tree Element).
You can use this Custom Check to integrate Avantra with the SAP CCMS.
Managed Object |
Dynamic Group or Static Group of SAP Instances, SAP Systems |
Depends on |
- Monitor Tree Element
-
In order to find the appropriate values for this field, log into your SAP System and proceed to transaction
RZ20
.You will see a list of CCMS monitor sets. Select SAP CCMS Monitor Templates, and double-click on one of the templates. Proceed to the Monitoring Tree you want to have checked and choose Properties.
Copy the value of the Properties of field in the SAP GUI and paste it into the Monitor Tree Element field in the Avantra WebUI.
Finally, replace every occurrence of Real SAP SID and the SAP Instance name in the string with the keywords
<SID>
and<INSTANCE>
. - Report CCMS alerts of this MTE to Avantra
-
If this flag is set the Avantra Agent automatically confirms the CCMS Alerts corresponding to the Monitoring Tree Element and imports them into Avantra where they can be viewed using Avantra WebUI.
- Avantra status is
-
Choose the check status Avantra is to display in case the SAP status is either
unknown
orinvalid
.
CCMS_MONSET
Get the results from a CCMS Monitor Tree.
You can use this Custom Check to integrate Avantra with the SAP CCMS. You may use this Custom Check if you want to integrate a whole Monitor Tree instead of only a Monitoring Tree Element (as in the CCMS Custom Check).
Please be aware that defining a CCMS_MONSET Custom Check actually may create a very large number of single Checks, depending on the number of MTEs comprising the corresponding Monitor. Defining such a Custom Check on many Systems might decrease the overall performance and stability of the Avantra monitoring environment. You may set monitoring parameter CCMSMonsetMTEMaxCount if you want to limit the number of checks being read from a Monitor tree. |
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Monitor Set Name
-
Define the name of the Monitoring Set containing the Monitor you want to integrate into Avantra.
- Monitor Tree
-
Define the name of the Monitor in Monitor Name. Avantra includes all MTE objects attributes (i.e. the leaves of the CCMS monitor tree) of the given monitor.
- Report CCMS alerts of MTEs to Avantra
-
If this flag is set the Avantra Agent automatically confirms the CCMS Alerts corresponding to the Monitoring Tree Elements and imports them into Avantra where they can be viewed using the Avantra WebUI.
- Avantra status is
-
Choose the check status Avantra is to display in case the SAP status is either
unknown
orinvalid
.
FILESYSTEMS
Monitor individual file systems on a host.
This custom check works exactly the same as the built-in Check FILESYSTEMS but checks only customer-specified file systems. This custom check is intended for users, who want to check certain file systems independently from others, e.gto provide individual notifications to owners of a particular file system. This custom check type is not intended to replace the native FILESYSTEMS check. However, differently from the native check, it can be applied to all types of monitored objects, e.g. SAP Instances and SAP Systems.
Managed Object |
Dynamic Group or Static Group of Servers, SAP Instances, SAP Systems, stand-alone Databases |
Depends on |
- File System
-
Specify the file systems to be included. Wildcards
*
and?
are supported. - Usage
-
Specify the thresholds, see as well FSUsageWarn and FSUsageWarn. For Unix, you can as well define thresholds for the inodes, see FSNodeWarn and FSNodeCrit.
- Nodes
-
Specify the thresholds for monitoring the inodes on Unix, see as well FSNodeWarn and FSNodeCrit.
FILE_CONTENT
Use the content of a text file as Check Result.
The FILE_CONTENT custom check uses the Avantra Agent to check if a given file exists, is up to date and confirms the contents of the file. If it does not exist, the check status is set to Critical. If it exists the file’s last modification time is verified and can define a Critical threshold. If the file is reasonably new, the content of the file is read. The first line must contain the keywords UNKNOWN
, OK
, WARNING
, CRITICAL
, or the corresponding numerical values -1
, 0
, 1
, 2
and this value is returned as check status. The remaining lines of the file form the check message.
Managed Object |
Dynamic Group or Static Group of Servers, SAP Instances, SAP Systems, stand-alone Databases |
Depends on |
- Check File
-
Define the absolute path name of the file monitored in this field. File name substitution is provided in case wildcard characters (like
*
or?
) are used.For the sake of stability and sanity of the monitoring process wildcards are only allowed to be used in the file name part of the Check File Definition, but not in the directory part. If you want to check for the existence of multiple files in separate directories, you may use the RUN_PROG Custom Check and tools like
find
(on Unix-like operating systems) ordir /s
(on Microsoft Windows operating systems).This field features Custom Check Macros and Custom Monitoring Parameters. - Critical Alert if File is older than
-
Define a Critical threshold.
FILE_EXISTS
Check if a certain file exists.
The Avantra Agent checks if a given file exists. You can define the check status to report in case the file does or does not exist, e.g. an Ok if the file exists and a Critical otherwise.
Managed Object |
Dynamic Group or Static Group of Servers, SAP Instances, SAP Systems, stand-alone Databases |
Depends on |
- Check File
-
Define the absolute path name of the file monitored in this field. File name substitution is provided in case wildcard characters (like
*
or?
) are used.For the sake of stability and sanity of the monitoring process wildcards are only allowed to be used in the file name part of the Check File Definition, but not in the directory part. If you want to check for the existence of multiple files in separate directories, you may use the RUN_PROG Custom Check and tools like
find
(on Unix-like operating systems) ordir /s
(on Microsoft Windows operating systems).This field features Custom Check Macros and Custom Monitoring Parameters. - Check Status if File Exists
-
Define the check status to be returned if the file exists.
- Else
-
Define the check status to be returned if the file does not exist.
FILE_UPTODATE
Check if a certain file is reasonably new.
The FILE_UPTODATE custom check uses the Avantra Agent to check if a given file both exists and verifies the last modification date. If the file does not exist, the check status is set to Critical. If it exists the file’s last modification time is verified. You can define Warning and Critical thresholds.
Managed Object |
Dynamic Group or Static Group of Servers, SAP Instances, SAP Systems, stand-alone Databases |
Depends on |
- Check File
-
Define the absolute path name of the file monitored in this field. File name substitution is provided in case wildcard characters (like
*
or?
) are used.For the sake of stability and sanity of the monitoring process wildcards are only allowed to be used in the file name part of the Check File Definition, but not in the directory part. If you want to check for the existence of multiple files in separate directories, you may use the RUN_PROG Custom Check and tools like
find
(on Unix-like operating systems) ordir /s
(on Microsoft Windows operating systems).This field features Custom Check Macros and Custom Monitoring Parameters. - Warning Alert if File is older than
-
Define the Warning threshold.
- Critical Alert if File is older than
-
Define a Critical threshold.
HTTP_RESPONSE
Verify if websites can be accessed.
The HTTP_RESPONSE Custom Check allows you to:
-
verify if a certain website is reachable (i.e. if a certain URL can be accessed and an HTTP 200 OK response is returned),
-
measure web page response times against Warning and Critical thresholds,
-
verify if the retrieved web page contains a certain content.
The HTTP_RESPONSE Custom Check supports the following HTTP/1.1 methods:
- HEAD
-
Performs an HTTP HEAD request, i.e. only the header of the response will be retrieved.
This is usually sufficient if you only want to know if there is any response for a given URL
- GET
-
Performs an HTTP GET request. Basic Authentication is supported as well
- POST
-
Performs an HTTP POST request. HTML Form data can be provided URL-encoded
The HTTP_RESPONSE Custom Check also supports the HTTPS protocol scheme (more exactly: HTTP over TLS).
In case the {avantra-agent} cannot connect to the site, or the site returns a status code different from the 200 OK response, the Check turns to Warning until the number of failed consecutive connection attempts reaches the value defined in _Status turns to CRITICAL after n successive connection failures. Afterwards, the Check turns to Critical.
If the site returns a 200 OK response and there is a value defined in Content must contain string, the {avantra-agent} verifies if the defined string is contained in the HTTP response. If so, the Check returns the check status defined in _Check status if the string is found otherwise the {Check} turns to the value defined in _Check status if the string is not found.
If there are response time thresholds defined in the fields Warning alert if response time exceeds and Critical alert if response time exceeds, the response time of the site is compared to these values and the Check returns a corresponding Ok, Warning, or Critical check status.
You can also check if the SSL certificate for the server is valid and generate a {Warning} or Critical check status if it is about to expire. Of course, this works only if you use HTTPS in the _URL.
Managed Object |
Dynamic Group or Static Group of Servers, SAP Instances, SAP Systems, stand-alone Databases |
Depends on |
- URL
-
The URL of the site you want to verify.
This field features Custom Check Macros and Custom Monitoring Parameters. - Evaluate JavaScript
-
Set this flag if you want to interpret JavaScript eventually returned with the response.
Only set this flag if you really require JavaScript evaluation. It may be expensive in terms of execution time and memory usage. - Proxy URL
-
If you need to define a proxy server in order to access the site defined in the URL field you may fill in this value.
This field features Custom Check Macros and Custom Monitoring Parameters.
- User Agent String
-
By default, the Avantra Agent uses the string
agent/[version]
in order to identify as a user agent. Some web servers may restrict access to certain browsers, like the Microsoft Internet Explorer or Mozilla Firefox, or they behave differently using one of these browsers.If you experience problems with pages you can open with your browser, but an HTTP_RESPONSE Custom Check returns e.g. an HTTP Server Error 5xx code, you may try to set a different value for the user agent in this field. For more information about user agent strings, visit this site: http://user-agent-string.info/.
- Method
- Basic Authentication Credentials
-
In case you have chosen
GET
in the Method field you may fill in a user name and a password in this field if Basic Authentication is required by the requested URL.This field features Custom Check Macros and Custom Monitoring Parameters. - Post Form Data
-
In case you have chosen
POST
in the Method field, you have to fill in the form data in URL-encoded format.This field features Custom Check Macros and Custom Monitoring Parameters. - Time Out
-
You may define a value for the connection timeout. The default is 10 seconds. Please note: This is a timeout for the sub-process spawned to perform the connection attempt. The timeout for the HTTP request itself will always be 80% of the defined value.
- Status turns to CRITICAL after n successive connection failures
-
If filled with a value > 1, all consecutive failed connection attempts will return a Warning check status until the threshold is exceeded. The Check turns to Critical afterwards.
- Content must contain string
-
You can filter the response for one or multiple strings by filling in data in this field.
If you fill in multiple strings (separated by blanks), they are treated like combined by a Logical OR, i.e. it is sufficient if one of the strings is found in the result. Therefore, in order to search for a string containing blanks, use the wildcard
*
instead of the blank. The same must be used to require multiple strings (in that order) to be contained in the result.The HTTP header is also considered part of the result, so this option is also available for the HEAD method, although of limited use.
You can define the {check-status} returned in case the string is or is not found using the fields _Check status if the string is found and Check status if the string is not found.
This field features Custom Check Macros and Custom Monitoring Parameters. - Check status if the string is not found
-
If there is a value defined in the Content must contain string and the string is not found in the response, this check status is returned.
- Check status if the string is found
-
If there is a value defined in the Content must contain string and the string is found in the response, this check status is returned.
- Warning alert if response time exceeds
-
Fill in a Warning threshold for the response time.
- Critical alert if response time exceeds
-
Fill in a Critical threshold for the response time.
- Warning Status if SSL certificate expires within
-
Fill in a Warning threshold if the check shall verify SSL certificate expiry time.
- Warning Status if SSL certificate expires within
-
Fill in a Critical threshold if the check shall verify SSL certificate expiry time.
- Status if SSL certificate is invalid
-
Select the check status to return in case an SSL certificate is invalid.
RUN_JS
Run a script and evaluate SAP RFC functions, database queries, OS commands, or Cloud Services.
RUN_JS is a very powerful Custom Check type, which combines several different ways to retrieve data and evaluate the results using JavaScript. RUN_JS can easily access ready-to-use objects, for example, established RFC connections to SAP ABAP systems, established database connections, an OS object to run commands, or make HTTP requests to Cloud Services. This custom check type can be used to generate comprehensive check results, including sortable tables, that can even combine different sources of data retrieval.
The RUN_JS custom check is a very powerful tool. Data retrieval by RFC, SQL, OS, or HTTP is executed using the permissions you have provided for the corresponding user. You can gain access to sensitive data if RFC, database, or OS user permissions are not restricted. Use this custom check at your own risk. Avantra shall not be liable for any direct, indirect, special, incidental, or consequential damages arising from the use of this custom check. Nor can we provide any support for designing data retrieval and writing evaluation scripts. |
The RUN_JS custom check supports ECMAScript 2019 for Avantra Agents 20.11 and higher and ECMAScript 5.1 for older versions. Starting with Avantra 20.11.5, this custom check type depends on the global Avantra server setting Security.EnableOSCodeExec. |
The check evaluation logic is provided by a (usually small) JavaScript program. This script can access objects which are provided by the Avantra Agent, so the programmer can focus on the check logic and not worry about establishing connections, etc.
To script the evaluation logic, users of this check type need to be familiar with the built-in variables and API to use them, as described in section API Documentation below.
The RUN_JS custom check can be created for any monitored object type, however, certain built-in variables are only available in the context of the corresponding system type, i. e. an RFC connection to an ABAP system is only available in the context of SAP systems and SAP instances.
Apart from the examples provided in the API Documentation below, see also solution document RUN_JS Custom Check Examples, which contains ready-to-use examples for download.
You need a Java Virtual Machine 1.8.0_65 or higher in order to make use of all functions of this Check. |
Managed Object |
Dynamic Group or Static Group of Servers, SAP Instances, SAP Systems, stand-alone Databases |
Depends on | |
Monitoring Parameter |
- Script
-
The JavaScript program providing the check data retrieval and evaluation logic. See section API Documentation.
- Report Execution Time
-
If this option is enabled, the time to run the script is appended to the check result text. This might be useful to check if the performance of a script is good.
- Execute Test Run
-
Starting with Avantra Version 21.11, you can run tests for newly created RUN_JS checks on the selected Agent directly from the Avantra WebUI. This feature does not require saving or activating the check, i.e. it can be tested before affecting the execution of the check on other systems.
To test your check code:
After modifying your script in the Script field, click the Execute test run button under the check name at the top of the dialogue box. Select one or multiple system to test the check on and click the Test button to run your script directly on those selected systems.
Although this is a testing tool, the script will execute on the systems in the same way it does in a real check execution. If the check has any side effects then these will also happen in test mode.
This feature can be disabled by the
Security.RUNJSEnableTestExecution
setting in your Avantra Server.
LOG_ADAPTER
Monitor textual log files and the Microsoft Windows EventLog.
The LOG_ADAPTER Custom Check allows you to monitor textual log files as well as Microsoft Windows EventLogs. It is based on pre-defined or self-defined Log Adapters, which provide log entries of arbitrary log sources as an array of standardized sets of key-value pairs. Using those key-value pairs as Macros in conditional Expressions, the LOG_ADAPTER Custom Check allows you to define conditions to trigger Check Results. The LOG_ADAPTER Custom Check supports logs spread over multiple log files as well as cyclic log files.
Managed Object |
Dynamic Group or Static Group of Servers, SAP Instances, SAP Systems, stand-alone Databases |
Depends on |
- Log Adapter Type
-
The type of a Log Adapter.
- Log Adapter
-
Select your desired Log Adapter. As soon as you have selected a Log Adapter, the available Macros are loaded and the Expression Editors in various fields are initialized.
A click on the icon provides additional data about the Macros provided by the selected Log Adapter.
Avantra automatically detects the encoding of the file. If it fails, use the Log File Encoding setting to specify the file encoding manually. |
- Log File Path Pattern
-
If you have selected File Adapter in Log Adapter Type you have to fill in this value, which indicates the path and file name of the target log files.
This field features Custom Check Macros and Custom Monitoring Parameters. The LOG_ADAPTER Custom Check supports logs spread over multiple log files as well as cyclic log files. In order to identify the log files belonging to a scenario, the LOG_ADAPTER Custom Check features a flexible log file path pattern interpreter.
In order to best use the log adapter, you must understand how log files are written by your application.
Typical applications write log files until a specific size is reached and then start writing to a new log file. What happens to the old log file depends on your application and is not standardized. Most applications write log files with one of the following procedures. Use the corresponding values for the Log File Path Pattern.
The current log file where the application writes into it has always the same and unique name. When this file reaches the size limit, the log file is renamed (or moved) and gets a new name. The new name typically contains an ascending number or a timestamp to uniquely identify this file. After that, a new file is created with the same name again and the application writes into the new log file.
Define the Log File Path with the exact name of the log file. Do not use wildcards. Do NOT define the Archived Log File Path. Avantra finds old (or rotated) files with the unique file id (inode).
The current log file where the application writes into has a unique name. When the log file reaches the size limit, a new log file is created with a new unique name and the application writes into the new log file. The old log file is not touched anymore. With this approach, each log file has a unique name which is typically an ascending number or a timestamp. Since the file name is not known in advance, you must use wildcards to identify this file (see below).
Define the Log File Path using wildcards to identify the file. Define the path as exact as possible. If old files have a different name pattern, define also the Archived Log File Path (with wildcards).
Similar to the first. but the log file is not renamed (or moved) but copied to a new file (or new location). A new file is created with the same name and the application starts to write into the new file. When a file is copied it gets a new name and a new file id (inodes).
Define the Log File Path with the name of the file. You can use wildcards if necessary. You must also define Archived Log File Path to find the old file. Use wildcards if necessary. Please make sure that the path defined in Log File Path does not match rotated files and the path defined in Archived Log File Path does not match the current file.
Your application does not have a limit to the log file size. It always writes to the same log file. (If the log file is getting too big, this is another issue that is not covered in LOG_ADAPTER).
Define the Log File Path with the exact name of the log file. You can use wildcards if necessary.
If you do not know exactly how your application writes log files, perform the following:
-
Define the Log File Path with the name of the file. You can use wildcards if necessary.
-
Also, define the Archived Log File Path with the name of the archived file. You can use wildcards if necessary.
You may use the following utilities and shortcuts to define general file patterns:
-
Use the to view and insert available Custom Check Macros to generalize your path pattern for different system environments.
-
Use wildcard characters for single (
?
) and multiple (\*
) characters to match multiple log file names. These wildcard characters are only supported in the file names, not in the directory parts. -
If you use wildcards, the LOG_ADAPTER Custom Check will determine the latest file matching the wildcards in every read operation. It will only monitor this single file. If your wildcard definition matches multiple files that are not written in chronological order, the LOG_ADAPTER Custom Check may read data from different files over time, depending on which file was updated last. The result is most likely not what you expect, and the check will return a Warning`Context lost`Check Result from time to time.
-
Use the slash key (/) instead of backslash (\) as file separator on Microsoft Windows and Unix operating systems for platform-independent path definitions.
-
- Archived Log File Path
-
See Log File Path Pattern.
- Log Adapter Processing
-
This setting defines which entries of the log files are to be processed. Log entries written since last check cycle processes all log entries that have been added after the last read of the file. Log entries written in last x minutes reads all entries that have been added during the past Log Entry Timespan minutes.
Using Log entries written in last x minutes requires that you have defined a Log Adapter that contains timestamps in a way that the Avantra Agent is able to read and understand. If your log file does not provide reasonable timestamp information, choose Log entries written since last check cycle instead.
This parameter, together with the execution cycle, has a direct impact on the duration a LOG_ADAPTER Custom Check alert is visible in the RealTime Monitoring. The time you indicate in Check Result is visible in the RealTime Monitoring.
When you select Log entries written since last check cycle, the alert will be visible for Log entries written since last check cycle * execution cycle minutes.
- Log Entry Timespan
-
Fill in the period of time the {avantra-agent} should look back while processing the log file if Log entries written in last x minutes is selected in _Log Adapter Processing>.
- Warning Condition
-
Define a conditional expression that indicates log entries considered as Warning.
- Critical Condition
-
Define a conditional expression that indicates log entries considered as Critical.
A Critical match will override Warning matches in terms of the check status. The check message will also be overridden unless you select All matching log entries in Create Message For.
- Match Counter Threshold
-
In the Warning Trigger section, this value defines how many entries must be matched to the condition before the check status will be set as Warning. I.e. if there are only 2 entries matching and this value is set to 3, then the check status will be OK. If there are 3 or more entries matching, then the check status will be set as Warning.
In the Critical Trigger section, this value defines how many entries must be matched to the condition before the check status will be set as Critical. I.e. if there are only 2 entries matching and this value is set to 3, then the check status will be OK. If there are 3 or more entries matching, then the check status will be set as Critical.
- Resolution Condition
-
Define a conditional expression that indicates log entries that resolve issues found using Warning Condition or Critical Condition.
- Create Message For
-
You can specify the format of the check message shown in RealTime Monitoring or used in Notifications.
The message format has a static header that indicates which and how many of the trigger conditions have matched, followed by optional information on the matching log entries.
You may choose between the listed formats. For the detailed layout of the display of log entries, see also Message Format.
No log entry No details of matched log entries are shown.
First matching log entry Details of the first matching log entry are shown.
Last matching log entry Details of the last matching log entry are shown.
All matching log entries Details of all matching log entries are shown.
- Message Format
-
Define the display of a matched log entry in the check message. You may enter arbitrary text tokens in the field, and you may use all Macros available for the selected Log Adapter (using the icon) to build a meaningful description text.
NW_RESPONSE
Monitor availability and response time of remote hosts.
The NW_RESPONSE Custom Check is designed to monitor the availability and response time of a remote host. It sends a configurable number of ICMP echo request packets to a given host, receives the ICMP echo replies, and calculates packet loss as well as packet round-trip-time, i.e. the check virtually does what the ping
operating system command does.
You have the option to define packet loss thresholds; if there is no packet loss, the network round-trip-time can be compared to corresponding response time thresholds in order to generate Warning or Critical Check Results.
It is characteristic of the ICMP protocol to require administrative permissions in order to generate ICMP echo requests. On Microsoft Windows operating systems the permissions the Avantra Agent runs with (as a service) are usually sufficient. On Unix-like operating systems the Avantra Agent would need to run as user root to execute the NW_RESPONSE Custom Check. This is generally not recommended. If you want to use this feature, it is recommended to run it on a Microsoft Windows host. |
Managed Object |
Dynamic Group or Static Group of Servers, SAP Instances, SAP Systems, stand-alone Databases |
Depends on |
- Host Name or IP Address
-
Fill in the host name or the IP address of the remote host.
This field features Custom Check Macros and Custom Monitoring Parameters. - Packet Loss Warning Threshold
-
Define a Warning threshold for packet loss.
- Packet Loss Critical Threshold
-
Define a Critical threshold for packet loss.
- Average RTT Warning Threshold
-
Define a Warning threshold for the average round-trip time.
- Average RTT Warning Threshold
-
Define a Critical threshold for the average round-trip time.
- Timeout
-
Define a time out for the Check. The check status will be Critical if the time out is exceeded.
- Number of Packets
-
Define the number of ICMP packets to send per Check
- Packet Size
-
Define the size of ICMP echo request packets
PARAMETER_VALUES
Verify SAP instance profile parameters, Java system property values, or database parameters.
The PARAMETER_VALUES Custom Check allows you to verify the actual value of an SAP instance profile parameter, a Java system property (properties of Services and Managers), or a database parameter against a given value. For example, it might be required that some parameters have a certain setting for security or compliance reasons, so you might want to monitor this.
To be able to check profile parameters of non-ABAP SAP Instances, the SAPControl user must be maintained. See Defining the SAPControl User on how to do this. |
To check SAP profile parameters, you must select SAP Instances.
For database parameters, you can choose between Database for standalone database or SAP Systems for underlying database.
The check result depends on the setting of If value does not match alert as. If multiple parameters are checked, the worst status of all will be the total status of the check.
Managed Object |
Dynamic Group or Static Group of SAP Instances, SAP Systems, Databases |
Depends on |
RFCConnect, J2EECONNECT, or DBCONNECT (depends on Custom Check scope) |
- Type of System Configuration
-
The type of system configuration to be verified, either Profile Parameter for parameters found in an SAP instance profile, or Java Service Property for parameters of Services and Managers found in the section Java System Properties of the SAP NetWeaver Administrator.
For SAP Systems or Databases, there is only one option Database Parameter.
- Parameter Name
-
The name of the profile parameter, you want to verify the value of. Examples in the security area of an ABAP instance are
login/no_automatic_user_sapstar
or in the compliance arearec/client
.Java system properties are also specified in one string and follow the syntax Service Component Name/Property. For properties of Managers, you simply replace the Service Component Name with the name of the manager. Examples in the security area of a Java instance are
com.sap.security.core.ume.service/ume.logon.security_policy.password_min_length
orSessionManager/session.invalidation.timeout
.For database parameters of a DB2 database, you must prepend
DBM.
for the parameters of the database manager, andSID.
for parameters of the database itself.To specify the database parameters of a HANA database, parameter names are combined using the scheme
section.key
, e.g.persistance.trace
. Furthermore, you can query for parameters of a certain host by using thehost
keyword, e.g.host=thehanahost;persistance.trace
. You can also query the parameters by the file, the layer or by the tenant. Examples:file=global.ini;persistance.trace
,layer=SYSTEM;persistance.trace
ortenant=xy;persistance.trace
. - Operator
-
The operator used to compare the actual value against the given value. You can choose from a variety of text and numerical operators, a between operator, and regular expressions. If you use numerical operators, the given value and the actual value will be checked if they look like a number. A wide range of numerical notations is supported, integers, floating point, scientific. The between operator will evaluate to true, when the actual value is inclusively between the two given values.
Example 1. Example forrsau/enable
The parameter
rsau/enable
may have the following values:TRUE
,FALSE
,0
,1
,ON
,OFF
,YES
,NO
, which are not case-sensitive.In order to verify if Security Audit is enabled, you would configure:
Parameter Name rsau/enable
Operator =~ (regex)
Parameter Value |^TRUE$|^1$|^ON$|^YES$/i
- Parameter Value
-
The given value of the profile parameter, i.e. the value the monitoring parameter should have. This value will be compared against the actual value. The actual value is retrieved by RFC using a kernel function, so no matter if it is defined in the default or instance profile, the actual effective value will be used.
You can specify SAP profile-specific placeholders, e.g.
$(SAPGLOBALHOST)
. The agent will replace them with the actual value prior to the comparison with the actual value of the Parameter Name. This way the scope of one custom check definition can be used for more than one system. - Tag
-
Free text field to add a custom reference which will appear in the check output. This might be useful in Service Level Reports to document a certain paragraph or the like.
- If value does not match alert as
-
Select the status, in case the parameter actual value does not match the given value, either Warning or Critical.
- If parameter does not exist alert as
-
Select the status, in case the parameter actual value does not exist, either Ok, Warning or Critical.
- If values is null alert as
-
Select the status, in case the parameter actual value is the null value, either Ok, Warning, or Critical.
PROCESS
Watch if processes are running.
This Custom Check can monitor whether or not a configurable number of processes sharing the same process name are running.
The Check is available on Unix-like operating systems and on Microsoft Windows operating systems. However, it might more useful on a Unix host.
You can define minimum and maximum Warning and Critical thresholds for the number of instances of the process in question.
Managed Object |
Dynamic Group or Static Group of Servers, SAP Instances, SAP Systems, stand-alone Databases |
Depends on |
- Process Name
-
Enter the name of the process you want to monitor.
-
On Unix-like operating systems, fill in the process’ simple command name, i.e. the process’ executable name without any arguments. The simple command name is the value displayed by the
-o comm
option in the POSIX version of theps
command. See alsoman ps
on your system. -
Also, on Unix-like operating systems, if a simple command name is not sufficient (like in Java applications), you can also define a name to match (a substring of) the process’ command line call. The command line call is the value displayed by the
-o args
option in the POSIX version of theps
command. See alsoman ps
on your system. Please note that this value may be limited to 256 characters on some systems.If you prefer this option, make sure you set the flag Match process name in process table….
-
On Microsoft Windows operating systems enter the process name (as shown in the Processes tab of the
Task Manager
), but without the trailing.exe
.This field features Custom Check Macros and Custom Monitoring Parameters.
-
- Critical alert if number of processes is lower than
-
If the number of running processes falls below this threshold, a Critical check status is returned.
- Warning alert if number of processes is lower than
-
If the number of running processes falls below this value, but does not exceed the value defined in Critical alert if number of processes is lower than, a Warning check status is returned.
If the field is left blank, no Warning check status is returned at all.
If the value in this field is less than the one defined in Critical alert if number of processes is lower than, the latter value will be ignored. This method can be used to receive only Warning but no Critical Check Results.
- Warning alert if number of processes is higher than
-
If the number of running processes exceeds this threshold, but is still below the value defined in Critical alert if number of processes is higher than, a Warning check status is returned.
If the field is left blank, no Warning Check Results are returned at all.
If the value in this field is higher than the one defined in Critical alert if number of processes is higher than, the latter value will be ignored. This method can be used to receive only Warning but no Critical Check Results.
- Critical alert if number of processes is higher than
-
If the number of running processes exceeds this threshold, a Critical check status is returned. If the field is left blank, no Critical Check Results will be returned.
RUN_PROG
Integrate your own monitoring scripts or programs into Avantra
The RUN_PROG Custom Check allows you to integrate your own monitoring scripts or programs into Avantra. When you define a RUN_PROG Custom Check, you can upload your script or program to the Avantra Database. It is transferred to the Avantra Agent together with the agent configuration. The Avantra Agent executes the program during the Basic Check Cycle, the exit state of the program is considered as check status, while the program output is used as the check message. You can also configure the RUN_PROG Custom Check to find and collect performance data in the program output.
There are two options for this Custom Check: you can either simply execute a script or program that is already installed on the target System (more exactly: on the hosting Server), such as an operating system command. Or, what you probably want in most cases, is to store the script/program in the Avantra Database and deploy and run it on the target Systems. In the latter case, the program is transferred to the Avantra Agent, saved to the local filesystem, and executed from there. It is also verified prior to each execution that the script/program on the local filesystem has not been altered. Otherwise, it will be replaced by the version stored in the Avantra Database.
Starting with Avantra 20.11.5, this custom check type depends on the global Avantra server setting Security.EnableOSCodeExec. |
Once the Custom Check is deleted, the program is removed from the filesystem (if Delete program after check deletion is set). Before we start describing how to set up and use the RUN_PROG Custom Check, we would like to highlight some important facts:
-
Scripts/programs must not be too large. 50 to 60 KB (compressed size) will be ok (which in fact can be a very comprehensive script).
-
Only single scripts/programs can be transferred, there is no pack/unpack mechanism for multiple scripts/programs. You may work around this in the same way as described in the previous item.
-
It is recommended to avoid blanks in the Custom Check name as well as in the script/program name. While the Avantra Agent does its best to cope with blanks, you need to provide proper quoting in the command line definition. Avoiding blanks makes the definition easier and more robust. (The Custom Check name by default will be used as the name of the directory the script/program is stored into.)
-
The script/program is executed in the security context of the Avantra Agent, i.e. on Unix-like operating systems, it is running with the permissions of the user running the Avantra Agent, on Microsoft Windows operating systems it is running as
LocalSystem
user, unless you have changed the service’s Log on properties. -
Please observe the following coding guidelines for scripts/programs:
-
Keep the output message short. One or two lines (80 characters each) shall suffice.
-
Return a proper exit state:
0
will create an Ok Check Result,1
a Warning, and2
or higher a Critical Check Result.If you want the Check to return an Unknown check status, use the same exit code you define in Exit code for Unknown check status. You may use the Unknown return code if the program has not been called properly, or if your program is not able to determine the check result.
-
If you execute system commands, always use the full path, or use an internal
PATH
variable in your scripts in order to be sure all commands can be executed! This is especially important if scripts are deployed on several different platforms. -
If you use temporary files, make sure you clean them up properly!
-
The script/program typically should not run longer than 10 seconds. It is recommended that the script/program itself takes care to exit properly if a runtime threshold is exceeded. Otherwise, Avantra Agent will stop the program after the number of seconds defined in the Timeout field. Using timeouts is important especially when the script/program accesses network resources.
-
Keep your scripts/programs small! Small programs are transferred faster to the Avantra Agent and probably execute more quickly! If you need to execute longer running programs, consider using the FILE_CONTENT Custom Check.
-
Once you have deployed the script or program you have also the option to remove it again. Use the Delete Program From Database button.
Managed Object |
Dynamic Group or Static Group of Servers, SAP Instances, SAP Systems, stand-alone Databases |
Depends on |
- Command line call
-
Define the full command line call to be executed by the Avantra Agent. It is recommended to use absolute path names whenever possible.
Example 2. Example for Run Program Custom Check Command Line Call Definition/bin/sh "%%PROG_DIR%%/proggy.sh" -param 1 -param 2
on Unix-like operating systems or
"C:\Program Files\system32\cmd.exe" "%%PROG_DIR%%\proggy.cmd" /param 1 /param 2
on Microsoft Windows operating systems.
This field features Custom Check Macros and Custom Monitoring Parameters. You have to use quotes whenever a blank is contained in the program or directory name. Please note that also the resolved macros may contain blanks, so it is recommended to use quotes around macros as well.
You may use newlines in this field for ease of reading and writing. Note that they are stripped (not replaced by blanks) prior to execution.
- Working directory
-
Define a working directory of the executed script or program.
This field features Custom Check Macros and Custom Monitoring Parameters. - Environment variables
-
Define environment variables for the executed script or program. Please note that multiple entries must be separated by commas or semicolons. The format is
name ‘=' value { (';' | ',’) name '=’ value}
Example 1:
timeout=300;mode=test
Example 2:
file=/path/to/your/file;url=http://host/path
This field features Custom Check Macros and Custom Monitoring Parameters. |
- Time out
-
Define a timeout for the executed script or program.
There is a hard limit for this value defined by the CheckCycleTime Monitoring Parameter. In other words, the effective time out is the minimum of the value defined in this field and the CheckCycleTime Monitoring Parameter.
- Exit code for unknown check status
-
Use this field to define the exit code of your program that shall indicate an Unknown check status.
The default value, which is
-1
for historical reasons, is not supported on Unix-like operating systems, so you may want to adapt this value accordingly if you plan to operate with Unknown check status.
- Collect Performance Values
-
If you want the {custom-check} to collect performance data (which must be written to console output by the program), check _Select Performance Resource Type and choose a previously defined custom performance resource type from the list. See Configuring Custom Performance Data Resource Types on how to define custom performance resource types.
The syntax supported follows the plugin output specification of a common open source monitoring product.
If the program does not return or returns erroneous performance data the Custom Check will report a Warning status, with a message e. g. 'Result is supposed to return performance data but nothing was found' or 'Missing or invalid performance data'.
- Return Timeout as
-
Determine whether to return the check status as Ok, Warning, Critical, Unknown if the timeout specified in the Time out setting is exceeded.
- Omit the command line in check result
-
Check the box to not display the command line in the check result.
- Program
-
Use the Upload Program button in order to select a script or program to deploy.
- Original File Name
-
Read-only field containing the name of the script or program once it is deployed. The name is displayed as a link that allows you to download the script or program.
This field is only available if a script or program has been uploaded.
- Checksum
-
Read-only field containing the MD5http://en.wikipedia.org/wiki/Checksum[checksum] of the script or program once it is deployed. This value is used to detect whether the file copied to the target System's filesystem has not been modified.
This field is only available if a script or program has been uploaded.
- Upload Date
-
Read-only field containing the date the script or program was uploaded.
This field is only available if a script or program has been uploaded.
- Program Directory
-
You may define where the script/program is supposed to reside in the target System's filesystem by filling in the appropriate directory.
If you fill in this value, please note that the user running the Avantra Agent needs read, write, and execute permissions on this directory! This field is only available if a script or program has been uploaded.
- Delete program after check deletion
-
If you set this flag, the Avantra Agent will take care to remove the script/program once the Custom Check is deleted. The Program Directory is also removed if it is empty.
This field is only available if a script or program has been uploaded.
- Service Name to record Availabilities
-
If you enter a value, the Custom Check will record the Service Availability for use in e.g. Service Level Reports.
- Report Warning as Available
-
If Service Availability is recorded, a Warning check status is usually considered Down. Set this flag if you want the Warning check status to be considered Up instead.
SAP_ApplicationLog
Verify SAP ApplicationLog entries.
The SAP_ApplicationLog custom check reads the SAP Application Log entries and reports a WARNING or CRITICAL check status when specific entries are found. Please refer to SAP transaction slg1
. Use can use configuration filters to select specific logs.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Client
-
Read-only application log entries from the clients defined here. Multiple clients are supported. If you leave it empty, the client defined for the SAP RFC user will be used.
- Time interval
-
Read-only log entries written within the last configured minutes.
- Object
-
Read-only logs from this object. Wildcard * is allowed. Use a comma to separate multiple values.
- Subobject
-
Read-only logs from this subobject. Wildcard * is allowed. Use a comma to separate multiple values.
- External ID
-
Read-only logs from this External ID. Wildcard * is allowed. Use a comma to separate multiple values.
- User
-
Read-only logs from this User. Wildcard * is allowed. Use a comma to separate multiple values.
- Transaction Code
-
Read-only logs from this Transaction Code. Wildcard * is allowed. Use a comma to separate multiple values.
- Program
-
Read-only logs from this Program. Wildcard * is allowed. Use a comma to separate multiple values.
- Log Class
-
Define the log class to which the log entry must belong.
- Log Creation
-
Define the log creation process type to filter log entries from. You may filter by multiple process types.
- Message Filter
-
Define the log message filter to filter log entries from. You may filter by multiple message filters.
- Warning Threshold
-
The check becomes a WARNING if your SAP application log selection criteria select more log entries than the defined threshold.
- Critical Threshold
-
The check becomes CRITICAL if your SAP application log selection criteria select more log entries than the defined threshold.
- Include all log messages in check result
-
Check this box if you want to include all application log messages in the check result. If this box is not checked, only the first message is included in the check result. This option has no effect on log entry selection. It is only used to display more detailed information in the check result.
SAP_BW_PROCESSCHAINS
Monitor process chains in the SAP System
The SAP_BW_PROCESSCHAINS check retrieves the status and runtime of all Process Chain runs during the last day and acts as an RTM check.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Client
-
If this field is left empty, the client specified for SAP RFC is used
- Check Time Window
-
Limit the examined chains to the ones started within the last specified minutes
- Runtime Warn Threshold
-
Define the Warning threshold value in minutes for the process chain run time. The default value is 120 min.
- Runtime Crit Threshold
-
Define the Critical threshold value in minutes for the process chain run time. The default value is 240 min.
- Status For Cancelled Chains
-
Select the status for cancelled chains from the drop-down menu:
OK
,WARNING
,CRITICAL
,UNKNOWN
- Recalculate
-
Tick the check box to recalculate the chain status at each execution
—- Choosing this option will increase performance —- |
- Chain ID Select Options
-
Select options for the Process Chain ID, i.e.,
I EQ 0TCT_C0_FULL_P01
for equals,0TCT_C0_FULL_P01
orE CP 0TCT_AVANTRA*
for excluding any chain ID based on 0TCT_AVANTRA* - Variant Select Options
-
Select options for the Variant Chain ID, i.e.,
I EQ VARIANT1
for equals,VARIANT1
orE CP AVANTRA*
for excluding any variant based on AVANTRA*
SAP_BW_UPLOAD
Monitor upload times in SAP BI Systems.
The SAP_BW_UPLOAD check monitors upload times in SAP BI Systems. It is available for SAP Business Information Warehouses only. It checks whether running uploads (i.e. Data Transfer Processes, `DTP`s) are taking longer than configurable thresholds. Once a DTP is in a non-running state, it will not be subject to this Check.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
SAP_CLIENTS
Monitors SAP client settings against user-configured given values.
The SAP_CLIENTS Custom Check is available for SAP ABAP systems and monitors SAP client settings against user-configured given values. For example, you may want to assure the Change and transport setting is always set to No Changes allowed
and any violation against this rule shall be reported as Warning or even Critical check status.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Clients (wildcard * allowed)
-
Defines a comma or space-separated list of clients the given rule shall be checked on. You may use wilcard * to define multiple clients, i.e.
1*
to define all1xx
clients. Use * to apply a rule to all clients found. - Exclude clients (optional)
-
Optionally exclude clients (separated by commas) from include rule before. For example, you may want to apply a rule to all clients using * but want to exclude client 000 and 066.
- Rule
-
Define the rule you want to check on the set of clients defined using the Clients field.
Select one of:
Client must exist
,Client must NOT exist
,Client Role must be
,Client Role must NOT be
,Currency must be
,Changes and transports must be
,Changes and transports must NOT be
,Cross-Client Object Changes must be
,Cross-Client Object Changes must NOT be
,Client Copy and Comparison Tool Protection must be
,Client Copy and Comparison Tool Protection must NOT be
,CATT and eCATT Restrictions must be
,CATT and eCATT Restrictions must NOT be
,Locked due to client copy
,Protection against SAP upgrade
- Argument
-
Define the arguments, i.e. the given value of this rule. The list or field depends on the argument Rule defined before. For example, if you choose Changes and transports must be as a rule, select one of the following arguments as given value:
Changes without automatic recording
,Automatic recording of changes
,No Changes allowed
,Changes w/o automatic recording
,no transports allowed
- Tag
-
Add an optional Tag that appears in the check output. This might be useful in Service Level Reports to document a certain paragraph or the like.
- Status if Rule is violated
-
Define the status if the rule is violated, either Warning or Critical. The overall Check status will be the worst of all rules.
SAP_IDOCS
Monitors number of SAP intermediate documents (Idocs) found using specific select criteria.
The SAP_IDOCS Custom Check is available for SAP ABAP systems and monitors the number of Idocs found with specific user selection criteria against configurable thresholds. You may, for example, search Idocs with a special erroneous status sent to a certain partner and report records found as Warning or even Critical check status, if the number is above the corresponding thresholds.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- IDOC Selection
-
Defines selection criteria to query for Idocs. All criteria are used with an AND clause, i.e. an Idoc must match all criteria specified to be found.
Be careful to actually enter selection data, especially limit the selection by max age in days. Otherwise, the check may select a huge amount of data and time-out, since the
EDIDC
may contain many millions of records. - Clients (wildcard * allowed)
-
Defines a comma or space-separated list of clients to be used as selection criteria. You may use wildcard * to define multiple clients, i.e.
1*
to define all1xx
clients. Leave the field blank to select from all clients. - Status Numbers
-
Specify one or many status numbers of the Idoc to be used as selection criteria. Use comma-separated list to define multiple values. It is also possible to select ranges, e.g.
03-10
. Use ! to exclude a status, and please make sure to always use a leading 0 for the status.Example:
01-70, !53, !67, 80
- Time and Date
-
Define the time and date specifications of the Idocs to be selected. You can choose amongst creation time, last modification time, max age, etc. Field IDOC max age in days is a required field and initialized to one day.
- Message Type, Variant, or Function
-
Define the Idoc’s message type, variant, or function. Each field supports comma-separated list to define multiple values. Wildcard
*
is supported as well. - Direction
-
Define the Idoc’s direction, which is either
Inbox
orOutbox
. The setting affects which fields to use for further selection, i.e. the setting defines if either Receiver or Sender specs needs to be used. - Receiver or Sender
-
Define the Idoc’s following criteria for either Receiver or Sender: Port, Number, Type, or, Partner Function. Each field supports comma-separated list to define multiple values. Wildcard
*
is supported as well. - Maximum number of IDOCS to retrieve
-
Define the maximum number of Idoc’s to retrieve. It is recommended to use this setting. Default: 500.
- IDOCS Checks
-
Fill in the number of Idocs for the Critical and Warning thresholds. Obviously, the Critical should be above the Warning value. You can leave one of each blank, then the check result will either be only Critical or Warning.
- Add status text to results
-
Include the message status text with the check result.
- IDOc key field names
-
Include the list of field names from the IDoc that will be added to the check result
The key field is identified via a combination of Message type and Key field technical name, and it can only be in the first segment. |
SAP_JOB
Monitor canceled, delayed, long-running, or short-running SAP Jobs.
The SAP_JOB custom check allows you to monitor if a given SAP Job is canceled, delayed, running too long or too short, running in the defined time period, or if multiple instances of the check are running. Generally, Avantra always examines the most recent SAP Job of a given name. However, if option Report canceled job as well, if following job run was successful is used, canceled jobs still get reported, if a successful job with the same name and a more recent date/time was found. If this option is used, it is recommended to specify a reset time using Reset After otherwise the canceled job is displayed for a maximum time of two days.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Job Name
-
Fill in the name of the job. The wildcard
*
is supported in order to monitor multiple jobs using the same Custom Check definition. Each SAP job matching the pattern given as job name is considered on its own and reported as a sub check within the given check.It is not recommended to use wildcard
*
together with option Status If Job Not Found, see below. - SAP Client
-
Specify the client of the job as either a deny or allow list. If you use a denylist, jobs must not run in the given list of clients, otherwise, they will not be selected. If you use an allowlist, jobs must run in the given list of clients. The list of clients can be separated by spaces, commas, or semicolons, and a client must be a three-digit number. When selecting jobs, the client is determined from SAP jobs overview table field
TBTCO.AUTHCKMAN
. - Check in each client
-
Per default, SAP_JOB Custom Check searches globally for jobs in all clients (or allowlisted or denylisted if this option is used) and sorts them by date/time to check the most recent. You can change this behavior by enabling Check in each client. SAP_JOB Custom Check will then group all job query results by client and run the same checks for each client separately. You may, for instance, want to check, if a job with the same name finished successfully in several clients, etc. Before this option appeared, you would need to create several SAP_JOB Custom Check for each client. Now using Check in each client this can now be done in one Custom Check.
If you provide a client allowlist, SAP_JOB Custom Check will search in the list of clients provided. A Warning will be reported if a allowlisted client does not exist. If you provide a denylist (which can as well be empty), SAP_JOB Custom Check will determine all clients of the system and will check in each of them, except the ones denylisted.
- SAP User
-
Specify the user of the job as either a deny or allow list. If you use a denylist, jobs must not be scheduled by users in the provided list, otherwise, they will not be selected. If you use a whitelist, jobs must be scheduled by one of the users on the list. The list of users can be separated by spaces, commas, or semicolons. If you want to use one of these characters in the user name, you must escape it with a backslash (
\
). Please note that the custom check will select the fieldTBTCO.SDLUNAME
of SAP jobs overview tableTBTCO
and thus query the user who scheduled the job. - Select Jobs started after
-
Set this time to select only jobs which are started after this time. Set a time between 00:00 and 23:59.
- Select Jobs started before
-
Set this time to select only jobs which are started before this time. Set a time between 00:00 and 23:59.
The following settings can be performed with Select Jobs started after and Select Jobs started before: If you set both times, only jobs which are started within this time interval are selected.
Example 3. Job Start Examples-
In order to select jobs started between 10:00 and 16:00, set Select Jobs started after to 10:00 and set Select Jobs started before to 16:00.
-
In order to select jobs started between 23:00 and 02:00 (of the next day), set Select Jobs started after to 23:00 and set Select Jobs started before to 02:00.
-
- Execute check during time selection
-
This checkbox is only relevant if Select Jobs started after and Select Jobs started before are set. If both are set, the check is by default not executed when the current agent time is in the selection interval! If you want to execute the check also when the current agent time is in the selection window, then mark this checkbox.
- Alert already cancelled Job as
-
Choose a check status to return in case the watched Job is cancelled.
- Report canceled job as well, if following job run was successful
-
By default, a canceled job will no longer be reported, if a more recent and successfully finished job with the same name has been found. You can change this behavior by enabling this option.
- Status If Job Not Found
-
Choose a check status to return in case the watched Job is not found as a released job. If you do not want to have this feature enabled, you simply leave the field blank, which is the default.
If you use wildcards * in the job name definition and multiple jobs are found, the check result will return as Warning with message
WARNING - Multiple jobs with different names found for target name <yourjob*>: <list> Please turn 'Status If Job Not Found' option off or do not use wildcards for job name.
- Reset after
-
You may define a time span after which the check status is set back to Ok in this field.
If you leave this field blank, you need to restart or delete the job inside your SAP System to clear the generated Warning or Critical check status.
- Number of Simultaneous Running Jobs
-
You may define Warning and/or Critical thresholds for the number of simultaneously running Jobs with the same name.
- Job Start Delay Time
-
You may define Warning and/or Critical thresholds for the delay of Job start.
- Maximum Job Run Time
-
You may define Warning and/or Critical thresholds for the maximum Job run time.
- Minimum Job Run Time
-
You may define Warning and/or Critical thresholds for the minimum Job run time.
- Maximum Time Since Last Job Start
-
You may define Warning and/or Critical thresholds for the maximum elapsed time since the last start of the Job.
- Show OK Status
-
Check this flag if you want to display the jobs finished properly in the check message.
SAP_PI_COMMCHANNELS
Verify specific PI communication channels.
The SAP_PI_COMMCHANNELS Custom Check allows you to monitor dedicated PI communication channels. Like the default check PI_CommChannels, it measures the time an individual channel is in ERROR
state and compares it to the Warning and Critical time thresholds to determine the state of the custom check.
You may filter the channel list for the channel attributes party
, service
, channelName
, and activationState
. The check will be applied to all channels matching each of the filter attributes, i.e. the criteria are logically AND related. To match multiple channels, you may use the wildcard * to match 0..n arbitrary characters. You can specify multiple patterns per filter attribute by concatenating them with a comma.
The check result will show all matching channels, regardless of their error state.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Party
-
Define a filter expression for the
party
attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma-separated list of patterns to match multiple channels.Example:
party_A, party_B
- Service
-
Define a filter expression for the
service
attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma-separated list of patterns to match multiple channels.Example:
\*_service_A, *_service_B
- Channel
-
Define a filter expression for the
channel
name attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma-separated list of patterns to match multiple channels.Example:
*prod_sender*
- Message
-
Define a filter expression for the
message
attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma-separated list of patterns to match multiple channels.Example:
*exception*
- Activation State
-
Define a filter expression for the
activation state
attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma-separated list of patterns to match multiple channels.Example:
STARTED
- Channel State
-
Define a filter expression for the
channel state
attribute of a communication channel; use the wildcard character (*) to define a pattern and/or a comma-separated list of patterns to match multiple channels.Example:
STARTED
SAP_QRFC_IN_QUEUE
Verify dedicated qRFC inbound queues with special parameters.
The SAP_QRFC_IN_QUEUE Custom Check allows the monitoring of dedicated inbound qRFC queues similar to transaction SMQ2
. It supplements the native checks QRFC_IN_ERRQ and QRFC_IN for users with special requirements, i.e. to monitor a given queue with special settings different from the native standard checks.
For configuration please refer to the corresponding Custom Check type SAP_QRFC_OUT_QUEUE Custom Check. All settings are exactly the same, with the only difference that they refer to inbound queues.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
Please refer to configuration section of SAP_QRFC_OUT_QUEUE Custom Check.
SAP_QRFC_OUT_QUEUE
Verify dedicated qRFC outbound queues with special parameters.
The SAP_QRFC_OUT_QUEUE Custom Check allows the monitoring of dedicated outbound qRFC queues similar to transaction SMQ1
. It supplements the native checks QRFC_OUT_ERRQ and QRFC_OUT for users with special requirements, i.e. to monitor a given queue with special settings different from the native standard checks.
First, define a set of queues using the queue name and clients (optional) on which the Warning and Critical conditions are applied. It is allowed to define only one condition. If at least one queue in the set matches either condition, the whole Custom Check check status will be set to the condition matched.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Include Queue Names (required)
-
Define one or a set of qRFC queues which are to be monitored. Multiple queues can be entered separated by comma (
,
). You can use spaces before or after a separating comma since they are ignored. In case your queue name contains a comma, you need to escape it with\
. Wildcard*
is supported.Example:
MYQUEUE1, MYQUEUE2*
- Exclude Queue Names
-
Define one or a set of qRFC queues which are to be excluded from the include set above. For multiple queues, the same applies as for Include Queue Names. In the upper example, all queues
MYQUEUE2*
are included. UsingMYQUEUE2EX1, MYQUEUE2EX2
, you can exclude two queues from the set. - Include Clients
-
Limit upper defined queue names to a list of specified clients. Leave this field blank to get qRFC queues from all clients. Multiple clients can be entered separated by a comma. You can use spaces before or after a separating comma since they are ignored. Wildcard
*
is supported.Example:
800, 9*
- Excluded Clients
-
Define one or a set of clients which are to be excluded from the include set above. For multiple clients, the same applies as for Include Clients. In the upper example, all queues
9*
are included. Using910, 911
, you can exclude two clients from the set. - All/Any
-
Define if all conditions provided must match a queue to be reported or if any of the conditions is enough.
- Queue is reported as hanging or erroneous
-
Condition is matched if the status of the queue is marked as erroneous or hanging by the SAP system. Examples:
CPICERR
,SYSFAIL
, and others. - Status of Queue is one of
-
Using this option you can exactly define which status a queue must have to match the condition. You can specify a list of status strings either separated by comma or spaces.
- Status of Queue is not one of
-
As before but the other way round: you might for example want to have all status reported except one which is the OK status.
- Number of queued entries is >=
-
Condition matches if the number of queued entries is equal to or above the given threshold.
- Age of oldest queued entry is >=
-
Condition matches if the age of the oldest (i.e. the first) queued entry is equal to or above the given threshold. The format is days/hours/minutes, with the digit followed by the one-letter abbreviation of the unit, i.e. d/h/m. You use more than one unit, e.g.
1d 12h
or1h 30m
.
SAP_REPORT
Run your own ABAP monitoring report.
The SAP_REPORT Custom Check allows you to execute an arbitrary ABAP report available in the SAP System. The report result must have the following structure:
-
First Line: The keywords
OK
,WARNING
, orCRITICAL
(case sensitive!) -
Following lines: Any free text displayed as check message.
-
Each line has a maximum length of 256 characters.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Report
-
Fill in the name of the report
- Variant
-
Define optionally the variant of the report.
The variant has to be defined in the logon client of the RFC user.
If you receive an error detailing PROG_NOT_WHITELISTED after activating this custom check, please refer to this article: Avantra allow list for ABAP Reports |
SAP_SYS_CHANGE_OPTIONS
Monitors SAP system change options against user configured given values.
The SAP_SYS_CHANGE_OPTIONS {custom-check} is available for SAP ABAP systems and monitors SAP system change options (configured in transaction SE06
) against user configured given values. You may, for example, make sure that for a production system all system change options are set to _Not modifiable. This can be easily configured and then monitored by this Custom Check.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Software Component
-
Enter the technical name of the software component you want to apply a rule for. You can define multiple entries separated by a comma. Any blank spaces before or after the comma will be ignored. Wildcard
*
is supported as well. - Namespace/Name Range
-
Enter the technical ID of the namespace you want to apply a rule for. You can define multiple entries separated by a comma. Any blank spaces before of after the comma will be ignored. Wildcard
*
is supported as well. - Exclude (optional)
-
Optionally exclude software components or namespaces from include rule before. For example, you may want to apply the Not modifiable rule to all software components using
*
but want to exclude componentsLOCAL
andHOME
. - Rule
-
Define the rule you want to check on the set of software components/namespaces defined. Select either:
Modifiable must be
,Modifiable must NOT be
,Software component/namespace must exist
,Software component/namespace must not exist
- Modifiable
-
Define the Modifiable given value for this rule. As in transaction SE06, for software change options, you have the choice between 4 options. For namespaces, there are only two, modifiable or not.
- Tag
-
Free text field to add a custom reference which will appear in the check output. This might be useful in Service Level Reports to document a certain paragraph or the like.
- Status if Rule is violated
-
Define the status if the rule is violated, either Warning or Critical. The overall Check status will be the worst of all rules.
SAP_WEB_SERVICE_MONITOR
New custom check for Webservice Message Monitor
The SAP_WEB_SERVICE_MONITOR Custom Check will monitor messages as seen in the ABAP Webservices message monitor (transaction SRT_MONI).
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Check Cycle |
Basic |
Depends on |
- Processing Status Group
-
Processing status group; refer to your SAP system for the existing status group IDs.
- Max. Messages
-
The maximum number of messages to be selected.
- Monitor Window Minutes
-
Number of minutes from now to check for errors in the web service message monitor. If zero (0), this will default to 60 minutes.
- Include Sender Interfaces
-
Filter for including sender interface(s). The format is comma-separated without spaces, i.e., AttachmentFolderReplicationRequest_Out, Customer*
- Include Receiver Interfaces
-
Filter for including receiver interface(s). The format is comma-separated without spaces, i.e., AttachmentFolderReplicationRequest_In, Business*
- Warning Threshold
-
Configures warning threshold for SAP_WEB_SERVICE_MONITOR check based on the number of records returned.
- Critical Threshold
-
Configures critical threshold for SAP_WEB_SERVICE_MONITOR check based on the number of records returned.
SAP_WORKFLOW_ERRORS
Monitor SAP workflow errors.
The SAP_WORKFLOW_ERRORS Custom Check monitors the SAP system and retrieves information about SAP workflow errors.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Client
-
Specify the SAP clients where to collect workflow errors from. If empty, the client defined for the SAP RFC user is used. Multiple clients are supported.
- Days
-
Specify the number of days from today to check for workflow errors. If blank, then all errors are selected without date limitation.
- Task
-
Set the filter for SAP_WORKFLOW_ERRORS check. The format is comma-separated without spaces, i.e., TS90000017,TS90000018,TS90000017.
- Warning
-
Configure the warning threshold for SAP_WORKFLOW_ERRORS check based on the number of records returned.
- Critical
-
Configure the critical threshold for SAP_WORKFLOW_ERRORS check based on the number of records returned.
SAP_WORKFLOW_EVENT_QUEUE
This Custom Check monitors the SAP workflow event queue data.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Days
-
Number of days from today to check for event queue errors. If blank, then it defaults to 7 days.
- Object Type
-
Filter for including object type(s). The format is comma-separated without spaces, i.e., ADDRESS, BUS20* Default is all object types.
SAP_WP_Overview
Monitor SAP Systemwide Work Process Overview (SM66) for specified instances in the SAP System
This check retrieves the SAP Systemwide Work Process Overview data for all or specified SAP instances in Avantra.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- SAP Instances
-
Add systems to monitor. Wildcard
*
is supported, use comma for multiple values - WP Type
-
Select the work process type, e.g., BTS (Background), DIA (Dialog), SPO (Spool), etc.
- Processing time Warning
-
Define a Warning threshold for processing time
- Processing time Critical
-
Define a Critical threshold for processing time
- Usage Warning
-
Configure the percentage threshold value for used work process types (i.e., DIA, BTC, etc.) that should be returned as a Warning if the “used” percentage of the selected work process [type] goes above the specified value
- Usage Critical
-
Configure the percentage threshold value for used work process types (i.e., DIA, BTC, etc.) that should be returned as a Critical if the “used” percentage of the selected work process [type] goes above the specified value
SECURITY_AUDIT_LOG
Monitor the security audit log of ABAP systems.
The SECURITY_AUDIT_LOG Custom Check provides monitoring of the security audit log of SAP ABAP systems. It corresponds to what can be done with transaction SM20
, so you will find the config of this custom check equal to what can be done in the transaction’s user interface. The evaluation works across all instances.
This Custom Check requires the API for RSUSR002 to determine users according to complex selection criteria. It is available starting from SAP Basis 7.50, but as well for older SAP releases back to 7.00. However, the older releases have to be on a certain support package level, please see SAP Note 1930238 – SUIM: API for RSUSR002 for more information about which support package is required for the corresponding release. |
For systems with SAP Basis release 7.50 and above: The SECURITY_AUDIT_LOG works no matter if the security audit log recording target is set up as |
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Time interval (in minutes)
-
The time to search back in the audit log from the point in time the check is evaluated. This time configures as well how long entries are displayed. If you set up the check for RealTime Monitoring, reasonable values would be 60 or 120 minutes. In case you may want to run it as Daily Checks, e. g. to document additionally on a daily basis, you might want to enter 1440 minutes, for one day.
- Clients (wildcard * allowed)
-
Define the clients to filter the audio log records. If you specify
*
, all clients in the system are checked, except the ones on the exclude list. - Exclude clients (optional)
-
Exclude clients from being checked. This makes sense if
*
is used as the client list above. - Users (wildcard * allowed)
-
Define the users you want to check, again wildcard
*
might be useful to specify a certain selection. If you don’t want to filter on users, you can as well leave this field blank. - Exclude users (optional)
-
Exclude users from being checked. This makes sense if you want to check all users except those for whom it is well known that records exist.
- Msg ID (wildcard * allowed)
-
Directly define 3 characters audit message IDs to query for. You can use wildcard
*
to use to specify selections for example useAU*
to query for all message IDs stat start withAU
. You can leave this field as well blank and filter on whole audit classes. If used together with audit classes, both selections are linked by and OR operation. - Exclude Msg ID (optional)
-
Exclude message IDs from being checked. This makes sense if a range with
*
is used as the message IDs and you want to exclude individual message IDs.
All lists items in the clients, users, and message ID fields are to be separated by , . Trailing or leading spaces are ignored.
|
- Audit Classes — Dialog Logon, RFC/CPIC Logon, …
-
Filter for the selected audit classes. If you do not specify anything, this is the same as select for all. If used together with message ID selection, both criteria are linked by an OR operation.
- Event Type
-
Filter on the type of event, choose either
All
,Severe and Critical
, orOnly Critical
. - Warn Count/Crit Count
-
Specifies the number of records that are to be found to turn the check result status to the corresponding check status. For example, if you want to check to be Critical starting from one found record, enter 1 into the Crit Count field.
If you don’t enter a number in one of the Warn/Crit Count fields, the check result will be Ok. This might be useful for a check which is intended for info purposes only. |
SECURITY_AUDIT_LOG_CONFIG
Monitor the security audit log configuration of ABAP systems.
The SECURITY_AUDIT_LOG_CONFIG Custom Check provides monitoring of the security audit log configuration of SAP ABAP systems. It corresponds to what can be done with transaction SM19
or RSAU_CONFIG
, so you will find the config of this custom check equal to what can be done in the transaction’s user interface. With this Custom Check you can define audit classes (Classic event selection) or message IDs (Detail event selection) which must be checked on your SAP system for a specific set of clients and a specific set of users. If your SAP system does NOT have these audit classes or message IDs set, the check reports a Critical or Warning status.
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Event Selection
-
SAP ABAP systems provide two transactions to configure security audit log configuration:
SM19
andRSAU_CONFIG
. WhileSM19
provides only basic selection criteria, the newerRSAU_CONFIG
provides much more detailed configuration settings.
If the security audit log configuration is configured with transaction SM19
, then use the Classic selection.
If the security audit log configuration is configured with transaction RSAU_CONFIG
, then use the Detail selection.
- Clients (select all with *)
-
Define the clients for which you want to check the security audit log configuration. If you specify
*
, the security audit log configuration must be set on all clients. - Users (select all with *)
-
Define the users for which you want to check the security audit log configuration. If you specify
*
, the security audit log configuration must be set for all users. - Event Prio (Classic only)
-
Define the event priority which must be set for the defined client(s) and users(s). Choose either
All
,Severe and Critical
, orOnly Critical
. - Audit Classes — Dialog Logon, RFC/CPIC Logon, … (Classic only)
-
Mark the audit class which must be selected for the defined client(s) and users(s). You cannot deselect the System Events checkbox, this is always enabled from SAP by default.
- Msg IDs (Detail only)
-
Setting the security audit log for specific message IDs can be configured in
RSAU_CONFIG
and only inDetail event selection
. Directly define the 3 characters audit message IDs to check for. Wildcards * are supported. - Status if rule does not match
-
Report this
status
if your SAP system does not have the required security audit log configuration for the defined client(s) and users(s). - Tag
-
Use this optional
tag
to show a specific message for this check in the check result. Free text field to add a custom reference which will appear in the check output. This might be useful in Service Level Reports to document a certain paragraph or the like.
All lists items in the clients, users, and message ID fields are to be separated by , . Trailing or leading spaces are ignored.
|
SQL_QUERY
Query the database of the Managed Object and evaluate result data.
The SQL_Query Custom Check can be used to create Database Checks with a user-defined SQL query and an optional user-defined evaluation logic.
It is available on both standalone databases and SAP System type managed objects.
You need a Java Virtual Machine 1.8.0_65 or higher in order to make use of all functions of this Check. |
Usually, you will define some JavaScript code
to provide evaluation logic that operates on the result set returned by the SQL query.
However, in a simpler case, you can use the Alias Column Syntax with aliases xandria_message
and xandria_status
to add a check message and set the check status.
The rows in a xandria_message
column are concatenated, and the worst row value of xandria_status
defines the check status of the Custom Check.
Managed Object |
Dynamic Group or Static Group of SAP Systems, Databases |
Depends on |
- SQL Query
-
Define the SQL SELECT statement to perform on the Database. Update, delete, and other queries which could modify data will not be executed for security reasons.
See also this document SQL_Query Custom Check.
This field features Custom Check Macros and Custom Monitoring Parameters. - Evaluation Script
-
Define a JavaScript code snippet to provide the evaluation logic. See API Documentation below on how to use the provided API.
See also this document SQL_Query Custom Check.
If the SQL query is simple and no evaluation logic is necessary, there is an option to write an SQL query without writing an evaluation script. Define the following columns in your query:
- xandria_status
-
the status of the actual row. The values must be 2 for CRITICAL, 1 for WARNING, 0 for OK, -1 for UNKNOWN
- xandria_message
-
the check message of the actual row
Example:
select xx as xandria_status, yy as xandria_message, … from … where …
Avantra Agent executes the query above. Then all xx values (xandria_status
) are read and the worst one defines the overall status of the check. After that all yy values (xandria_message
) are read. The agent computes a check message with those values. Finally, all other fields are read and a table is created for you which shows the result values.
Use the database functions case when else (depends on your RDBMS) to create an appropriate check status and check message.
USER_PROFILES
Verify user profile assignments of SAP ABAP systems.
The USER_PROFILES Custom Check allows the monitoring of user profiles and role assignments in SAP ABAP systems. This helps to ensure and continuously monitor, that there are no users with too many permissions. For example, if any user (except system users) have the SAP_ALL
and/or SAP_NEW
profiles assigned.
Please checkout as well the solution document USER_PROFILES Custom Check Examples, it provides various examples which are a good starting point to apply your organization’s rules.
This Custom Check requires the API for RSUSR002 to determine users according to complex selection criteria. It is available starting from SAP Basis 7.50, but as well for older SAP releases back to 7.00. However, the older releases have to be on a certain support package level, please see SAP Note 1930238 – SUIM: API for RSUSR002 for more information about which support package is required for the corresponding release. |
This Custom Check is designed to work cross client, although the Avantra RFC user is defined in one specific client only. For other clients than the one specified by the RFC user, the Avantra Agent logs on with the same credentials. So you need to make sure, that the same user is maintained in any client you want to have user authorisations checked. |
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Clients
-
Define the clients the user profiles and roles are to be checked. If you specify
*
, all clients in the system are checked, except the ones on the exclude list. - Exclude clients
-
Exclude clients from being checked. This makes sense if
*
is used as the client list above. - Users
-
Define the users you want to check. If you want to check all users, you can simply leave this field blank or enter
*
. - Exclude users
-
Exclude users from being checked. This makes sense if all users are to be checked
*
is used in the user list above. For example, you might want to exclude certain system users, likeSAP*
orDDIC
.
All lists items in the clients and users fields need to be separated by , . Trailing or leading spaces are ignored.
|
- Find users who have — all profiles and all roles below (AND)
-
The check will search for users which have all profiles and all roles listed assigned. In the real world, it makes sense to check for profiles and roles separately, for example, to run a check which checks for
SAP_ALL
andSAP_NEW
profiles. - Find users who have — at least one of the authorization objects below (OR)
-
The check will search for users which have any of the profiles or roles listed assigned. This would be the right choice to check for users which have
SAP_ALL
orSAP_NEW
profiles assigned. - Profiles
-
List of profiles to search for separated by
,
. Trailing or leading spaces are ignored. - Roles
-
List of roles to search for separated by
,
. Trailing or leading spaces are ignored. - Check is check status if users are found matching criteria
-
Select the severity of the check result if users are found. Possibly only Critical and Warning make sense here.
WIN_SERVICE
Monitor if Microsoft Windows Services are running.
The WIN_SERVICE Custom Check allows you to monitor if a certain Service on a Microsoft Windows host is or is not running. This Custom Check has no effect on Unix-like operating systems.
Managed Object |
Dynamic Group or Static Group of Servers, SAP Instances, SAP Systems, stand-alone Databases |
Depends on |
- Service Name
-
Define the display name or the technical service name in this field. You can find the technical Service Name in the field Service Name of the General tab in the Properties of the respective service.
Use the Services snap-in of the Microsoft Management Console. The display name is consequently shown in the Display Name field at the same tab. You must not use the executable name.
This field may contain Custom Check Macros.
- Status If Service Is Running
-
Select the check status in case the service is running.
- Else
-
Select the check status in case the service exists but is not running.
- Status if service does not exist
-
Select the check status in case the service does not exist.
USER_AUTHORIZATIONS
Verify user authorizations of SAP ABAP systems.
The USER_AUTHORIZATIONS Custom Check allows the monitoring of user authorizations in SAP ABAP systems. This helps to ensure and continuously monitor, that there are no users with too much or the wrong set of permissions. Organizations often require to segregate different duties, so if a certain user has a given authorization A, they must not have authorizations B and/or C. This kind of check can be done with USER_AUTHORIZATIONS as well.
Please also see this solution document USER_AUTHORIZATIONS Custom Check Examples, which provides various examples which are a good starting point to apply your organization’s rules.
This Custom Check requires the API for RSUSR002 to determine users according to complex selection criteria. It is available starting from SAP Basis 7.50, but as well for older SAP releases back to 7.00. However, the older releases have to be on a certain support package level, please see SAP Note 1930238 – SUIM: API for RSUSR002 for more information about which support package is required for the corresponding release. |
This Custom Check is designed to work cross client, although the Avantra RFC user is defined in one specific client only. For other clients than the one specified by the RFC user, the Avantra Agent logs on with the same credentials. So you need to make sure, that the same user is maintained in any client you want to have user authorisations checked. |
Managed Object |
Dynamic Group or Static Group of SAP Systems |
Depends on |
- Clients (wildcard * allowed)
-
Define the clients the user authorizations are to be checked. If you specify
*
, all clients in the system are checked, except the ones on the exclude list. - Exclude clients (optional)
-
Exclude clients from being checked. This makes sense if
*
is used as the client list above. - Users (wildcard * allowed)
-
Define the users you want to check, again wildcard
*
might be useful to check all users. - Exclude users (optional)
-
Exclude users from being checked. This makes sense if
*
is used in the user list above. For example, you might want to exclude certain system users, likeSAP*
orDDIC
.
All lists items in the clients and users fields need to be separated by , . Trailing or leading spaces are ignored.
|
- Find users who have — all authorization objects below (AND)
-
The check will search for users which match all of the authorization objects specifications listed below.
- Find users who have — at least one of the authorization objects below (OR)
-
The check will search for users which at least one of the authorization objects specifications listed below. This is especially useful to check that important authorizations are not given to any user, except some users.
- Find users who have — first authorization object and at least one of the following authorization objects (OR)
-
This specific condition is intended for segregation scenarios. If a user matches the first row, all the following rows starting from 2 to n are checked, and if a least one of 2-n matches, the whole condition is true.
- Check is Status if users are found matching criteria
-
Choose a check status, mostly Critical or Warning cause usually you would search for unwanted authorizations.
- Authorization Object
-
This is the authorization object to be checked. For example, to check for permission to maintain users, you would enter
S_USER_GRP
. See the corresponding SAP transaction. - Field
-
This corresponds to the authorization object. In the case of the example with
S_USER_GRP
the field would beACTVT
, i. e. an authorizations activity. - Value
-
The value of the corresponding field to check. In the case of activities
ACTVT
, these are numbers, but it could as well be transaction codes, i. e. text strings. Multiple values are separated by spaces or commas. - Value Condition
-
Either Select users having all listed values, or Select users having at least one of the listed values. This way you could for example, select for forbidden activities of a certain authorization object in one line.