Function TH_SERVER_LIST failed due to missing authorizations

This function mainly fails if the RFC user defined in the configured ABAP connection is missing the required authorization (object S_TCODE and transaction SM51) to call the function TH_SERVER_LIST on the remote S/4HANA system.

A typical scenario is when you add a new SAP system in CrystalBridge Monitoring and the standard function TH_SERVER_LIST is executed on the remote system to retrieve the list of its available servers. If the RFC user is missing the required authorization, the call of this function fails, and the following message is raised in CrystalBridge Monitoring:

  • Executed FM ‘TH_SERVER_LIST’ on RFC ‘<RFC_NAME>’ failed with error (RC=<RC>) Missing authorization S_TCODE for t-code ‘SM51’.

On the S/4HANA system, a new authorization check for the object S_TCODE and transaction SM51 was added to be able to execute the standard SAP function TH_SERVER_LIST.

The default authorization roles (administration role and remote user role) already contain this authorization, and the RFC user must have one of these two authorization roles assigned. For more information about these roles, see the chapter Users and Authorization roles.

Troubleshooting Steps

This chapter provides an overview of the steps you can perform to check if all requirements were met before continuing with the processing.

1. Check the SAP system information

First, check which SAP_BASIS version is installed on the SAP system and if this system fulfills the SAP system prerequisites. If it is supported, also check if the remote SAP system is an S/4HANA system because the issue mentioned here relates to S/4HANA systems only.

If the affected system is not an S/4HANA system, please create a ticket in the SNP Support Portal with the following information:

  • The SAP_BASIS version and all SAP components installed on the affected SAP system

  • The version of CrystalBridge Monitoring that is installed on the central and remote SAP system(s)

  • A list of authorizations assigned for the RFC user on the remote system

  • All available details about the function failure (system logs, runtime errors, etc.)

2. Check the configured ABAP connection

Start transaction SM59 and find the configured ABAP connection that is used for the remote SAP system. Check if the RFC user defined in this ABAP connection is valid. For example, check that it exists on the system and that it is not locked .

3. Check the authorizations of the RFC user defined in the ABAP connection

The quickest way to identify missing authorizations for the RFC user is to start transaction SU53 and check the missing authorizations for the RFC user on the remote system.

By default, transaction SU53 displays the missing authorizations for the current dialog user who executed this transaction. Therefore, you need to display the missing authorizations by specifying the name of the RFC user.

If you do not find relevant information in transaction SU53, you can additionally check the user authorizations. Proceed as follows to do so:

  1. Check if the RFC user has the user role Administration or Remote assigned as previously mentioned.

    • If the required role is not assigned (neither any copied custom role), check manually if the user has authorization for the object S_TCODE and transaction SM51.

    • If the user does not have the required authorization, assign the required authorization role to this user or add authorization for this object manually.

  2. Check if the assigned authorization roles containing the required object and transaction code (either the default role or a custom role) is generated on the remote SAP system

    • If the authorization profile of the assigned role is not generated, this user does not have any authorizations included in this role. Because this authorization profile must be generated, ask your SAP Basis team to generate this profile in order to assign all authorizations to the RFC user.

If the above steps are successful, the RFC user now has all the required authorizations to call the function TH_SERVER_LIST on the remote SAP system without any authorization issues.