SAP security upgrade
Pre-Steps in SAP security upgrade:
1. Verify that SU25 step 1 was executed correctly in the Development system. This is normally done once during installation and must not be repeated: running step 1 again overwrites the customer tables USOBX_C and USOBT_C with the SAP defaults and wipes out all your SU24 changes.
2. Compare your SU24 settings between DEV, QAS and PRD. They can diverge when changes were not transported, or when the target systems were opened and changed directly.
3. Also verify whether any data was changed in SU22 (never change SU22: it maintains the SAP-delivered defaults in USOBX/USOBT; customer changes belong in SU24).
4. Before upgrading roles you no longer use, consider deleting the obsolete ones. First check that the role is not assigned to ANY user in ANY client of the transport domain; otherwise the import events will not allow its deletion. Roles can currently only be deleted manually in the system, and you must capture them in a transport beforehand. For mass deletion of roles (be careful!) and for transporting roles in general, see SAP Notes 313587 and 571276.
After the upgrade:
1. Remember to transport all your SU24 changes through to PRD. This matters if you need to (or accidentally do) open a role in QAS or PRD and want the same proposals there, and it is essential for the "No check" indicators: without it the same role would behave differently in each system.
2. After the upgrade steps are completed, verify in transaction SUPC that all roles have current generated profiles.
The SAP system profile parameter auth/no_check_in_some_cases must have the value "Y". If it is set to "N", change it: the Profile Generator requires it, and the SU24 check indicators are only evaluated when it is set to "Y".
If roles were already used in the source release, they must be updated. Transactions in the menus of existing roles may be protected by additional authorization objects in the target release, so tables USOBT_C and USOBX_C have to be updated, and the existing roles with them.
Transaction SU25 is used to fill the customer tables of the Profile Generator the first time the Profile Generator is used, or to update the customer tables after an upgrade.
1. Transaction SU25
Step 1: Initially Fill the Customer Tables
This step is only required for a fresh installation where the Profile Generator is used for the first time, or if you deliberately want to refill the tables (which discards all SU24 customizing).
Step 2A: Preparation: Compare with SAP values
Compares the new SAP tables USOBT and USOBX with the customer tables USOBT_C and USOBX_C, i.e. the Profile Generator data of the previous release with that of the current release. New default values are written to the customer tables of the Profile Generator.
Step 2B
Adds new transactions and updates to tables USOBX_C and USOBT_C.
If you have changed check indicators or field values in transaction SU24, you can compare them with the new SAP defaults. The values delivered by SAP and the values you changed are shown side by side, and you can adjust them if desired.
Hint:
Steps 2A and 2B change the customer tables of the Profile Generator.
To transport these changes, use step 3 in transaction SU25. Before implementing any changes in the system, obtain business approval for all role changes. Steps 2C and 2D clearly identify the affected roles and the new transaction codes introduced in the new release.
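The comparisons in pre-step 2 (SU24 settings across DEV, QAS and PRD) and in steps 2A/2B (SAP defaults against the customer tables) can be prepared offline from table downloads. The following Python script is an added example, not part of the original article or of SAP's own tooling. It assumes tab-separated exports of USOBX/USOBX_C and USOBT/USOBT_C with a header row using the SAP column names, the OKFLAG encoding given in the comments, and sample rows that are constructed for this example (real object names, invented settings). It rates a "Do not check" that exists on one side only as the most serious divergence, because that is the case where the same role produces different authority-check results in each system.

```python
"""Offline comparison of SU24 data between two sources (e.g. DEV vs. PRD,
or SAP defaults USOBX/USOBT vs. customer tables USOBX_C/USOBT_C).
Input format assumed: tab-separated table download with a header row
using the SAP column names. All sample rows are constructed for this example.
"""
import csv
import io

# Assumed encoding of the OKFLAG (check indicator) column in USOBX/USOBX_C.
OKFLAG = {
    "X": "Check/Maintain",  # checked at runtime and proposed in PFCG
    " ": "Check",           # checked at runtime, not proposed in PFCG
    "N": "Do not check",    # authority check suppressed for this transaction
    "U": "Unmaintained",
}
SEVERITY = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}


def parse_usobx(text):
    """Return {(tcode, object): okflag} for transaction entries (TYPE = 'TR')."""
    rows = csv.DictReader(io.StringIO(text), delimiter="\t")
    return {(r["NAME"], r["OBJECT"]): (r["OKFLAG"] or " ")
            for r in rows if r["TYPE"] == "TR"}


def parse_usobt(text):
    """Return {(tcode, object, field): {(low, high), ...}} for TYPE = 'TR'."""
    out = {}
    for r in csv.DictReader(io.StringIO(text), delimiter="\t"):
        if r["TYPE"] == "TR":
            out.setdefault((r["NAME"], r["OBJECT"], r["FIELD"]), set()).add(
                (r["LOW"], r["HIGH"]))
    return out


def diff_check_indicators(src, tgt, src_name="SRC", tgt_name="TGT"):
    """Compare check indicators per (tcode, object).
    HIGH: 'Do not check' on one side only (runtime behaviour differs).
    MEDIUM: both sides check, but proposal/maintenance status differs.
    INFO: entry exists on one side only (new or dropped SU24 entry)."""
    findings = []
    for key in sorted(set(src) | set(tgt)):
        a, b = src.get(key), tgt.get(key)
        if a == b:
            continue
        if a is None or b is None:
            where, flag = (tgt_name, b) if a is None else (src_name, a)
            findings.append(("INFO", *key, f"only in {where}: {OKFLAG.get(flag, flag)}"))
        else:
            sev = "HIGH" if (a == "N") != (b == "N") else "MEDIUM"
            findings.append((sev, *key,
                             f"{src_name}={OKFLAG.get(a, a)}, {tgt_name}={OKFLAG.get(b, b)}"))
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1:3]))


def diff_field_proposals(src, tgt, src_name="SRC", tgt_name="TGT"):
    """Compare proposed field values per (tcode, object, field).
    A '*' proposal present on one side only is HIGH: roles generated there
    receive full access for that field, roles generated elsewhere do not."""
    findings = []
    for key in sorted(set(src) | set(tgt)):
        a, b = src.get(key, set()), tgt.get(key, set())
        if a == b:
            continue
        only_a, only_b = sorted(a - b), sorted(b - a)
        sev = "HIGH" if any(low == "*" for low, _ in only_a + only_b) else "MEDIUM"
        findings.append((sev, *key, f"{src_name} only {only_a}; {tgt_name} only {only_b}"))
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1:4]))


# Constructed sample exports (real SAP object names, invented settings).
DEV_USOBX = ("NAME\tTYPE\tOBJECT\tOKFLAG\n"
             "FB01\tTR\tF_BKPF_BUK\tX\n"
             "FB01\tTR\tF_BKPF_KOA\tN\n"
             "SE16\tTR\tS_TABU_DIS\tX\n"
             "SU01\tTR\tS_USER_GRP\tX\n")
PRD_USOBX = ("NAME\tTYPE\tOBJECT\tOKFLAG\n"
             "FB01\tTR\tF_BKPF_BUK\tX\n"
             "FB01\tTR\tF_BKPF_KOA\tX\n"
             "SE16\tTR\tS_TABU_DIS\tX\n"
             "SE16\tTR\tS_TABU_NAM\tX\n"
             "SU01\tTR\tS_USER_GRP\t\n")
DEV_USOBT = ("NAME\tTYPE\tOBJECT\tFIELD\tLOW\tHIGH\n"
             "FB01\tTR\tF_BKPF_BUK\tACTVT\t01\t\n"
             "FB01\tTR\tF_BKPF_BUK\tACTVT\t02\t\n"
             "FB01\tTR\tF_BKPF_BUK\tBUKRS\t$BUKRS\t\n")
PRD_USOBT = ("NAME\tTYPE\tOBJECT\tFIELD\tLOW\tHIGH\n"
             "FB01\tTR\tF_BKPF_BUK\tACTVT\t*\t\n"
             "FB01\tTR\tF_BKPF_BUK\tBUKRS\t$BUKRS\t\n")


def compare_systems():
    """Run both comparisons DEV -> PRD on the constructed exports."""
    indicators = diff_check_indicators(parse_usobx(DEV_USOBX), parse_usobx(PRD_USOBX), "DEV", "PRD")
    proposals = diff_field_proposals(parse_usobt(DEV_USOBT), parse_usobt(PRD_USOBT), "DEV", "PRD")
    return indicators, proposals


if __name__ == "__main__":
    indicators, proposals = compare_systems()
    for finding in indicators + proposals:
        print("\t".join(finding))
```

To use it on real systems, replace the constants with the contents of the downloaded tables from each system (or from USOBX/USOBT and USOBX_C/USOBT_C of the same system for the step 2A/2B comparison). Every HIGH finding on the check indicators is a case where a "No check" was set in one system only, which is exactly the divergence that transporting all SU24 changes is meant to prevent.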
Step 2C
This step guides you through all roles that are affected by newly added authorization checks and have to be adjusted accordingly. The corresponding authorization profiles must be edited and regenerated; you can jump directly to role maintenance (PFCG).
Step 2C also lists the new SAP roles introduced with the release.
When you open the affected roles one by one, the authorization objects touched by the upgrade fall into the following categories (shown as status in PFCG):
1. Standard New: new authorization objects that are proposed for the corresponding transaction in the new release.
2. Manually New: authorization objects that were added manually in the old system; some of their values may also have been updated.
3. Standard Updated: objects whose standard values you left unchanged in the old system and for which SAP has updated the default values (you can see this in the SU24 check indicators and proposals).
4. Maintained New: objects you had maintained in the old release for which new fields or field values (for example organizational levels) are now proposed.
After maintaining all new authorization objects, save the role and generate the profile. Back in SU25 step 2C, all roles should then show a green status, meaning they are saved and generated.
After generating all profiles in SU25 step 2C, you can proceed to step 2D.
Step 2D
This step lists the roles whose menus contain old transaction codes, together with the corresponding new transaction codes.
If the business wants to use the new transaction, replace the old one with "Automatically adjust menu"; otherwise use "Manually adjust menu" and regenerate the profile.
That a new transaction code appears in step 2D does not mean the old one no longer exists in the new system; check each transaction manually, because some really are gone. For example, RZ02 is replaced by RZ20 in ECC6, and RZ02 no longer exists in ECC6.
Step 3
This step transports the changes made in steps 1, 2A and 2B.
Tailoring the Authorization Checks: the following steps are used to change the authorization checks themselves.
Step 4: Check Indicators (Transaction SU24)
Changes to the check indicators are made in step 4; you can also reach it by calling transaction SU24 directly.
Here you change how an authorization object is checked within a transaction:
1. When a profile is generated for a role that contains the transaction, the Profile Generator only adds authorizations for objects whose check indicator is set to Check/Maintain.
2. If the check indicator is set to Do not check, the system does not check the authorization object at all for the relevant transaction (this requires auth/no_check_in_some_cases = Y). This skips the check for every user who starts the transaction, so review each "Do not check" entry deliberately and transport it consistently to all systems.
This step is optional and relates to step 2B.
Step 5: Deactivate Authorization Objects Globally
This step calls transaction AUTH_SWITCH_OBJECTS, which allows you to switch off authorization objects globally, i.e. the object is no longer checked anywhere in the system. Treat this as a last resort and document every object you deactivate.
Step 6: Copy Data from Old Profiles
This step is only required if you are using PFCG and roles for the first time. It supports you, in several sub-steps, in converting your formerly used manually created profiles into roles.