Security Upgrade

NOTE MARCH 2011

Security upgrade

SAP® systems are upgraded on a frequent basis, and as part of such
an upgrade the security requires special attention as well.

While new authorization objects are introduced - even in purely technical
upgrade scenarios - additional relations between authorization objects
and transactions are also updated in the corresponding SAP® standard
tables amongst a lot of other things.
To benefit from these new implementations, and to make sure that
code integrated authority-checks are reflected in the profile generator
appropriately, the PFCG tool requires an upgrade together with the
affected elements of a security concept, as e.g. roles.

The security upgrade is actually an important enabler for stable
SAP® authorization environments and should be part of every
SAP® upgrade and Enhancement Pack scenario.

Starting point is transaction SU25 – a tool for the profile generator
upgrade that leads through the individual steps.

 How to perform a profile generator upgrade [SU25]


 
Exhibit: Transaction SU25

1.    Initially Fill the Customer Tables   
The first step is only required if you have a fresh installation and are using
the profile generator for the first time, or if you want to refill the tables.

2.    A. Preparation: Compare with SAP values
This step will provide the delta between the SAP® standard tables USOBT
and USOBX and the respective custom tables USOBT_C and USOBX_C.
The changes from the SAP® standard tables will be updated in the custom
tables. To transport these tables you have to perform step 3 later on.   

2.    B. Compare Affected Transaction   
In this step an overview of affected transaction will be displayed that were
maintained by the customer in SU24 [maintaining SU24 for SAP® standard],
and have been updated by SAP® with the upgrade now. It can be determined
whether the customer specific entries are to be kept or to be adapted
based on the SAP® suggestions that come in with the upgrade.   

2.  C. Roles To Be Checked   
This step will provide an overview of the roles that are actually affected
by the upgrade. The roles can be worked on individually according to
prioritization, and can then be transported.   

2. D. Display Changed Transaction Codes   
Sometimes SAP® transactions are replaced or become obsolete.
This step will provide the necessary overview. Per double-click the
affected transactions can be replaced by SAP® suggestions.

3.    Transport of Customer Tables   
This step will allow you to transport the changes performed in
2.A. and B. The tables mentioned above will be completely transported
[not only the delta].   

4.    Check Indicator (Transaction SU24)   
This Step is optional and relates to step 2.B.   

5.    Deactivate Authorization Object Globally   
This is a link to transaction AUTH_SWITCH_OBJECTS that allows
you to switch off authorization objects for checks globally.   

6.    Copy Data from Old Profiles   
This step is only required if you actually are using the PFCG
and roles for the first time. This step will support you to convert
your formerly used profiles into roles in different steps.   

! NOTE   

The integrated button  "Information about this transaction"
provides some additional helpful information.

 
Filename/Title Größe
Note_03_11_Security_Upgrade.pdf 25.07 KB