Security upgrade objectives, Process and approaches

Objectives

The upgrade of the SAP Security infrastructure has the following objectives:

· Converting manual profiles created via SU02 to activity groups, as SAP recommends the use of Profile Generator (PFCG) for the maintenance of profiles;

· Adding new transactions representing additional functionality to the applicable activity groups;

· Adding the replacement transactions that aim at substituting obsolete or old-version transactions, including the new Enjoy transactions;

· Adjusting the new authorization objects that SAP added for the new release; and

· Ensuring that all existing reports, transactions and authorizations still function as expected in the new release of SAP.

2.2. Overview of the Security upgrade process

Once the Development system has been upgraded to 4.6, the security team will need to perform the following steps as part of the Security Upgrade:

· Convert Report Trees to Area Menus;

· Review users (via SU01) to check for any new or changed fields on the user masters;

· Convert manual profiles created via SU02 to Activity Groups (See Approaches below);

· Compare SU24 customer settings to new SAP default settings (SU25 steps 2A-2C);

· Determine which new / replacement transactions have to be added to which activity groups (SU25 step 2D);

· Transport the newly-filled tables USOBT_C and USOBX_C that contain the SU24 settings you’ve made (SU25 step 3); and

· Remove user assignments to the manual profiles.

2.3. Approaches to convert manual profiles to Activity Groups:

2.3.1. Approach #1: SAP’s standard utility SU25

SAP provides a utility for converting Manual Profiles to Activity Groups and for identifying the new and replacement transactions that need to be added to each activity group.

You can access this utility by typing “SU25” in the command box.

If you do decide to use SU25 Step 6 to convert the Manual profiles to activity groups, you will need to watch out for the following “gotchas”:

Naming convention (T_500yyyyy_previous name)

All activity groups created before SU25 is run are renamed to T_500yyyyy_previous name.

See OSS note 156196 for additional information and procedures to rename the activity groups back to their original names using program ZPRGN_COPY_T_RY_ARGS. Carefully review information regarding the loss of links between profiles and user master records.

Transaction Ranges

Ranges of transactions are not always added correctly to the newly-created activity groups. Some of the transactions in the middle of the range are occasionally left off. For example, suppose you have a transaction range of VA01 – VA04 for a specific manual profile. After the SU25 conversion, the new Activity Group contains only VA01 and VA04. Transactions VA02 and VA03 were not added.

It is important that a complete download of table UST12 is done prior to running SU25. Once SU25 has been run, a new download of UST12 can be done to identify which transactions have been dropped off.

The missing transaction codes will need to be added manually to the relevant activity group via PFCG.
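The UST12 before/after comparison described above can be scripted. The following is an added example, not part of the original article or of any SAP tooling. It assumes each UST12 download has been reduced to the rows for object S_TCODE, field TCD, and saved as AUTH;VON;BIS, that a list of existing transaction codes (for example from table TSTC) is available, and that you supply the mapping from each old authorization to its converted counterpart; the sample rows, authorization names and mapping are constructed.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample data. Assumed layout: UST12 rows already filtered to
# OBJCT = S_TCODE, FIELD = TCD, exported as AUTH;VON;BIS.
BEFORE = """AUTH;VON;BIS
Z_SALES01;VA01;VA04
Z_SALES01;VL0*;
"""
AFTER = """AUTH;VON;BIS
T-SALES0100;VA01;
T-SALES0100;VA04;
T-SALES0100;VL01;
T-SALES0100;VL02;
"""
# Transaction codes that exist in the system (assumed export, e.g. from TSTC).
KNOWN_TCODES = ["VA01", "VA02", "VA03", "VA04", "VA05", "VL01", "VL02", "ME21"]
# Hypothetical mapping: old manual authorization -> converted authorization.
AUTH_MAP = {"Z_SALES01": "T-SALES0100"}


def covered(export_text, known):
    """Return {AUTH: set of known tcodes that its TCD values allow}."""
    result = {}
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        von, bis = row["VON"].strip(), (row["BIS"] or "").strip()
        for tcode in known:
            if bis:   # range VON..BIS (plain string order, uppercase codes)
                hit = von <= tcode <= bis
            else:     # single value, or a pattern such as VL0*
                hit = fnmatchcase(tcode, von)
            if hit:
                result.setdefault(row["AUTH"], set()).add(tcode)
    return result


def dropped_tcodes(before_text, after_text, known, auth_map):
    """Per converted authorization: tcodes allowed before SU25 but not after."""
    before, after = covered(before_text, known), covered(after_text, known)
    report = {}
    for old, new in auth_map.items():
        missing = before.get(old, set()) - after.get(new, set())
        if missing:
            report[new] = sorted(missing)
    return report


if __name__ == "__main__":
    for auth, tcodes in dropped_tcodes(BEFORE, AFTER, KNOWN_TCODES, AUTH_MAP).items():
        print(auth, "is missing:", ", ".join(tcodes))
```

Expanding ranges against the list of existing transaction codes is what exposes VA02 and VA03 here: a row-by-row text diff of the two downloads would only show that the range row was replaced by single values.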

Missed “new” transactions

The output of one of the steps in SU25 is a list of the new replacement transactions (e.g. Enjoy transactions) that need to be added per activity group. For example, transaction ME21N replaces ME21. The list will identify each activity group that contains ME21 and to which ME21N needs to be added.

In some cases SU25 does not identify all new transactions to be added.

2.3.2. Approach #2: Manual reconstruction of Profiles as Roles (Activity Groups)

An alternative approach to SU25 is to manually create an activity group for each manual profile that was created via SU02.

The advantage of this approach is that you won’t have any missing transactions that were “dropped off” with the SU25 conversion.
