Thursday, March 29, 2012

SAP Security related activities in Upgrade

The SAP system profile parameter auth/no_check_in_some_cases must have the value "Y". If it is set to "N", change it to "Y": this value activates the Profile Generator and the evaluation of the SU24 check indicators, which all of the SU25 steps below depend on.

If roles were already in use in the source release, they must be updated after the upgrade. Transactions in the menus of existing roles may be protected by additional authorization objects in the target release, so both the customer tables USOBT_C and USOBX_C and the existing roles have to be brought up to date.

Transaction SU25 is used to fill the customer tables of the Profile Generator the first time the Profile Generator is used, and to update those customer tables after an upgrade.

1. SU25
Step 2A

Compares the new USOBT and USOBX tables with USOBT_C and USOBX_C, i.e. the Profile Generator data of the previous release with the data of the current release. New SAP default values are written into the customer tables of the Profile Generator.

Step 2B
Compares the customer tables with the new SAP defaults and lets you take over new transactions and updated entries into tables USOBX_C and USOBT_C.

If you changed check indicators or field values in transaction SU24, you can compare them with the new SAP defaults here: the values delivered by SAP and the values you changed are shown side by side, and you can adjust them if desired.

Steps 2A and 2B change the customer tables of the Profile Generator. To transport these changes, choose step 3 in transaction SU25. Before implementing any change in the system, obtain business approval for all role changes; steps 2C and 2D identify the affected roles and the new transaction codes introduced in the target release.

Step 2C

This step guides you through all roles that are affected by newly added authorization checks and that have to be changed accordingly. The corresponding authorization profiles need to be edited and regenerated; you can jump directly to role maintenance (PFCG) from here.

Step 2C also lists the new roles delivered by SAP.

When you open the affected roles one by one, the authorization objects touched by the upgrade carry a status that tells you where they came from:

1. Standard, New: authorization objects newly proposed in the target release for a transaction in the role menu.

2. Manually, New: authorization objects that had been added to the role manually in the old system; some of their values may have been updated as well.
3. Standard, Updated: objects whose SAP default values you had kept unchanged and which SAP has now changed (compare the check indicators and field values in SU24).
4. Maintained, New: objects for which new organizational-level fields were introduced; their values have to be maintained.

After maintaining all new authorization objects, save the role and generate the profile. Back in SU25, step 2C shows every role with a green light once it has been saved and generated.

After generating all profiles in step 2C, continue with step 2D.

Step 2D
This step lists the affected roles with their old transaction codes and the corresponding new transaction codes.
If the business wants to use the new transaction code, replace the old one by choosing "automatically adjust menu"; otherwise choose "manually adjust menu" and generate the profile.
That a new transaction code appears in step 2D does not mean the old one no longer exists in the target release; check each transaction individually. Some transactions really are gone: for example, RZ02 has been replaced by RZ20 in ECC 6.0 and no longer exists there.
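The comparison that steps 2A to 2C perform, worked through on exported tables as an added example (this is not code from the original post and SAP ships no such script): new SAP defaults are merged into the customer table, values the customer had changed in SU24 are kept and reported for the side-by-side comparison of step 2B, and the roles whose menu transactions picked up a new Check/Maintain proposal are listed as step 2C would. The extracts, the role menus and the OKFLAG coding (X = Check/Maintain, Y = Check, N = Do not check, U = Unmaintained) are assumptions constructed for the example; verify the coding against SU24 in your own release.

```python
"""Offline simulation of SU25 steps 2A, 2B and 2C on exported check-indicator
tables. All data below is constructed sample data, keyed like USOBX/USOBX_C
(NAME = transaction, OBJECT = authorization object, OKFLAG = check indicator).
"""

# Assumed OKFLAG coding; verify against the SU24 help of your release.
CHECK_MAINTAIN, CHECK, NO_CHECK, UNMAINTAINED = "X", "Y", "N", "U"

SAP_USOBX_OLD = {                                # USOBX of the source release
    ("FB01", "F_BKPF_BUK"): CHECK_MAINTAIN,
    ("FB01", "F_BKPF_KOA"): CHECK_MAINTAIN,
    ("MM01", "M_MATE_WRK"): CHECK_MAINTAIN,
    ("MM01", "M_MATE_STA"): NO_CHECK,
    ("RZ02", "S_RZL_ADM"): CHECK_MAINTAIN,
}
SAP_USOBX_NEW = {                                # USOBX of the target release
    ("FB01", "F_BKPF_BUK"): CHECK_MAINTAIN,
    ("FB01", "F_BKPF_KOA"): CHECK_MAINTAIN,
    ("FB01", "F_BKPF_BES"): CHECK_MAINTAIN,      # object newly proposed for FB01
    ("MM01", "M_MATE_WRK"): CHECK_MAINTAIN,
    ("MM01", "M_MATE_STA"): CHECK_MAINTAIN,      # SAP changed the default N -> X
    ("VA01", "V_VBAK_VKO"): CHECK_MAINTAIN,      # transaction new to the customer table
}                                                # RZ02 is no longer delivered
CUST_USOBX_C = {                                 # USOBX_C as maintained before the upgrade
    ("FB01", "F_BKPF_BUK"): CHECK_MAINTAIN,
    ("FB01", "F_BKPF_KOA"): NO_CHECK,            # customer switched this check off in SU24
    ("MM01", "M_MATE_WRK"): CHECK_MAINTAIN,
    ("MM01", "M_MATE_STA"): NO_CHECK,            # customer kept the old SAP default
    ("RZ02", "S_RZL_ADM"): CHECK_MAINTAIN,
}
ROLE_MENUS = {                                   # constructed role -> menu transactions
    "Z_FI_CLERK": ["FB01", "FB03"],
    "Z_MM_MASTER": ["MM01"],
    "Z_SD_ORDER": ["VA01"],
    "Z_BASIS_MON": ["RZ02"],
}


def step_2a(sap_old, sap_new, cust):
    """Merge the new SAP defaults into the customer table.

    Returns (merged customer table, [(key, kind)] rows written, [(key, customer
    flag, new SAP flag)] conflicts). An entry that differs from the OLD SAP default
    was maintained by the customer in SU24: it is never overwritten, only reported.
    """
    merged = dict(cust)
    changed, conflicts = [], []
    for key, new_flag in sap_new.items():
        cust_flag, old_flag = cust.get(key), sap_old.get(key)
        if cust_flag is None:                    # no customer entry yet
            merged[key] = new_flag
            changed.append((key, "standard new"))
        elif cust_flag != old_flag:              # customer-maintained value
            if cust_flag != new_flag:
                conflicts.append((key, cust_flag, new_flag))
        elif cust_flag != new_flag:              # SAP default kept, SAP changed it
            merged[key] = new_flag
            changed.append((key, "standard updated"))
    return merged, changed, conflicts


def step_2b(conflicts):
    """Side-by-side view of customer value and new SAP default, as 2B shows it."""
    return [{"tcode": k[0], "object": k[1], "customer": c, "sap": s}
            for k, c, s in conflicts]


def step_2c(merged, changed, role_menus):
    """Roles whose menu transactions gained or changed a Check/Maintain proposal.
    Only those proposals add authorizations when the profile is generated, so
    only those roles need editing and regeneration."""
    affected = {}
    for role, tcodes in role_menus.items():
        rows = [(key[0], key[1], kind) for key, kind in changed
                if key[0] in tcodes and merged[key] == CHECK_MAINTAIN]
        if rows:
            affected[role] = rows
    return affected


def transactions_without_defaults(sap_new, cust):
    """Transactions in the customer table that have no SAP defaults in the target
    release: candidates for the manual existence check of step 2D."""
    return sorted({k[0] for k in cust} - {k[0] for k in sap_new})


if __name__ == "__main__":
    merged, changed, conflicts = step_2a(SAP_USOBX_OLD, SAP_USOBX_NEW, CUST_USOBX_C)
    for row in step_2b(conflicts):
        print("2B compare:", row)
    for role, rows in step_2c(merged, changed, ROLE_MENUS).items():
        print("2C role:", role, rows)
    print("no SAP defaults in target release:",
          transactions_without_defaults(SAP_USOBX_NEW, CUST_USOBX_C))
```

Run as-is it reports the customer's "Do not check" on F_BKPF_KOA as the one 2B conflict, three roles for 2C, and RZ02 as a transaction to verify by hand; the "Do not check" rows are the ones worth a second look, because each one switches an authority check off for every role containing that transaction.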

Step 3
This step transports the changes made in steps 1, 2A and 2B.

Tailoring the Authorization Checks
This area is used to change the authorization checks themselves. Changes to the check indicators are made in step 4; you can also reach step 4 by calling transaction SU24 directly.

You can then change the authorization check of an object within a transaction:

1. When a profile is generated to grant a user authorization to execute a transaction, an authorization is only added by the Profile Generator when the check indicator of the object is set to Check/Maintain.
2. If the check indicator is set to Do not check, the system does not check that authorization object in the relevant transaction at all. Such entries switch a check off for every role that contains the transaction, so review them as part of the upgrade.

Review items:
Security-related parameters
Compare the security-related profile parameters of the old release with those of the current release and check for changed defaults and for values that were not carried over.
Review the users in SU01 for new or changed fields on the user master records; check background user IDs in particular for the authorizations they need, so that batch jobs are not cancelled after the upgrade.
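The parameter review above, together with the auth/no_check_in_some_cases requirement at the top of the post, as an added example (not code from the original post, and not an SAP tool): two extracts of report RSPARAM from the source and target systems are parsed, the effective values are diffed, and the result is checked against a baseline. The tab-separated layout of the extracts, their values and the baseline are constructed assumptions; only the requirement that auth/no_check_in_some_cases be "Y" comes from the post.

```python
"""Compare security-relevant profile parameters across an upgrade and check
them against a baseline. Input is a constructed, tab-separated rendering of
report RSPARAM (parameter name, user-defined value, system default value);
an empty user-defined value means the system default is in effect.
"""

# Constructed extracts; the values are sample data, not from a real system.
RSPARAM_OLD = """\
Parameter Name\tUser-Defined Value\tSystem Default Value
auth/no_check_in_some_cases\tY\tN
login/min_password_lng\t8\t6
login/fails_to_user_lock\t\t5
"""
RSPARAM_NEW = """\
Parameter Name\tUser-Defined Value\tSystem Default Value
auth/no_check_in_some_cases\t\tN
login/min_password_lng\t\t6
login/fails_to_user_lock\t\t5
"""

# Required values. The first entry is the post's own requirement; add your
# organisation's hardening baseline here (assumed, not from the post).
BASELINE = {
    "auth/no_check_in_some_cases": "Y",
}


def parse_rsparam(text):
    """Return {parameter: effective value}; the header row is skipped and a
    blank user-defined column falls back to the system default."""
    params = {}
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        name, user_val, default = (line.split("\t") + ["", ""])[:3]
        params[name.strip()] = user_val.strip() or default.strip()
    return params


def compare_parameters(old, new):
    """(name, old effective, new effective) for every parameter whose effective
    value changed, including parameters present on only one side."""
    return [(name, old.get(name), new.get(name))
            for name in sorted(set(old) | set(new))
            if old.get(name) != new.get(name)]


def check_baseline(params, baseline=BASELINE):
    """(name, actual, required) for each baseline entry the system violates."""
    return [(name, params.get(name), want)
            for name, want in baseline.items() if params.get(name) != want]


if __name__ == "__main__":
    old, new = parse_rsparam(RSPARAM_OLD), parse_rsparam(RSPARAM_NEW)
    for name, was, now in compare_parameters(old, new):
        print(f"changed: {name}: {was!r} -> {now!r}")
    for name, actual, want in check_baseline(new):
        print(f"VIOLATION: {name} is {actual!r}, must be {want!r}")
```

With the sample data the diff shows that both user-defined values were lost in the target profile, and the baseline check flags auth/no_check_in_some_cases as "N"; the point of running the diff rather than only the baseline is that it also surfaces parameters you never thought to put in the baseline.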

1 comment:

Samantha said...

Thank you for this post...! I was looking for something exactly like this. Will be upgrading from 5 to 6 with EHP6. Do you know if there are any security implications or gotchas of which I need to be aware or plan for ahead of time? Is SU25 the only upgrade tcode Security uses? Is anything done with SU24?