Security Upgrade

Page 1: Security Upgrade

Activity list for SAP Security Upgrade

Post upgrade - Execute SU25 - Step 2A, 2B
Post upgrade - Execute SU25 - Step 2C
Post upgrade - Execute SU25 - Step 2D
Post upgrade - Authorization changes post SSUA
Post upgrade - New functionalities
Post upgrade - Support

Security Upgrade Procedure

The Security Upgrade can be broadly classified into different tasks:

Make Security & Role Modifications
Execute transaction SU25 steps 2A-2D to identify roles, authorization objects that have been impacted
Use IBM SSUA tool to perform the Security Upgrade.
Add/modify/delete authorization objects/values.
Check password / login instance profile parameters.

SU25 Screen

The SU25 Transaction

This transaction is used to populate the customer tables of the Profile Generator the first time the Profile Generator is used, or update the customer tables after an upgrade. The customer tables of the Profile Generator are used to add a copy of the SAP default values for the check indicators and field values.

These check indicators and field values are maintained in transaction SU24. If you have made changes to check indicators, you can compare these with the SAP default values and adjust your check indicators as needed.

SU25 Steps

Step 1: Initially Fill the Customer tables:
If you have not yet used the Profile Generator or you want to add all SAP default values again, use the initial fill procedure for the customer tables.

Step 2: Post-Processing the Setting after upgrading to a higher release
2a: Preparation - Compare with SAP values.
2b: Compare Transactions.
2c: Roles to be checked.
2d: Display changed transaction code.

SU25 Steps (continued)

Steps 2a to 2d:
If you have used the Profile Generator in an earlier Release and want to compare the data with the new SAP defaults after an upgrade, use Steps 2a to 2d. Execute the steps in the order specified here.

Step 2a: Preparation - Compare with SAP values.
Step 2a is used to prepare the comparison and must be executed first.

Step 2b: Compare Transactions.

If you have made changes to check indicators or field values in transaction SU24, you can compare these with the new SAP default values. The values delivered by SAP are displayed next to the values you have chosen so that you can adjust them if necessary.

If you double-click on the line, you can assign check indicators and field values. You maintain these as described in the documentation for transaction SU24.

Note: In the list of transactions to be checked, the status shown to the right of the list indicates whether or not a transaction has already been checked. At first the status is set to "to be checked". If you choose the transaction in change mode and then choose save, the status is automatically set to "checked". By choosing the relevant menu option in the list of transactions, you can manually set the status to "checked" without changing check indicators or field values, or reset the status to "to be checked". If you want to use the SAP default values for all the transactions that you have not yet checked manually, you can choose the menu option to copy the remaining SAP default values.

SU25 Steps (continued)

Step 2c: Roles to be checked.

You can determine which roles are affected by changes to authorization data. The corresponding authorization profiles need to be edited and regenerated. The affected roles are assigned the status "profile comparison required".

Alternatively, you can dispense with editing the roles and manually assign the users the profile SAP_NEW. This profile contains authorizations for all new checks in existing transactions; make sure that SAP_NEW only contains the sub profiles corresponding to your release upgrade. The roles are assigned the status "profile comparison required" and can be modified at the next required change (for example, when the role menu is changed). This procedure is useful if a large number of roles are used, as it allows you to modify each role as you have time.

However, this alternative should be avoided, because SAP_NEW grants authorizations for all new checks in existing transactions rather than only those each role requires.

The process can take several minutes. To go directly to the authorization data for a role, double-click the relevant role in the output list. If you have roles in several clients, you must perform this step in every client to determine which roles are affected.

SU25 Steps (continued)

Step 2d: Display changed transaction codes.

Transactions in the R/3 System are occasionally replaced by one or more other transactions. This step is used to create a list of all roles that contain transactions replaced by one or more other transactions. The list includes the old and new transaction codes. You can replace the transactions in the roles as needed. Double-click the list to go to the role.

SU25 Steps (continued)

Step 3: Transport the customer tables:

This step transports the changes made in steps 1, 2a, and 2b.

Tailoring the Authorization Checks

This area is used to make changes to the authorization checks. Changes to the check indicators are made in step 4. Steps 4 to 6 are not required when upgrading from 4.6C or from any higher version.

These steps apply to upgrades from versions lower than 4.6C.

Step 4: Check indicator (Transaction SU24):

You can also go to Step 4 by calling transaction SU24.

1. You can then change an authorization check within a transaction.
2. When a profile to grant the user authorization to execute a transaction is generated, the authorizations are only added to the Profile Generator when the check indicator is set to Check/Maintain.

If the check indicator is set to do not check, the system does not check the authorization object of the relevant transaction.

You can also edit authorization templates that can be added to the authorizations for a role in the Profile Generator. These are used to combine general authorizations that many users need. SAP delivers a number of templates that you can add directly to the role, or copy and then create your own templates, which you can also add to roles.

See the general documentation for the meaning of the check indicators.
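
A simplified model of the comparison in Step 2b and of the "do not check" setting described in Step 4, added here as an example (it is not SAP's code and not part of the original slides): it compares a customer check-indicator export against the SAP defaults and lists disabled checks first for review. The CSV layout, the three indicator labels and the sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample exports (not from a real system). Column names and the
# three indicator labels are assumptions made for this example.
SAP_DEFAULTS = """tcode,object,indicator
VA01,V_VBAK_AAT,Check/Maintain
VA01,V_VBAK_VKO,Check/Maintain
FB01,F_BKPF_BUK,Check/Maintain
ME21N,M_BEST_EKO,Check/Maintain
"""
CUSTOMER = """tcode,object,indicator
VA01,V_VBAK_AAT,Check/Maintain
VA01,V_VBAK_VKO,do not check
FB01,F_BKPF_BUK,Check
"""

LABELS = {v.lower(): v for v in ("Check/Maintain", "Check", "Do not check")}
REVIEW_ORDER = ["CHECK_DISABLED", "CHANGED", "NEW_SAP_DEFAULT", "CUSTOMER_ONLY"]

def load(text):
    """Parse an export into {(tcode, object): canonical indicator}."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["indicator"].strip().lower()
        if raw not in LABELS:
            raise ValueError(f"unknown check indicator: {row['indicator']!r}")
        table[row["tcode"].strip().upper(), row["object"].strip().upper()] = LABELS[raw]
    return table

def compare(sap, customer):
    """List (kind, tcode, object, sap_value, customer_value) per difference."""
    findings = []
    for key in sap.keys() | customer.keys():
        s, c = sap.get(key), customer.get(key)
        if s == c:
            continue
        if c is None:
            kind = "NEW_SAP_DEFAULT"   # delivered by SAP, no customer entry
        elif s is None:
            kind = "CUSTOMER_ONLY"     # customer entry without SAP default
        elif c == "Do not check":
            kind = "CHECK_DISABLED"    # object not checked in this transaction
        else:
            kind = "CHANGED"
        findings.append((kind, *key, s, c))
    return sorted(findings, key=lambda f: (REVIEW_ORDER.index(f[0]), f[1:3]))

if __name__ == "__main__":
    print(*compare(load(SAP_DEFAULTS), load(CUSTOMER)), sep="\n")
```
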

Step 5: Deactivate authorization object Globally: In step 5 you can deactivate authorization objects system wide.

Step 6: Create roles from manually created profiles - Copy data from old profiles:

In step 6 you can create roles from authorization profiles that you generated manually. You then need to tailor and check these roles.

See the documentation for the Profile Generator and for changing check indicators.