12-02-2010 4:13 AM
Hello Gurus,
we are upgrading our systems to ECC 6.0 from 4.6C.
in SU25 step, do i need to manually go into every role and find the differences in Field values ?
there are more than 2500 roles and its becoming tedious task.
Is there any easy or other procedure available for the same ?
Regards,
Chaitanya
12-02-2010 12:05 PM
Hello All,
our requirements are such that we need so many roles.
we folow strict SOD, audits etc etc.
that's not the question at this point of time. we can discuss the requiremnt of so many roles later.
Current scenario is , many people might have done upgrades before.
does anyone used any better procudure for SU25(c) step or do we need to manually conpare roles between both versions ?
12-02-2010 6:05 AM
12-02-2010 8:14 AM
12-02-2010 9:37 AM
Krishna,
there are many many new transactions and authorization objects in ECC 6.0 over 4.6c.
Each of those represents functionality which may or may not be relevant to your upgraded way of using ECC 6.0.
How could you possibly automate this? You will have to bite the bullet and look at the changes. I just hope you have well maintained roles (i.e. with proper use of PFCG / SU24) which will make the task a lot easier.
And yes, definitely look at the recommended posts by Julius.
Frank.
12-02-2010 9:44 AM
Hello All,
We have around 18k roles in our system of them SU25(C) showed around 2500 roles to maintain.
So we have to manually go to every role in both ECC 6.0 and 4.6C and find out what are the new objects,new filed values recommended by SAP etc etc.
is it possible to maintain an RFC b/w both systems and compare AGR tables ?
has anyone done such before ?
12-02-2010 9:57 AM
Hi Krishna,
18000 Roles.. pretty intresting. How many users you have? I first advise to relook at your security design. It is very high and hard to maintain with so many number of roles.
However, yes you can compare the roles. Goto SUIM transaction and you have an option to compare roles thru RFC.
An alternative is to get the data from AGR_TCODES, and USOBT_C to perform a comparison. But the challenge is with the # of roles and tcodes in it. If you are manually downloading the table contents, use Excel 2007 or the latest, since there is no restriction of 65535 rows.
Hope this helps!!
Regards,
Raghu
12-02-2010 11:02 AM
Raghu,
if you don't care about security/compliance you might just as well add SAP_NEW to every user and be done with it - that's the equivalent of what you're proposing
The issue at hand is that
- there are new transactions that you might want to assign to users to succeed the 4.6c ones, which may enhance productivity
- the new authorization objects have not been added just to annoy upgrading customers. They either are necessary to make the transactions work in ECC, or they provide additional/changed security options. There IS no way to automatically upgrade. YOu have to talk to your functional people and find out how the changes affect them.
Frank.
12-02-2010 11:22 AM
Hi Frank,
I wonder on why you have replied to me. Is your response goes to Krishna? My recommendations above never says to skip SU25 checks. I was just making him understand on the complexity with managing 18000 roles and recommending him to reduce them further, since managing them would be easy, before they upgrade. As per him there are 2500 roles which needs to be adjusted. If he has to do it manually, just imagine how many man hours it require. Hope you agree with me?
Rgds,
Raghu
Edited by: Raghu Boddu on Dec 2, 2010 5:29 PM
12-02-2010 12:24 PM
Apologies, thought you were recommending some kind of automated role fixes...read you wrong there.
Regards,
Frank.
12-02-2010 12:05 PM
Hello All,
our requirements are such that we need so many roles.
we folow strict SOD, audits etc etc.
that's not the question at this point of time. we can discuss the requiremnt of so many roles later.
Current scenario is , many people might have done upgrades before.
does anyone used any better procudure for SU25(c) step or do we need to manually conpare roles between both versions ?
12-02-2010 12:09 PM
Hi Krishna,
There is no other alternative. You have to check and fix the individual roles before you proceed further.
Regards,
Raghu
12-02-2010 1:09 PM
There are many tricks you can use to shave a role upgrade down to about 2 day's work, but day 1 is during the implementation design way back when to consider upgrades much later on...
Just knowing that you have 18k roles and 2500 turned red in step 2a is not enough infos to give you any efficient advice (I am not talking about your time... ;-).
What is however obvious is that between 2a and 2c there is 2... ah...?!?! That is your next closest catalyst, but dont hit the "accept SAP data" button unless you have not done any changes in SU24!
Some other key figures for upgrades are:
- Number of roles with distinctly different menus.
- Number of changed auths which are not copies.
- Number of manual auths needing manual adjustments.
- Obsolete and disabled objects.
- Security patches for unnoticed missing auth-checks.
- Cut-over, development freeze and parallel maintenance time period.
Cheers,
Julius
12-03-2010 4:47 AM