Solved: SAP Security Upgrade 4.6C to ECC 6.0

Former Member · ‎12-02-2010

Hello Gurus,

we are upgrading our systems to ECC 6.0 from 4.6C.

in SU25 step, do i need to manually go into every role and find the differences in Field values ?

there are more than 2500 roles and its becoming tedious task.

Is there any easy or other procedure available for the same ?

Regards,

Chaitanya

Former Member · ‎12-02-2010

Hello All,

our requirements are such that we need so many roles.

we folow strict SOD, audits etc etc.

that's not the question at this point of time. we can discuss the requiremnt of so many roles later.

Current scenario is , many people might have done upgrades before.

does anyone used any better procudure for SU25(c) step or do we need to manually conpare roles between both versions ?

Former Member · ‎12-02-2010

This message was moderated.

Former Member · ‎12-02-2010

Hi,

Julius has already added a few threads/wikis in the thread "[A collection of threads: FAQ's, intros and memorable discussions|;". Why to re-invent the wheel again

Regards,

Raghu

koehntopp · ‎12-02-2010

Krishna,

there are many many new transactions and authorization objects in ECC 6.0 over 4.6c.

Each of those represents functionality which may or may not be relevant to your upgraded way of using ECC 6.0.

How could you possibly automate this? You will have to bite the bullet and look at the changes. I just hope you have well maintained roles (i.e. with proper use of PFCG / SU24) which will make the task a lot easier.

And yes, definitely look at the recommended posts by Julius.

Frank.

Former Member · ‎12-02-2010

Hello All,

We have around 18k roles in our system of them SU25(C) showed around 2500 roles to maintain.

So we have to manually go to every role in both ECC 6.0 and 4.6C and find out what are the new objects,new filed values recommended by SAP etc etc.

is it possible to maintain an RFC b/w both systems and compare AGR tables ?

has anyone done such before ?

Former Member · ‎12-02-2010

Hi Krishna,

18000 Roles.. pretty intresting. How many users you have? I first advise to relook at your security design. It is very high and hard to maintain with so many number of roles.

However, yes you can compare the roles. Goto SUIM transaction and you have an option to compare roles thru RFC.

An alternative is to get the data from AGR_TCODES, and USOBT_C to perform a comparison. But the challenge is with the # of roles and tcodes in it. If you are manually downloading the table contents, use Excel 2007 or the latest, since there is no restriction of 65535 rows.

Hope this helps!!

Regards,

Raghu

koehntopp · ‎12-02-2010

Raghu,

if you don't care about security/compliance you might just as well add SAP_NEW to every user and be done with it - that's the equivalent of what you're proposing

The issue at hand is that

- there are new transactions that you might want to assign to users to succeed the 4.6c ones, which may enhance productivity

- the new authorization objects have not been added just to annoy upgrading customers. They either are necessary to make the transactions work in ECC, or they provide additional/changed security options. There IS no way to automatically upgrade. YOu have to talk to your functional people and find out how the changes affect them.

Frank.

Former Member · ‎12-02-2010

Hi Frank,

I wonder on why you have replied to me. Is your response goes to Krishna? My recommendations above never says to skip SU25 checks. I was just making him understand on the complexity with managing 18000 roles and recommending him to reduce them further, since managing them would be easy, before they upgrade. As per him there are 2500 roles which needs to be adjusted. If he has to do it manually, just imagine how many man hours it require. Hope you agree with me?

Rgds,

Raghu

Edited by: Raghu Boddu on Dec 2, 2010 5:29 PM

koehntopp · ‎12-02-2010

Apologies, thought you were recommending some kind of automated role fixes...read you wrong there.

Regards,

Frank.

Former Member · ‎12-02-2010

Hello All,

our requirements are such that we need so many roles.

we folow strict SOD, audits etc etc.

that's not the question at this point of time. we can discuss the requiremnt of so many roles later.

Current scenario is , many people might have done upgrades before.

does anyone used any better procudure for SU25(c) step or do we need to manually conpare roles between both versions ?

Former Member · ‎12-02-2010

Hi Krishna,

There is no other alternative. You have to check and fix the individual roles before you proceed further.

Regards,

Raghu

Former Member · ‎12-02-2010

There are many tricks you can use to shave a role upgrade down to about 2 day's work, but day 1 is during the implementation design way back when to consider upgrades much later on...

Just knowing that you have 18k roles and 2500 turned red in step 2a is not enough infos to give you any efficient advice (I am not talking about your time... ;-).

What is however obvious is that between 2a and 2c there is 2... ah...?!?! That is your next closest catalyst, but dont hit the "accept SAP data" button unless you have not done any changes in SU24!

Some other key figures for upgrades are:

- Number of roles with distinctly different menus.

- Number of changed auths which are not copies.

- Number of manual auths needing manual adjustments.

- Obsolete and disabled objects.

- Security patches for unnoticed missing auth-checks.

- Cut-over, development freeze and parallel maintenance time period.

Cheers,

Julius

Former Member · ‎12-03-2010

Thanks Julius,

will check the same.

Regards,

Chaitanya