on 04-09-2014 1:14 PM
Hi,
We have recently upgraded our development ECC system to ECC 6.0 EHP 6 from EHP4. We found there are lot of roles affected by
the upgrade in step 2c of SU25.All the proposed changes are due to step 2a which updates the objects/transactions which were never modified by the customer.
While we are still analysing the roles in DEV, the production upgrade date is fast approaching.
Is it advisable to upgrade the Production now and perform the SU25 in DEV later and promote the roles to Production after proper testing in QA?
or is it something we have to do immediately after the upgrade before releasing it to the end users?
Thank you in advance,
Silver
Hi Silver Surfer
Is it advisable to upgrade the Production now and perform the SU25 in DEV later and promote the roles to Production after proper testing in QA?
Do you mean - is it okay for EHP6 to be applied to Production and fix the security later? If so....
Your risk is if new authorisations checks have been introduced to existing transactions that are in design then users may start to receive authorisations errors. If you are willing to risk a flood of annoyed users complaining of lack of access it is technically possible.
Though, if you are moving from EHP4 to EHP6 was security testing along with functionality testing? If so, you may have covered a large portion of the risk.
As far as SU25 goes, it is to assist with fixing up SU24 values based on SAP proposals. Once you need to make changes to SU24 you need to adjust the roles (As per you Step 2c). I've been at places where they made the decision to execute Steps 2a and 2b and then go into PFCG for each impacted role and deactivate the new proposals (i.e. SU24 updated but PFCG remains unchanged from authorisation perspective). This approach enabled them to "technically" complete the security steps and move a transport through to test environment. However, they were relying on security testing of the roles to identify authorisations issues. If issue was identified, they would then fix the role.
Whatever your approach with SU25 is.... security roles need to be tested as part of an upgrade.
Regards
Colleen
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello
Is it advisable to upgrade the Production now and perform the SU25 in DEV later and promote the roles to Production after proper testing in QA?
or is it something we have to do immediately after the upgrade before releasing it to the end users?
Not a good practice. I would get this first adapted before starting the upgrade on the next system.
You may read these SAP notes which provides the recommendations.
1539556 - FAQ Administration of authorization default values
727536 - FAQ| Using customer-specific organizational levels in PFCG
Regards
RB
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I would suggest to fix the adjustments before move to production (atleast most used roles based on priority). As it might affect users in production directly after the upgrade.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
76 | |
9 | |
8 | |
7 | |
6 | |
5 | |
5 | |
5 | |
5 | |
5 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.