R/3 upgrade

Former Member · ‎07-13-2008

Guys,

I understand that system upgrades are done in pieces eg: 1- DEV,2- QA,3-PRD. As soon as it is done for DEV, we can run su25 and update the customer tables.And similarly for QA and PRD.But for QA and PRD we just transport the newly filled tables form DEV.From my understanding we dont need sap_new profile any of the users in DEV,QA.But for PRD do we need sap_new profile? as the business runs in production will the system upgrades affect the users authorization? or once it is upgraded ,just transport the tables from QA without assingnig sap_new to any of the end users??

jurjen_heeck · ‎07-13-2008

If you transport the customer tables your upgraded roles need to be transported as well. As long as that hasn't happened you may need SAP_NEW. Also, (I think) SAP_NEW will only cover newly installed authorization objects, not newly activated checks on existing objects.....

Wether the upgrade will influence enduser authorizations is something you'll only know after upgrading DEV (or an equivalent sandbox for that matter) and following all steps in SU25. Maintain all affected roles and make sure they're transported and assigned properly before you allow your endusers to log on to your upgraded production system.

Former Member · ‎07-14-2008

Thanks, Maintain all affected roles and make sure they're transported and assigned properly before you allow your endusers to log on to your upgraded production system.?

How can I stop the end users not to access the system until all the roles are transported to PRD?

jurjen_heeck · ‎07-14-2008

> How can I stop the end users not to access the system until all the roles are transported to PRD?

By locking their accounts. tr. SU10 for instance

Former Member · ‎07-14-2008

> How can I stop the end users not to access the system until all the roles are transported to PRD?

Another popular way is transaction EWZ5 - part of the Euro Converter tools. I recommend reading the instructions before you click on "Lock All".

As far as I know, users (except DDIC in 000 perhaps) cannot logon anyway while the actual upgrade is running. Though I am not sure of that.

Cheers,

Julius

Edited by: Julius Bussche on Jul 14, 2008 9:12 AM

Transaction name corrected.

Former Member · ‎07-13-2008

According to [the docs|http://help.sap.com/saphelp_nw70/helpdata/EN/8a/7b553efd234644e10000000a114084/frameset.htm] you should assign it to all users in the system in which you are revising your authorization concept.

The term "development system" is not explicitly mentioned, but I think that is what the author meant.

Cheers,

Julius

Former Member · ‎07-13-2008

>


> The term "development system" is not explicitly mentioned, but I think that is what the author meant.
> 
> Cheers,
> Julius

Considering what is usually in SAP_NEW, you wouldn't really want it in prod.....

Former Member · ‎07-13-2008

>


> Considering what is usually in SAP_NEW, you wouldn't really want it in prod.....

The docs above even state that not only should the assignment of SAP_NEW in the "authorization review system" be removed after the upgrade of the roles, but the profile itself should be deleted.

It is not uncommon to find long SAP_NEWs assigned to users with SAP_ALL, who don't know about report RSUSR406. One would think that anyone trusted with access such as SAP_ALL, should know that.

Could make a good interview question

Cheers,

Julius

Former Member · ‎07-13-2008

> It is not uncommon to find long SAP_NEWs assigned to users with SAP_ALL, who don't know about report RSUSR406. One would think that anyone trusted with access such as SAP_ALL, should know that.

To give someone the benefit of the doubt, they may have found the button in SU21...or maybe not.

jurjen_heeck · ‎07-13-2008

>


> One would think that anyone trusted with access such as SAP_ALL, should know that.

Oh, the amount of people who are oblivious to the true concept/contents of SAP_ALL.... it is often seen as the miracle cure.

I had to look up the report name today, after you mentioned it. The button in SU21 I did know. (sigh of relief here, thanks Alex!)

Former Member · ‎07-13-2008

> I had to look up the report name today, after you mentioned it. The button in SU21 I did know. (sigh of relief here, thanks Alex!)

I use SU21 too! I only remember the other way from reading audit reports

Former Member · ‎07-13-2008

>


> I use SU21 too! I only remember the other way from reading audit reports

Are you guys making fun of me?

Actually, there are some other ways as well...

- When new objects are added to the pre-upgrade SAP_ALL, it needs to be regenerated: the system first deletes the authorizations of SAP_ALL to regenerate it with all the new ones. However, as RSUSR406 contains authority-checks, you should ensure that you have only a PFCG role authorized for profile generation and not only SAP_ALL when doing this, or alternately use report AGR_REGENERATE_SAP_ALL.

- Transport an object to the system. During import, the system will automatically regenerate SAP_ALL, unless SAP note 439753 is applied (Bernhard recently mentioned that in another thread).

- Implement SAP note 1064621 from a different client.

I can think of a few more, but that should be okay to move on to the next question now...

Cheers,

Julius

Former Member · ‎07-14-2008

>

> Are you guys making fun of me?

Not intentionally