Activity list for SAP Security Upgrade

• Post upgrade - Execute SU25 - Step 2A, 2B

• Post upgrade - Execute SU25 - Step 2C

• Post upgrade - Execute SU25 - Step 2D

• Post upgrade - Authorization changes post SSUA

• Post upgrade - New functionalities

• Post upgrade –Support

Security Upgrade Procedure

The Security Upgrade can be broadly classified intodifferent tasks :

• Make Security & Role Modifications

• Execute transaction SU25 steps 2A-2D to identify roles, authorization

objectsthat have been impacted

• Use IBM SSUA tool to perform the Security Upgrade.

• Add/modify/delete authorization objects/values.

• Check password / login instance profile parameters.

Sụ25 Screen

The SU25 Transaction

This transaction is used to populate the customer tables of the Profile
Generator the first time the Profile Generator is used, or update the customer
tables after an upgrade.

The customer tables of the Profile Generator are used to add a copy of the
SAP default values for the check indicators and field values.

These check indicators and field values are maintained intransaction SU24. If
you have made changes to check indicators, you can compare these with the
SAP default values and adjust your check indicators as needed.

SU25 Steps

Step 1: Initially Fill the Customer tables:

If you have not yet used the Profile Generator or you want to add allSAP
default values again, use the initial fill procedure for the customer tables.

Step 2: Post-Processing the Setting after upgrading to a higher release

2a: Preparation- Compare with SAP values.

2b: Compare Transactions.

2c: Roles to be checked.

2d: Display changed transaction code.

SU25 Steps (continued)

Steps2a to2d:
If you have used the Profile Generator in an earlier Release and want to
compare the data with the new SAP defaults after an upgrade, use Steps 2a
to 2d. Execute the steps in the order specified here.

Step2a: Preparation- Compare with SAP values.

Step 2a is used to prepare the comparison and must be executed first.

Step2b: Compare Transactions.

If you have made changes to check indicators or field values in transaction

SU24, you can compare these with the new SAP default values.

The values delivered by SAP are displayed next to the values you have
chosen so that you can adjust them if necessary.

If you double-click on the line, you can assign check indicators and field
values. You maintain these as described in the documentation for transaction
SU24.
Note: On the list of transactions to be checked to the right of the list you can
see the status which shows whether or not a transaction has already been
checked. At first the status is set to be checked. If you choose the transaction
in the change mode and then choose save, the status is automatically set to
checked. By choosing the relevant menu option in the list of transactions you
can manually set the status to check without changing check indicators or
field values, or even reset this status to be checked. If you want to use the
SAP default values for all the transactions that you have not yet checked
manually, you can choose the menu option to copy the remaining SAP default
values.

SU25 Steps ( continued )

Step2c:Roles to be checked.
• You can determine which roles are affected by changes to
authorization data.

The corresponding authorization profiles need to be edited and

regenerated.

The affected roles are assigned the status "profile comparison

required".

• Alternatively you can dispense with editing the roles and manually
assign the users the profile SAP_NEW (make sure the profile SAP_NEW
only contains the sub profiles corresponding to your release upgrade.
This profile contains authorizations for all new checks in existing
transactions).The roles are assigned the status "profile comparison
required" and can be modified at the next required change (for
example, when the role menu is changed).This procedure is useful if a
large number of roles are used as it allows you to modify each role as
you have time.

• But this alternative should be avoided

The process can take several minutes. To go directly to the authorization data for a
role, double-click the relevant role in the output list. If you have roles in several
clients, you must perform this step in every client to determine which roles are
affected.

SU25 Steps ( continued )

Step2d: Display changed transaction codes.

Transactions in the R/3 System are occasionally replaced by one or more other
transactions. This step is used to create a list of all roles that contain transactions
replaced by one or more other transactions.

The list includes the old and new transaction codes. You can replace the
transactions in the roles as needed. Double-click the list to go to the role.

SU25 Steps ( continued )

Step 3: Transport the customer tables:

• This step transports the changes made in steps 1, 2a, and 2b.

• Tailoring the Authorization Checks This area is used to make changes to the
authorization checks. Changes to the check indicators are made in step 4.
 • Step 4 to 6 is not required for upgrade from 4.6C or from any other higher
version.

These steps are for upgrade from lower version of 4.6C.

Step 4: Check indicator (Transaction SU24):

• You can also go to Step 4 by calling transaction SU24

1. You can then change an authorization check within a transaction.

2. When a profile to grant the user authorization to execute a transaction is

generated, theauthorizations are only added to the Profile Generator when
the check indicator is set toCheck/Maintain.

• If the check indicator is set to do not check, the system does not check the
authorizationobject of the relevant transaction.

• You can also edit authorization templates that can be added to the
authorizations for a rolein the Profile Generator.These are used combine
general authorizations that many users need.SAP delivers a number of
templates that you can add directly to the role, or copy and thencreate your
own templates, which you can also add to roles.

• See the general documentation for the meaning of the check indicators.

Step 5: Deactivate authorization object Globally:

• In step 5 you can deactivate authorization objects system wide.

Step 6: Create roles from manually created profiles ± Copy data from old profiles:
• In step 6 you can create roles from authorization profiles that you generated
manually. You then need to tailor and check these roles.

• See documentation for the Profile Generator and for changing check
indicators