Most Customers ask how do we know which all roles get impacted after an Upgrade or what would be the effort required to remediate the roles; Following is the approach
Important tables -
AGR_1251 - Authorization data for the activity group
AGR_TCODES - Assignment of roles to Tcodes
USOBT_C - Relation Transaction > Auth. Object (Customer)
USOBX_C - Check Table for Table USOBT_C
Steps related to Security to be performed during an Upgrade -
- SU25 - 2A - Preparation and Compare values with SAP Values - This step fills the USOBT_C and USOBX_C tables with SAP Standard values.
- SU25 - 2B - Compare Affected Transactions
- SU25 - 2C - Roles to be Checked
- SU25 - 2D - Display Changed Transaction Codes
To find out the effort required, even before you Upgrade the system follow the below steps, which can help you give a high level estimate of efforts -
SU25 - 2B - All the standard transactions which the customer modified authorizations will be available. Check the table USOBT_C excluding the modifier SAP, which gives all the Transactions modified by the customer. All the transactions displayed here in the source version will be listed in 2B step after Upgrade.
Check the tables AGR_1251 or AGR_TCODES, USOBT_C and USOBX_C, you will get the roles to transactions to Authorization Objects. Download that information. Get a simple program developed to compare the transactions, authorization objects with the same in ECC 6.0, list down all the new authorization objects introduced. Give this to customer and ask him to fill the values for the new auth objects, which can help to accelerate this step when you do the Upgrade as all the values are readily available.
SU25 - 2C - Go to Table AGR_1251, check all the customer roles with Modified status as G Maintained, M Modified and U Manual. All these roles will have to be modified after Upgrade.
SU25 - 2D - PRGN_CORR2 table has the list of transactions changed between versions. So the new transactions introduced will be listed here. Customer can take a decision to which new Tcodes to be assinged to which roles.
SU25 - 2D - PRGN_CORR2 table has the list of transactions changed between versions. So the new transactions introduced will be listed here. Customer can take a decision to which new Tcodes to be assinged to which roles.
Hope this info helps.
Note - Security Consultants and Experts, request you to check the and correct the approach.
No comments:
Post a Comment