Session Outline
SAP Upgrade Overview and Security Considerations (10 min)
Security Upgrade Approach, Key Decisions and General Considerations (10 min)
Detailed Security Upgrade Considerations (25 min)
Summary Lessons Learned (10 min)
Questions and Answers (5 min)
This has reduced the urgency to upgrade for some, but activity is still occurring.
4.0B
4.5A
(expired 10/99)
Starting Position
Key Point
Each option will have a different impact on the security approach and resource requirements
Several factors will have an impact on the complexity of the upgrade and the length of time required to perform it (security is one of the key factors)
LEVEL OF COMPLEXITY
[Figure: project timeline phases: Prep, Fit/Gap, Prod Build, Cutover Rehearsal]
Security Upgrade
Key Points
Security upgrade activities must start early in a project
Testing is key and starts early in the project
Security is key during rehearsal and cut-over
- Manually synch security transports to production after the cut-off date (user master record changes will not have to be included)
[Figure: system landscape with DV2, QA2, PRD and Rehearsal 4.6x (REH)]
Copy Production
Upgrade to 4.6x
Load Hot Packs
Import Transports
Validate the system
However, upgrading SAP security to v4.6x introduces new risks and challenges that require a significant work effort, most of which will be on the critical path
- Some redesign tasks needed for technical only upgrades
The need for redesign activities is affected by the following key factors
- Improperly maintained or designed roles from initial implementation
- Upgraded security structures
- Future with MySAP.com workplace
- Merge of BW functionality
[Figure: system architecture: R/3 System (FI, LO, HR); Partner, Consumer and Supplier Workplace]
As the system architecture becomes much more complex, many security issues beyond the application layer will need to be considered
In the workplace, attention to R/3 security role naming standards is key (e.g., see the R3 vs. WP in the user menu)
Small things can now have a major impact on the end-user's view of SAP
Access Requirements
(e.g., new t-codes, reports, BW Info-Catalog)
Terminology change: in v4.6c, single/composite activity groups became single/composite roles
[Figure: User; Composite Activity Groups; Activity Groups; Menu: T-codes, Web links, reports, etc.; Auth. Profiles; Service Rep]
Reports
Report trees are replaced with unique SAP transaction codes
More automation
Automatic regeneration of profiles after transport
For derived activity groups, automatic role variant maintenance (you can now push down authorization values vs. having to maintain each version manually)
Auto selection of maintenance type when editing an activity group
System Parameters
New parameters that control the user buffer and multiple log sessions
Alcatel Overview
In August 2000, an upgrade to SAP v4.6c & BW v2.0b was announced and the project officially began
In November 2000, Alcatel Canada completed the upgrade
Profile Generator was used for the maintenance of all activity groups / profiles
Composite profiles were not used in v4.0b
Important BW Considerations
Transaction codes are generally not relevant for end-users
Authorization objects for data restrictions must be customized
Current Restrictions
Report Tree migration
New Authorization Objects
Renaming of Activity Groups
New Authorization Concept of User Menus
Checks
mySAP.com
Other Questions
Will mySAP.com workplace and CUA be used? Having ESS in scope will be a key factor in this decision.
If HR position based security is used, will this be continued as part of the upgrade? Having mySAP.com workplace in scope will be a key factor in this decision.
If manual profiles are used, will they be transitioned to the profile generator (i.e., start using activity groups)?
Tested Security Roles and Cut-over
Updated End-user mapping
Performed Security Cut-over
Our approach was to convert channels into roles and have the BW security administrator maintain the channel administration
Process maintains all reports and end-user assignments
During an upgrade to v4.6x, the naming conventions change as follows:
Activity groups:
Old Name: ZF:100_000    New Name: T_50000450_ZF:100_000
Old Name: ZF:100_001    New Name: RY_50000451_ZF:100_001
(now includes the internal number)
Responsibilities:
Old Name: New Name: (now includes the internal number)
Since activity groups can NOT be renamed, a key decision needs to be made whether to rename them. Both options will have significant impact on the upgrade and security administration. Also, note that if the profiles from the activity group were directly assigned to a user in the old system, after the upgrade they will be lost from the start.
- In v4.6x, there is a new tab in the user master record for assigning activity groups
Correction Process
Develop v4.0x Download Format
Identify the Population of Transaction Codes that have changed
Work with Process Teams to determine Strategy
- Assign New Transaction, Remove Old
- Assign Old Transaction Only
- Allow Access to Both Old and New Transactions
- Read Old Status and Merge with New
- Profile Comparisons in SUIM (dependent on upgrade strategy)
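The three strategies above can be applied mechanically once the process teams have decided each changed transaction. The following is an added example, not part of the original presentation; the role names, t-codes and the plan_upgrade helper are constructed for illustration.

```python
# Added example: apply the agreed per-transaction strategy to role menus.
# Role names and t-codes are constructed sample data, not real SAP codes.
NEW_ONLY, OLD_ONLY, BOTH = "new_only", "old_only", "both"

# old t-code -> (new t-code, strategy decided with the process team)
DECISIONS = {
    "ZOLD1": ("ZNEW1", NEW_ONLY),
    "ZOLD2": ("ZNEW2", OLD_ONLY),
    "ZOLD3": ("ZNEW3", BOTH),
}
# every t-code the upgrade changed, including ones with no decision yet
CHANGED = {"ZOLD1", "ZOLD2", "ZOLD3", "ZOLD4"}

ROLE_MENUS = {
    "Z_BUYER": ["ZOLD1", "ZOLD3", "ZKEEP"],
    "Z_CLERK": ["ZOLD2", "ZKEEP"],
    "Z_AUDIT": ["ZOLD4"],
}


def plan_upgrade(role_menus, decisions, changed):
    """Return (new menus, undecided t-codes per role, roles holding old+new)."""
    menus, undecided, widened = {}, {}, {}
    for role, tcodes in role_menus.items():
        menu = []
        for tcode in tcodes:
            if tcode not in decisions:
                menu.append(tcode)  # unchanged, or changed but undecided
                if tcode in changed:
                    undecided.setdefault(role, []).append(tcode)
                continue
            new, strategy = decisions[tcode]
            if strategy in (OLD_ONLY, BOTH):
                menu.append(tcode)
            if strategy in (NEW_ONLY, BOTH):
                menu.append(new)
            if strategy == BOTH:
                # access grows here; list it so the old t-code can be retired
                widened.setdefault(role, []).append((tcode, new))
        menus[role] = list(dict.fromkeys(menu))  # drop duplicates, keep order
    return menus, undecided, widened


if __name__ == "__main__":
    menus, undecided, widened = plan_upgrade(ROLE_MENUS, DECISIONS, CHANGED)
    print(menus, undecided, widened, sep="\n")
```

The undecided list shows which roles still block cut-over, and the widened list shows where a role temporarily holds both the old and the new transaction.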
The default authorizations (control tables) for the Profile Generator are called the SU24 objects
SU24 objects are defined in table USOBT (transferred to USOBT_C when the Profile Generator is initialized)
Table USOBT lists, by transaction code, the default authorization objects (with field values) that will be included in an activity group by the Profile Generator
The entries in USOBT are maintained by SAP (and are not 100% accurate)
[Figure: SU24 Objects (Table: USOBT_C): Transaction codes; Defaults: Authorization Objects, Fields/Values. Profile Generator Activity Group: Menu: Transaction codes; Authorizations: Authorization Objects, Fields/Values]
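A simplified model of the lookup described above: the menu's transaction codes are used to pull default authorization objects and field values into the activity group. This is an added example, not SAP code and not from the original presentation; the table contents, t-codes, the Z_* objects and the build_authorizations helper are constructed, and the real USOBT_C layout is reduced here to a dictionary.

```python
# Added example: simplified model of Profile Generator defaults.
# Table content, t-codes and Z_* objects are constructed sample data.

# USOBT_C stand-in: t-code -> [(authorization object, field, default values)]
USOBT_C = {
    "ZPO_CREATE": [("Z_PO_DOC", "ACTVT", ["01", "02"]),
                   ("Z_PO_ORG", "ZORG", [])],      # empty: admin must fill in
    "ZPO_DISPLAY": [("Z_PO_DOC", "ACTVT", ["03"]),
                    ("Z_PO_ORG", "ZORG", [])],
    "ZREPORT1": [],   # e.g. a migrated report: no defaults beyond S_TCODE
}


def build_authorizations(menu, defaults=USOBT_C):
    """Return (authorizations, s_tcode_only, no_entry) for a role menu.

    authorizations: {(object, field): sorted values} merged over all t-codes
    s_tcode_only:   t-codes whose defaults add nothing beyond S_TCODE
    no_entry:       t-codes with no row in the defaults table at all
    """
    # the start authorization for every menu transaction (S_TCODE, field TCD)
    auths = {("S_TCODE", "TCD"): set(menu)}
    s_tcode_only, no_entry = [], []
    for tcode in menu:
        if tcode not in defaults:
            no_entry.append(tcode)
            continue
        rows = defaults[tcode]
        if not rows:
            s_tcode_only.append(tcode)
        for obj, field, values in rows:
            auths.setdefault((obj, field), set()).update(values)
    merged = {key: sorted(vals) for key, vals in auths.items()}
    return merged, s_tcode_only, no_entry


if __name__ == "__main__":
    menu = ["ZPO_CREATE", "ZPO_DISPLAY", "ZREPORT1", "ZNOENTRY"]
    auths, s_tcode_only, no_entry = build_authorizations(menu)
    for key, values in auths.items():
        print(key, values)
    print("test authorizations manually:", s_tcode_only + no_entry)
```

Transactions reported in the last two lists receive no object-level defaults, so the checks their programs perform are covered only by authorization testing.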
Individually maintain all t-codes that have a Status of To be Checked, until all have been Checked
The Decision
Customizing Option
Would generally only include the transactions a user is authorized to use
Profiles would require additional customizations
Other considerations
Project Timelines
ROI (return on Investment)
Training
Functional vs. Technical
Workplace
BW User Menus
Represents an independent decision for BW
Since Info-catalogs were used in v4.0b, in order to maintain this functionality in v4.6c, custom User Menus were required
Alcatel utilized both the BEx Analyzer and BEx Browser
May not be an issue if the BEx tools are not utilized as the method for report delivery
Key Challenges
SU24 defaults only define the S_TCODE object (no others)
Experiences indicate that much of the ABAP behind the reports will change during an upgrade
Many new authorization object checks
It is critical to ensure that reports are exposed to rigorous authorization testing given the changes
Project Planning
Significant Point: Management needs to understand that significant and complex changes to v4.6x security will lead to critical path activities
The planning process is key and should start early in the project
As part of the planning process, the following key tasks need to be performed
Prepare a detailed inventory of SAP security components (e.g., roles, t-codes in use, custom objects, org. & functional restrictions)
Determine a strategy for report tree migration, user menus and custom folders
Define SAP security features that are not in scope for the upgrade (e.g., no Central User Administration or Single Sign-on)
Prepare a detailed workplan and define roles & responsibilities
A key success factor for our upgrade was the continued development and high availability within the v4.0b system
Significant number of integration efforts generated many changes within v4.0b
Any changes processed into the v4.0b PRD environment were needed in the 4.6c system
This required significant duplication of efforts; included profile changes but not end-user assignments
A key decision required by the project management and the business is the accepted level of development freeze
Change management tools are essential
Authorization Testing
Testing is just as critical during an upgrade as an implementation
Might be considered higher, considering the end-user community expects the system to continue to run smoothly and they understand the system this time!!
Cut-over was not a one time effort - Practice the plan as much as possible