
Cannot perform Role Modifications after EHP Upgrade

former_member275658
Contributor
0 Kudos

Hi All,

We recently upgraded to EHP1 SPS6. After this, when I tried to do a role enhancement, a dialog box appeared which says that "Before proceeding further you have to run SU25 Step 2A to 2C because of Upgrade happened in the system"

I am not very familiar with the SU25 steps and their consequences.

1. Please suggest if we had to run step 2A in SU25 before starting EHP upgrade?

2. As the EHP is complete now, how to proceed with SU25 steps to avoid inconsistencies?

Please suggest.

Regards

S.A

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Which implementation approach did you use to build the existing roles?

It is up to you really...

I would start by reading the documentation on SU25.

Personally, I can recommend using SU24, and therefore SU25 after each SP and upgrade and having a tight control on it (i.e. in your development systems).

Cheers,

Julius

23 REPLIES

0 Kudos

Do I need to execute all the steps of SU25 starting from step 2 (A) till step 6 ?

0 Kudos

Hi

You can execute only up to step 3. That should suffice for your requirement.

Thanks.

Anjan

0 Kudos

Okay! I have executed Step 2 (A) till Step 3 (transport customer tables). Please let me know what things I have to look now in details after I ran these steps ? I never used SU25 till now, I do not want to mess up anything. Please guide me.

Thank you!

0 Kudos

> Okay! I have executed Step 2 (A) till Step 3 (transport customer tables). Please let me know what things I have to look now in details after I ran these steps ? I never used SU25 till now, I do not want to mess up anything. Please guide me.

Hi Salman

Did you read through the information which pops up when you execute any step?

Major work will be in step 2B and Step 2C.

Step 2B: You will need to adjust the check indicator values for transactions (some new objects get added with every upgrade).

Step 2C: Adjust the roles to include the new objects added to the transactions in Step 2C.

Step 2D: Some transactions become obsolete and are replaced by new transactions which need to be included in your roles (check with functional teams if this is required immediately).

Please read through the information tips that pop up when you execute any step for more details.

Caution: Please read through the documentation before executing these steps.

Thanks.

Anjan

Edited by: anjanpandey on Jun 4, 2010 9:16 AM

0 Kudos

I would suggest also checking whether anyone else has made any changes in SU24 or SU22, in this system and any further transport targets of the SU25 steps.

Cheers,

Julius

0 Kudos

Dear Anjan,

Thanks for your valuable suggestions!

I have few more doubts:

1. I see that many roles' authorization tab has become red. Is it due to the inclusion of new tcodes or just auth objects?

2. Do I manually need to pick each role and generate it by checking the new authorizations that came ?

3. After generating all the single roles ( when everything is green), do I need execute the step 3 (Transport customer tables) ?

4. After executing Step 3 do I need to follow same procedure in QAS and PRD systems ?

Waiting for your reply!

Thanks again!

Salman

0 Kudos

> 1. I see that many roles' authorization tab has become red. Is it due to the inclusion of new tcodes or just auth objects?

Roles have red status once you execute step 2C. Did you execute step 2B already? If yes then you need to regenerate the roles individually. New tcodes will come into picture with step 2D.

> 2. Do I manually need to pick each role and generate it by checking the new authorizations that came ?

Yes, you need to generate all the roles individually after maintaining the values for new objects which come in after step 2B.

> 3. After generating all the single roles ( when everything is green), do I need execute the step 3 (Transport customer tables) ?

You can do it if you want to transport your check indicator values or skip it for now and can do it later.

> 4. After executing Step 3 do I need to follow same procedure in QAS and PRD systems ?

No, you can transport the roles through mass transport option available in trxn PFCG to QAS and transport to PRD once your integration testing is complete.

Thanks.

Anjan

0 Kudos

Thanks for the quick reply Anjan

I will update if any errors or questions!

Thanks again!

Former Member
0 Kudos

Hi Salman

After any upgrade, the security consultant needs to perform the following steps:

1. Go to transaction SU25

2. Run steps 2A to 2D

3. Each step has its own significance. Read the instructions carefully when you click on each tab from 2A to 2D.

4. You need to adjust the roles, new t-codes with old ones and new authorization objects with old ones.

5. After Steps 2A to 2D have been executed, follow the good practice to transport your check indicator values by executing Step 3.

Thanks.

Anjan

former_member275658
Contributor
0 Kudos

1. I have corrected all the roles in the step 2C. Just kept the old auths as it is and deactivated the new auths which came in those auth objects and generated each role.

2. I did not replace the old tcodes with the new tcodes which came in step 2D.

3. Started the step 3 for transport customer tables

Questions:

1. Will it affect any user if I just keep the old authorizations ?

2. Will it affect if I do not replace the old tcodes with the new ones ?

3. Do I need to manually import the transport request of step 3 (transport customer tables) into QAS ?

4. I recently had to change the SU24 settings due to inconsistency in P_Orgin object but I reversed it after making changes to the role. So do I need to check anything in SU24 ?

Waiting for reply!

Thank you!

Edited by: Salman123 on Jun 6, 2010 6:23 PM

0 Kudos

> 1. Will it affect any user if I just keep the old authorizations ?

Yes, it might affect if any existing transaction is checking for authorization of new objects, e.g. with the new SAP releases trxn SM59 now checks for object S_RFC_ADM as well. So you need to include this object in your roles giving access for trxn SM59.

> 2. Will it affect if I do not replace the old tcodes with the new ones ?

That call is from the business side. Please check with your business analysts.

> 3. Do I need to manually import the transport request of step 3 (transport customer tables) into QAS ?

If auto import scheduler is not active in QAS then you have to import the TR manually.

> 4. I recently had to change the SU24 settings due to inconsistency in P_Orgin object but I reversed it after making changes to the role. So do I need to check anything in SU24 ?

Step 2B in trxn SU25 takes care of your SU24 updates.

Thanks.

Anjan

0 Kudos

Thanks again Anjan! Your valuable suggestions are really helpful.

1. What is the best practice after executing the steps 2A to 2D and Step 3 ?

2. Do we need to involve functional teams for testing the changes made to the roles and inclusion of new authorizations due to upgrade before transporting the mass roles to QAS ?

As Always Thanks!

0 Kudos

Sri,

Sorry, I didn't see your update which I suppose is answer to my latest question.

Sri/Anjan,

I checked SU24 for tcode SM59, I see in column of SU24 "TSTCA" there is an entry for auth object S_RFC_ADM. I am not sure what that entry in TSTCA means ?

Please advise

Thanks!

0 Kudos

hello,

that is the additional check when the transaction is started. The value is maintained in SE93.

b.rgds, Bernhard

0 Kudos

Hi Salman,

1.

http://searchsap.techtarget.com/generic/0,295582,sid21_gci1368921,00.html

2. Functional people involvement is needed. After modification, unit testing is required before transporting the role, to check the functionality of roles modified.

Transport all the roles after unit testing to quality system for further UAT (User Acceptance Testing).

Thanks,

Sri

0 Kudos

Hello Sri and All,

Thanks for your suggestions!

We have a concept of assigning only composite roles to the users. Could you please tell what will be the best practice for testing ?

Like we have the same roles in Dev and Prod which are assigned to the users in PRD. Can we use the original user IDs in prod and make a copy of it in dev system for testing the roles?

I want to make the testing effort easy for everyone.

Thank you!

Former Member
0 Kudos

Salman,

Steps in Security Upgrade:

1. Execute transaction SU25 steps 2A – 2D to identify roles and authorization objects that have been impacted.

2. Download all the roles impacted (in red status) by the upgrade to the higher version into Excel, along with the new authorization objects introduced.

3. Share the list with business concept owners, to check the new objects, so that they can provide you the values that need to be fixed in roles as per their need.

4. Fixing of roles; if required, adjust SU24 for the t-code (differs case by case).

After modification, unit testing is required before transporting the role, to check the functionality of roles modified.

Transport all the roles after unit testing to quality system for further UAT (User Acceptance Testing).

Thanks,

Sri

former_member275658
Contributor
0 Kudos

Before upgrade I have downloaded the table USOBX_C for comparison after Upgrade.

Is it feasible to use the older USOBX_C and compare with New USOBX_C table after upgrade?

Are the SU25 results perhaps stored in a table somewhere that we can query/dump to Excel?

Thank you !
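One way to do the comparison asked about above, as an added example that is not part of the original thread: a Python sketch that diffs a pre-upgrade and post-upgrade USOBX_C download and lists the transactions whose check indicators changed. The CSV layout, the column names NAME, TYPE, OBJECT and OKFLAG, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample downloads (not real system data). The CSV layout and the
# column names NAME, TYPE, OBJECT, OKFLAG are assumptions about the export.
BEFORE_CSV = """NAME,TYPE,OBJECT,OKFLAG
SM59,TR,S_ADMI_FCD,Y
SU01,TR,S_USER_GRP,Y
SE38,TR,S_DEVELOP,Y
"""
AFTER_CSV = """NAME,TYPE,OBJECT,OKFLAG
SM59,TR,S_ADMI_FCD,Y
SM59,TR,S_RFC_ADM,Y
SU01,TR,S_USER_GRP,X
"""

def load(text):
    """Map (NAME, TYPE, OBJECT) -> check indicator from one CSV download."""
    rows = csv.DictReader(io.StringIO(text))
    return {
        (r["NAME"].strip(), r["TYPE"].strip(), r["OBJECT"].strip()): r["OKFLAG"].strip()
        for r in rows
    }

def diff_usobx(before, after):
    """Return entries added, removed, or with a changed check indicator."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": sorted(
            (k, before[k], after[k])
            for k in before
            if k in after and before[k] != after[k]
        ),
    }

def transactions_to_review(delta):
    """Transactions whose roles should be re-checked in PFCG."""
    keys = delta["added"] + delta["removed"] + [c[0] for c in delta["changed"]]
    return sorted({name for name, _type, _obj in keys})

if __name__ == "__main__":
    delta = diff_usobx(load(BEFORE_CSV), load(AFTER_CSV))
    for kind, entries in delta.items():
        print(kind, entries)
    print("review:", transactions_to_review(delta))
```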


former_member275658
Contributor
0 Kudos

I am getting an error in step 2(a) in SU25:

Postprocessing (SAP Note 323817) required for $APPLIC

Postprocessing (SAP Note 323817) required for $S_ADMI_FCD

Org. level contained in SAP default value $APPLIC is missing in table USORG. Contact SAP.

Org. level contained in SAP default value $BUKRS is missing in table USORG. Contact SAP.

Org. level contained in SAP default value $KOART is missing in table USORG. Contact SAP.

Org. level contained in SAP default value $KOKRS is missing in table USORG. Contact SAP.

Org. level contained in SAP default value $S_ADMI_FCD is missing in table USORG. Contact SAP.

Org. level contained in SAP default value $WERKS is missing in table USORG. Contact SAP.

I saw one note posted in SDN. Note 1360441:

"Alternatively, you can install the report provided in the attachment (attachment Z_BEAUTIFY_SUx_ORGFIELDS.TXT) as a customer-defined program and online report in your system and use this report for the cleanup.

Note the following special features when you use the program:

1. The report is available only to users who are also authorized to use transaction SU25.

2. Perform the cleanup according to the error situation, first for the SAP authorization default values (radio button CRR_SU22) and then for the customer-defined authorization default values (radio button CRR_SU24).

3. In the first step, the report outputs a list of authorization default values that are semantically incorrect in an ALV list.

4. Select the entries that are not required and enter =DELE in the OK code field.

5. Important: The error screen depends on the installed components of a NetWeaver system. Ensure that SAP Support checks the error situation BEFORE you use the cleanup report."

I don't know where to install this report in the system and run it. Please let me know if anyone else faced this error and how they resolved it?

Thank you!

former_member275658
Contributor
0 Kudos

Hi All,

I have completed the Role Adjustments/Generations in development for the roles that came up in step 2C of SU25.

Result-> Two transports need to be moved to QAS->PRD

a. Step 3 transport of SU25 which transports the custom tables (USOBX_C and USOBT_C) from Dev ->QAS ->PRD

b. Mass transport of roles which have been adjusted and generated through PFCG in step 2c roles.

My question is:

Which transport should go first in QAS ? Is it step 3 transport for custom tables which needs to be moved first then we have to move the mass transport request of roles ?

Please let me know if there is any dependency between these two transports.

Regards