Question:
Hi
I am on an SAP Authorisations team on a system with around 7500 roles. We are just about to upgrade from 4.6C to ECC5 (mySAP ERP 2004). This is a 1 to 1 upgrade with no new functionality.
I have performed some initial tests on an upgraded temporary version (sandbox) of our system, in order to establish what the impact will be on our authorisations concept. Therefore I have extracted all records from USOBX_C on both the new and the old system for all the transaction codes that we use and I find that many of the transaction codes have new authority checks.
1. USOBX_C contains around 19.000 records on the old system for the used transaction codes and 23.000 on the new system.
2. There are around 900 T-codes that contain new checks on objects (only around 250 contain new authority checks that have check indicator Check/Maintain.)
3. There are around 4300 combinations of transaction codes and objects that exist in the new system and not in the old system. These are new combinations that should probably be inserted in the affected roles (or what)?
Now I am uncertain about what this will actually mean for our roles and authorisations:
1. Will we have to insert all new authorisation objects (we will probably do this manually and not with SU25) according to USOBX_C or will it only be needed to update for objects that have the check indicator Check/Maintain?
2. Should we expect that our roles suddenly cannot run the transaction codes that they used to before we have inserted the new authorisation objects in the roles?
Jon
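The extract comparison described in the question, as an added example that is not part of the original post. It assumes each USOBX_C extract is a CSV with the columns NAME (transaction code), OBJECT and OKFLAG (check indicator) and that Check/Maintain is encoded as `Y`; the sample rows, the Z-names and the function names are constructed for illustration.

```python
import csv
import io

# Constructed sample extracts (not real system data).
OLD_EXTRACT = """NAME,OBJECT,OKFLAG
ZT01,Z_OBJ_A,Y
ZT01,Z_OBJ_B,Y
ZT02,Z_OBJ_D,Y
ZT03,Z_OBJ_G,Y
"""
NEW_EXTRACT = """NAME,OBJECT,OKFLAG
ZT01,Z_OBJ_A,Y
ZT01,Z_OBJ_B,Y
ZT01,Z_OBJ_C,Y
ZT02,Z_OBJ_D,Y
ZT02,Z_OBJ_F,X
ZT03,Z_OBJ_G,Y
ZT03,Z_OBJ_H,Y
ZT04,Z_OBJ_J,Y
"""
CHECK_MAINTAIN = "Y"  # assumption: adjust to how your extract encodes Check/Maintain


def load(text):
    """Return {(tcode, object): check indicator} from a CSV extract."""
    rows = csv.DictReader(io.StringIO(text))
    return {(r["NAME"].strip(), r["OBJECT"].strip()): r["OKFLAG"].strip()
            for r in rows}


def compare(old_text, new_text, used_tcodes):
    """Report tcode/object combinations that exist only in the new extract."""
    old, new = load(old_text), load(new_text)
    # Keep only combinations for transaction codes that are actually in use.
    added = {k: v for k, v in new.items()
             if k not in old and k[0] in used_tcodes}
    return {
        "new_combinations": sorted(added),
        "tcodes_with_new_checks": sorted({t for t, _ in added}),
        "tcodes_with_new_check_maintain": sorted(
            {t for (t, _), flag in added.items() if flag == CHECK_MAINTAIN}),
    }


if __name__ == "__main__":
    report = compare(OLD_EXTRACT, NEW_EXTRACT, {"ZT01", "ZT02", "ZT03"})
    for key, value in report.items():
        print(f"{key}: {len(value)} -> {value}")
```

The three result lists correspond to the three counts in the question: new combinations, transaction codes with new checks, and the subset whose new checks carry the Check/Maintain indicator.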
Answer:
I should probably have mentioned that if generating the roles using the expert module for profile generation many of the roles will have new objects appearing. As far as I understand it this imposes a risk to using the SU25 method, and that is one of the reasons we want to avoid that.
Jon
Answer:
You WANT to use SU24 and all the new objects that are delivered in the 'CM' column. SU24 is designed to add consistency to your roles and minimize long term maintenance. Primary time save is NOT "reinventing the wheel" every time you add the same tcode to different roles and to quickly correct the old roles.
Every upgrade in SAP has the potential to add new objects to a tcode. The question you need to ask based on your data is, are the new objects added to old tcode? Are the objects in 'CM' column in SU24?
You should be using the expert mode and using Read old and merge new EVERY time you enter a role for maintenance. You should be maintaining SU24 so that if no changes are made in the role nothing new is added if you resolve the "yellow" lights and enter authorization maintenance three consecutive times and read old merge new on each entry.
Further you should only have a MANUAL authorization in your role if there is a Standard to support it. With randomly added Manual authorizations you have no idea if they are still needed if a tcode is removed.
You will have to test all your roles individually so each role runs independently and then negative test the role alone and then with other roles to ensure no SODs exist.
_________________
John A. Jarboe
Answer:
Hi John
Thanks a lot for your answer. However I have some questions that I hope you can clarify.
You WANT to use SU24 and all the new objects that are delivered in the 'CM' column.
So only those objects that have the check indicator Check/Maintain will have to be inserted?
You should be maintaining SU24 so that if no changes are made in the role nothing new is added if you resolve the "yellow" lights and enter authorization maintenance three consecutive times and read old merge new on each entry.
We have no intention to make changes in SU24. But what do you mean by "enter authorization maintenance three consecutive times and read old merge new on each entry."?
Further you should only have a MANUAL authorization in your role if there is a Standard to support it. With randomly added Manual authorizations you have no idea if they are still needed if a tcode is removed.
Unfortunately it is an old system that has been maintained differently through the years, so there are a lot of things that are not ideal. For example, there are many roles with Manually inserted objects.
What is an SOD?
Best regards,
Jon