ASUG 2001: SAP R/3 & SAP BW Security Upgrade

Session 2505: SAP R/3 & SAP BW Security Upgrade Methods and Decisions

Steve Lundy – Alcatel Canada; John Hodges – Deloitte & Touche; Mike Abbott – Deloitte & Touche

Uploaded by jayanth-maydipalle on 02-Jan-2016



Session Outline

• SAP Upgrade Overview and Security Considerations (10 min)

• Key v4.6x Security Features (5 min)

• Alcatel Overview (5 min)

• Security Upgrade Approach, Key Decisions and General Considerations (10 min)

• Detailed Security Upgrade Considerations (25 min)

• Summary Lessons Learned (10 min)

• Questions and Answers (5 min)

SAP Upgrade Overview and Security Considerations

SAP v4.6x Upgrade Trends

Some example factors that are driving v4.6x upgrades:

• New functionality and redesigned enjoySAP transactions

• Improved reporting
  - Web-enabled
  - Simplification of use
  - Cross-application ad hoc reporting
  - Business process integration with the Business Information Warehouse

• Web integration features
  - New web-based transactions for new user groups
  - Functional enhancements for implementing web-based business processes

• Software support and maintenance schedule

SAP Maintenance Expiration Schedule

[Figure: timeline of SAP release maintenance expiry from 1st Qtr 00 to 3rd Qtr 03 for releases 3.0D, 3.0F, 3.1H, 3.1I, 4.0B, 4.5A, 4.5B, 4.6A and 4.6B; one release is marked “expired 10/99”]

In mid-2000, SAP announced that the maintenance schedules for versions 3.1i and 4.0b would be extended.

This has reduced the urgency to upgrade for some, but activity is still occurring.

Several upgrade options are available

Starting from the current release, the options are:

1. Technical Upgrade with Delivered Functional Changes: technical upgrade with the replacement of workarounds by new release functionality

2. Technical & Functional: new release along with new functionality and process improvements

3. Technical, Functional & e-Business components: new release along with significant new functionality, process improvements, and tools & processes for e-Business

Key Point: each option will have a different impact on the security approach and resource requirements

Sample Upgrade Project Estimating Model

Key factors:

• Breadth of functionality implemented

• Number of SAP modifications

• Number of custom programs

• Number of interfaces and bolt-ons

• Security functional changes, number of profiles and access restrictions

• Geographic scope

Several factors will have an impact on the complexity of the upgrade and the length of time required to perform it (security is one of the key factors).

Level of complexity and upgrade estimates (months):

• Low complexity: ~2.5+ months

• Medium complexity: ~4+ months

• High complexity: ~7+ months

Sample SAP Upgrade Roadmap

[Figure: roadmap laid out over the ASAP phases Prep, Business Blueprint, Realization, Final Preparation, and Go Live & Support, with the activities Prep, Fit/Gap, Unit Test, Integration Test Cycle 1, Integration Test Cycle 2, End-user Delta Training, Prod Build, EUA, Cutover Rehearsal and Rebuild, and the security tracks Security Assessment and Security Upgrade]

Key Points:

• Security upgrade activities must start early in a project

• Testing is key and starts early in the project

• Security is key during rehearsal and cut-over

Sample Upgrade System Landscape

[Figure: landscape with the production-support line DEV, QAS and PRD on 4.0x; the upgrade-project line DV2 and QA2 on 4.6x (integration test cycles 1 & 2 and end-user training); the rehearsal system REH on 4.6x; and PRD on 4.6x after the actual cut-over]

Manually synch security transports to production after the “cut-off” date (user master record changes will not have to be included).

Key System Build Tasks:

• Copy production

• Upgrade to 4.6x

• Load Hot Packs

• Import transports

• Validate the system

SAP Security Upgrade Overview

• The traditional risks and challenges with SAP security still exist
  - Role mapping, testing and security training are still very important

• However, upgrading v4.6x SAP security introduces new risks and challenges that require a significant work effort, most of which will be “critical path”
  - Some “redesign” tasks are needed even for technical-only upgrades

• The need for “redesign” activities is affected by the following key factors:
  - Improperly maintained or designed roles from the initial implementation
  - Upgraded security structures
  - Future with mySAP.com workplace
  - Merge of BW functionality

Beyond the Upgrade

[Figure: landscape diagram with the R/3 backend ERP system (FI, LO and HR business scenarios) connected to New Dimension Applications (CRM, B2B, BW, APO), the Employee, Partner, Customer, Consumer and Supplier Workplaces, Marketplaces, Catalogs (Buy or Sell) and Vendor / Customer Sites]

Generally, the upgrade is just the starting point on a long journey that will have many points along the way that impact SAP and infrastructure security.

As the system architecture becomes much more complex, many security issues beyond the “application layer” will need to be considered.

Example Workplace Integration Considerations: R/3 Level Security Linked to the mySAP.com Workplace

Even though the upgrade is started at the R/3 level, it is important to understand that some future mySAP.com workplace integration considerations might impact the R/3 upgrade work:

• In the workplace, the standard SAP menu does not exist, so “user menus” will need to be organized in each security role
  – This can be deferred at the R/3 level, but must occur for workplace integration

• In the workplace, attention to R/3 security role naming standards is key (e.g., see the “R3” vs. “WP” in the user menu)
  – Small things can now have a major impact on the end-user’s view of SAP

Key Security Upgrade Considerations

• Regardless of whether you are upgrading or newly installing v4.6x, SAP security will present some unique challenges

• SAP security specialists will be needed to help lead the efforts to navigate these challenges; however, understand that support will be needed from the Process and Technical Teams

• Key challenges include:
  - Access requirements (e.g., new t-codes, reports, BW Info-Catalog)
  - SAP “view” to end users (e.g., user menus and custom folders)
  - SAP security advanced features (e.g., HR position based, derived roles, workplace, CUA and SSO)


Key v4.6x Security Features

[Figure: a “Service Rep” user receives a menu (t-codes, web links, reports, etc.) through composite activity groups, which group user activity groups, each of which generates an authorization profile]

Terminology change: in v4.6c, single/composite activity groups became single/composite roles, and the Profile Generator became the Role Administrator.

What’s New in v4.6? – General

• New transaction codes
  – New t-codes for new functionality
  – New t-codes that replace existing functionality

• New authorization objects
  – New objects that will add to security checking options

• Reports
  – Report trees are replaced with unique SAP transaction codes

• Linkage of SAP security to a new concept called “User Menu”
  – Used to provide users with access to only the menu options (or t-codes) they need

What’s New in v4.6x? – PFCG

• Improved documentation
  – Improved online help (has more “step by step” instructions) and a new area for documenting activity group details directly in R/3

• Simplification of the tool and new features
  – Direct entry of transactions
  – New ability to assign access to individual reports, HTML links and document paths

• More automation
  – Automatic regeneration of profiles after transport
  – For derived activity groups, automatic role variant maintenance (you can now “push” down authorization values instead of having to maintain each version manually)
  – Auto selection of “maintenance type” when editing an activity group

• New “composite” role feature
  – Can be used to organize role assignments and simplify user administration

What’s New in v4.6x? – Other Security Topics

• Central User Administration (CUA) and Global User Manager (GUM)
  – New features to simplify user administration and support “multiple” application systems

• Mass user maintenance
  – New selection criteria for mass operations (based on “selection” options from SUIM reports)

• System parameters
  – New parameters that control the user buffer and multiple logon sessions

• Security Audit Log
  – New feature to enhance security reporting and monitoring

• Transport Management System (TMS)
  – New features to link security with a workflow approval process


Check Point – Any Quick Questions?


Alcatel Overview

Alcatel / Newbridge Overview

• Both are public companies

• In November 1999, Newbridge went live on v4.0b with FI/CO, MM, PP, QM, SD and B/W (v1.2)
  – A total of 2,500 users were enabled on day 1 across North America, Europe and Asia

• In May 2000, Newbridge was purchased by Alcatel of France
  – Newbridge’s 5,000 employees would join over 120,000 employees within Alcatel
  – v4.0b at “Newbridge” would continue to operate as the system for Alcatel Canada
  – As a result of this acquisition, several new projects began within SAP to aid the corporate integration process
  – Challenges in v4.0b would include new consolidations, customer base and many users

• In August 2000, an upgrade to SAP v4.6c & BW v2.0b was announced and the project officially began

• In November 2000, Alcatel Canada completed the upgrade


Key R/3 Security Numbers

• 2,500 users with 1,000 profiles to meet the various levels of tasks, public reporting restrictions and internal control requirements

• Generally split along corporate lines through company codes, sales organizations, purchasing organizations and plants– Some additional functional splits were identified and configured

• Profile Generator was used for the maintenance of all activity groups / profiles

• Composite profiles were not used in v4.0b

Key Business Warehouse Points

• General overview
  – Security from the original implementation was based around Info-cubes at a “power user” and “browser user” level
    • Query/report creators and query/report executors
    • Over 150 profiles to support data restriction requirements
    • No business content, 16 custom cubes
    • Authorization objects customized for 4 cubes

• Important BW considerations
  • Transaction codes are generally not relevant for end-users
  • Authorization objects for “data” restrictions must be customized

Overall Upgrade Approach Overview

• At Alcatel Canada, the approach was a technical upgrade

• Although it was a technical approach, new “functional” considerations had to be addressed during the upgrade:

• New Transactions which replace existing transactions

• User Menus and the SAP Easy Access Menu

• SAP Reporting and Report Trees

• Workplace and Central User Administration

• Scope Creep! – generally from previous system workarounds


Timeline and Key Events

• August 2000 - v4.6c development environment created from v4.0b DEV system

• Early September 2000 - v4.6c QA environment created from v4.6c DEV

• September / October 2000 - extensive integration testing

• October 2000 - production cut-over test #1

• Late October 2000 - Development “freeze” placed on v4.0b

• Early November - production cut-over test #2

• November 10-12 - Cut-over to production environment; all transports applied; focus testing performed; system closed to end-users Friday morning

• November 13, 2000 – “Drop-dead” date for go-live - end-users begin Monday morning on the upgraded v4.6c system


Security Upgrade Approach, Considerations and Key Decisions

Key Security Upgrade Considerations (R/3)

• Number of new transaction codes

• Report tree migration

• New authorization objects

• New authorization checks

• Utilization of manual profiles

• Renaming of activity groups

• Existing security customization

• Current restrictions

• Concept of user menus

• mySAP.com

Key Security Questions and Decisions (R/3)

Alcatel questions:

– Will old and new t-codes be used? Maybe both?

– Will report trees be migrated to new standard t-codes per report?

– Will user menus be used?

– Will custom t-codes be added to the SAP standard menu?

– If using activity groups, will the new name be used or will they be re-named (i.e., make a copy and change the name)?

– Will derived activity groups be used?

Other questions:

– Will mySAP.com workplace and CUA be used? Having ESS in scope will be a key factor in this decision.

– If HR position based security is used, will this be continued as part of the upgrade? Having mySAP.com workplace in scope will be a key factor in this decision.

– If manual profiles are used, will they be transitioned to the profile generator (i.e., start using activity groups)?

Alcatel Security Upgrade Approach (R/3)

• Security upgrade approach – key tasks
  – Performed a security assessment of the current environment vs. v4.6x functions
  – Upgraded existing activity groups
  – Created new activity groups
    • Also deleted some that would no longer be used and enhanced others to address some outstanding security audit issues
  – Tested security roles and cut-over
  – Updated end-user mapping
  – Performed security cut-over

• Timing of all activities followed the ASAP methodology

Alcatel Security Upgrade Approach (BW)

• Our approach to the upgrade for BW was the same as for R/3

• The following were key exceptions:
  • SU25 process generally not applicable in BW
  • No new end-user authorization objects
  • Activity groups were not re-named (BW v1.2 to v2.0 is comparable to v4.5 to v4.6)
  • User Menu strategy was independent of the R/3 decision

Key Security Upgrade Considerations (BW)

• In BW v2.0b, the concept of the “Info-catalog” is replaced by the roles in the profile generator
  – Info-catalog was used by Alcatel in v1.2
  – Conversion programs can be run to translate an Info-catalog into a role
  – Channels are replaced by a User Menu

• Our approach was to convert channels into roles and have the BW security administrator maintain the channel administration
  – The process maintains all reports and end-user assignments


Check Point – Any Quick Questions?


Alcatel Security Upgrade Challenges

Detailed Security Upgrade Considerations

1. Renaming of Activity Groups

2. New Transaction Codes and Authorization Objects

3. Handling SU24 Object Changes

4. User Menus, Area Menu “Folders”, and Reporting Strategies

New Activity Group Names

• During an upgrade to v4.6x, the naming convention changes as follows:

  Activity groups:
    Old name: ZF:100_000
    New name: T_50000450_ZF:100_000 (now includes the internal number)

  Responsibilities:
    Old name: ZF:100_001
    New name: RY_50000451_ZF:100_001 (now includes the internal number)

• Since activity groups can NOT be renamed in place, a key decision needs to be made on whether to rename them (i.e., make a copy and change the name). Both options will have a significant impact on the upgrade and security administration.

• Also note that if the profiles from the activity group were directly assigned to a user in the old system, after the upgrade those assignments will be lost from the start
  - In v4.6x, there is a new tab in the user master record for assigning activity groups

Correction Process

• Develop the v4.0x download format

• Download v4.0x end-user assignments

• Apply the 4.6x upgrade

• Convert 4.0 to 4.6 data

• Create a CATT to upload the 4.6x role assignments

• Upload role assignments

Key tools and considerations:

• Customized ABAP to download profile assignments

• CATT scripts

• The process will be critical in the final cut-over process
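The renaming and the correction process above, as an added example that is not from the presentation: a Python sketch that parses the upgraded names, maps each old 4.0x name to its 4.6x name, and turns downloaded 4.0x user assignments into rows for the CATT upload. The 8-digit internal number, the T_/RY_ tags as the only prefixes, the tab-separated upload layout, and all sample users and names are assumptions or constructed values.

```python
import re
from typing import Dict, List, Tuple

# After the 4.6x upgrade an activity group keeps its old name as a suffix,
# prefixed with a type tag and the internal number (examples from the slide):
#   ZF:100_000 -> T_50000450_ZF:100_000   (activity group)
#   ZF:100_001 -> RY_50000451_ZF:100_001  (responsibility)
# Assumption: every upgraded name follows <tag>_<8 digits>_<old name>.
UPGRADED_NAME = re.compile(r"^(T|RY)_(\d{8})_(.+)$")

# Constructed sample input: names found in the upgraded 4.6x system, and
# (user, activity group) pairs downloaded from the v4.0x system.
UPGRADED_NAMES = [
    "T_50000450_ZF:100_000",
    "RY_50000451_ZF:100_001",
    "T_50000452_ZM:200_000",
]
ASSIGNMENTS_40 = [
    ("JSMITH", "ZF:100_000"),
    ("JSMITH", "ZM:200_000"),
    ("AKHAN", "ZF:100_001"),
    ("AKHAN", "ZX:OLD_WORKAROUND"),  # constructed: has no upgraded counterpart
]


def parse_upgraded_name(new_name: str) -> Tuple[str, str, str]:
    """Split an upgraded name into (tag, internal number, old 4.0x name)."""
    m = UPGRADED_NAME.match(new_name)
    if not m:
        raise ValueError(f"not an upgraded activity-group name: {new_name}")
    return m.group(1), m.group(2), m.group(3)


def build_rename_map(upgraded_names: List[str]) -> Dict[str, str]:
    """Map each old 4.0x name to its upgraded 4.6x name, refusing ambiguity."""
    mapping: Dict[str, str] = {}
    for name in upgraded_names:
        _tag, _number, old = parse_upgraded_name(name)
        if old in mapping:
            raise ValueError(f"{old} maps to both {mapping[old]} and {name}")
        mapping[old] = name
    return mapping


def convert_assignments(assignments_40: List[Tuple[str, str]],
                        rename_map: Dict[str, str]):
    """Translate 4.0x (user, activity group) pairs into 4.6x role names.
    Returns (rows ready for upload, pairs that have no upgraded name and
    therefore need a manual decision)."""
    upload: List[Tuple[str, str]] = []
    unmapped: List[Tuple[str, str]] = []
    for user, old in assignments_40:
        new = rename_map.get(old)
        if new is None:
            unmapped.append((user, old))
        else:
            upload.append((user, new))
    return upload, unmapped


def to_upload_lines(rows: List[Tuple[str, str]]) -> str:
    """Tab-separated 'user<TAB>role' lines for the CATT upload (a constructed
    layout; the real CATT input format is project-specific)."""
    return "\n".join(f"{user}\t{role}" for user, role in rows)


def correct_assignments(upgraded_names: List[str],
                        assignments_40: List[Tuple[str, str]]):
    """Whole correction process: rename map -> converted rows -> upload text."""
    rename_map = build_rename_map(upgraded_names)
    upload, unmapped = convert_assignments(assignments_40, rename_map)
    return to_upload_lines(upload), unmapped


if __name__ == "__main__":
    text, leftovers = correct_assignments(UPGRADED_NAMES, ASSIGNMENTS_40)
    print(text)
    print("needs manual review:", leftovers)
```

Every 4.0x pair that has no upgraded counterpart is reported rather than silently dropped, which is the check the cut-over rehearsal should verify before the CATT runs.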

Detailed Security Upgrade Considerations: 2. New Transaction Codes and Authorization Objects


New t-code Identification: SU25 2d

Understand that this report is nice, but not 100% comprehensive

Upgrades: Managing New R/3 t-codes

• Determine transaction codes in scope
  - Current role documentation, BPPs, ST03, RBE tool

• Identify the population of transaction codes that have changed

• Work with process teams to determine strategy
  - Assign new transaction, remove old
  - Assign old transaction only
  - Allow access to both old and new transactions

• Compare SU24 values for new vs. old t-codes
  - Adjust check indicators as needed
  - Adjust default values as needed

• Upgrade in activity groups
  - Read old status and merge with new
  - Profile comparisons in SUIM (dependent on upgrade strategy)

Any t-code changes impact training.

Many new t-codes function as before; however, exceptions exist

• SD example: VL01 (now VL01N) – “Transaction is Outdated” error

• SD example: VL04 (now VL10A, B, C) – “Conversion for release v4.6x” error

Other t-codes have been completely redesigned

• Enter Incoming Invoices: FB10 vs. FB60

Updated Authorization Objects

• New authorization objects
  – Over 350 new objects between v4.0x and v4.6c
  • Identify how many affect the scope of your upgrade

• Obsolete authorization objects

• Changes to how the system performs checks
  – The key is to isolate a strategy for managing the changes to authorization objects
  – The strategy is defined through SU24

Detailed Security Upgrade Considerations: 3. Handling SU24 Object Changes

SU24 Objects: Overview

• The default authorizations (“control tables”) for the Profile Generator are called the SU24 objects

• SU24 objects are defined in table USOBT (transferred to USOBT_C when the Profile Generator is initialized)

• Table USOBT lists, by transaction code, the default authorization objects (with field values) that will be included in an activity group by the Profile Generator

• The entries in USOBT are maintained by SAP (and are not 100% accurate)

[Figure: the Profile Generator reads an activity group’s menu (transaction codes) and looks up the SU24 objects in table USOBT_C (transaction code → default authorization objects with fields/values) to build the activity group’s authorizations (authorization objects with fields/values)]


Using SU25: The Options Defined

• Option 1: Overwrites customer tables with new SAP default values

• Option 2a: Updates customer tables with new version defaults, but leaves any customization or changes

• Option 2b: Report detailing any customizations and how they compare to the new default values

• Option 2c: Updates roles based on SU24 objects from 2a & 2b (must be comfortable with 2a & 2b prior to running this step)

• Option 3: Transports any changes made in Options 1, 2a, 2b.

• Option 4: Maintain check indicators (launches transaction SU24)

• Option 5: Allows system-wide object deactivation (excluding BASIS & HR)

• Option 6: Create Roles from Manual Profiles that used S_TCODE

SU24 Objects: Key Considerations

• Reliability of SU24 objects
  – Concerned that any additions of objects made to profiles in v4.0x were not updated in SU24
  – Comparisons between v4.0b PRD vs. v4.6c DEV

• Upgrade of existing profiles
  – Address the issues from SAP per step 2c
  – Added new authorization objects
  – Configured new fields within objects
  – Addition of new transactions addressed as a separate upgrade step


Using SU25: Option 2b.

Individually maintain all t-codes that have a Status of “To be Checked”, until all have been “Checked”

Save all changes to a single transport request
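As an added illustration that is not from the presentation or from SAP: a simplified model of what SU25 options 1, 2a and 2b do to the customer table, plus the old-vs-new t-code comparison called for on the “Managing New R/3 t-codes” slide (VL01 vs. VL01N). The tables are constructed, ZGLRPT1 is a hypothetical custom report t-code, and the check indicator and field values are modelled as one entry per (t-code, object), which simplifies the real tables.

```python
from typing import Dict, List, Tuple

Key = Tuple[str, str]        # (transaction code, authorization object)
Entry = Dict[str, object]    # {"check": check indicator, "values": {field: value}}
Table = Dict[Key, Entry]


def entry(check: str, **values: str) -> Entry:
    """One SU24 default: a check indicator plus the proposed field values."""
    return {"check": check, "values": dict(values)}


# Constructed sample tables (not real USOBT content). Object and field names
# are standard SAP ones; the values are invented for the illustration.
SAP_OLD: Table = {                      # USOBT delivered with v4.0x
    ("VL01", "V_LIKP_VST"): entry("C", ACTVT="01", VSTEL="*"),
    ("FB10", "F_BKPF_BUK"): entry("C", ACTVT="01", BUKRS="$BUKRS"),
    ("FB10", "F_BKPF_KOA"): entry("N", ACTVT="01", KOART="*"),
}
CUSTOMER: Table = {                     # USOBT_C as maintained by the customer
    ("VL01", "V_LIKP_VST"): entry("C", ACTVT="01", VSTEL="*"),
    ("FB10", "F_BKPF_BUK"): entry("C", ACTVT="01", BUKRS="1000"),      # customized
    ("FB10", "F_BKPF_KOA"): entry("N", ACTVT="01", KOART="*"),
    ("ZGLRPT1", "F_BKPF_BUK"): entry("C", ACTVT="03", BUKRS="$BUKRS"),  # custom t-code
}
SAP_NEW: Table = {                      # USOBT delivered with v4.6c
    ("VL01", "V_LIKP_VST"): entry("C", ACTVT="01", VSTEL="*"),
    ("VL01N", "V_LIKP_VST"): entry("C", ACTVT="01", VSTEL="$VSTEL"),  # new t-code
    ("FB10", "F_BKPF_BUK"): entry("C", ACTVT="01", BUKRS="$BUKRS"),
    ("FB10", "F_BKPF_KOA"): entry("C", ACTVT="01", KOART="*"),        # now checked
    ("FB60", "F_BKPF_BUK"): entry("C", ACTVT="01", BUKRS="$BUKRS"),   # new t-code
}


def is_customized(key: Key, customer: Table, sap_old: Table) -> bool:
    """An entry is customized when USOBT_C differs from the previous
    release's USOBT (or has no SAP-delivered counterpart at all)."""
    return key in customer and customer[key] != sap_old.get(key)


def option_1(sap_new: Table) -> Table:
    """Step 1: overwrite the customer table with the new SAP defaults.
    Every customization and every customer-only entry is discarded."""
    return {k: entry(v["check"], **v["values"]) for k, v in sap_new.items()}


def option_2a(sap_old: Table, customer: Table, sap_new: Table) -> Table:
    """Step 2a: load the new SAP defaults but keep every entry the customer
    changed, and keep customer-only entries such as custom t-codes."""
    merged: Table = {}
    for key, new_default in sap_new.items():
        customized = is_customized(key, customer, sap_old)
        merged[key] = customer[key] if customized else new_default
    for key, cust_entry in customer.items():
        merged.setdefault(key, cust_entry)
    return merged


def option_2b(sap_old: Table, customer: Table, sap_new: Table) -> List[Dict[str, object]]:
    """Step 2b: list customized entries whose new SAP default differs, so the
    administrator can decide which value to keep before running 2c."""
    report: List[Dict[str, object]] = []
    for key in sorted(customer):
        if not is_customized(key, customer, sap_old):
            continue
        new_default = sap_new.get(key)
        if new_default is not None and new_default != customer[key]:
            report.append({"key": key, "customer": customer[key], "sap_new": new_default})
    return report


def to_be_checked(report: List[Dict[str, object]]) -> List[str]:
    """Transaction codes that 2b would show with status 'To be Checked'."""
    return sorted({r["key"][0] for r in report})


def compare_tcodes(table: Table, old_tcode: str, new_tcode: str) -> Dict[str, Tuple]:
    """Diff the SU24 defaults of an old t-code against its replacement
    (e.g. VL01 vs. VL01N): object -> (old entry or None, new entry or None)."""
    objects = {obj for (tc, obj) in table if tc in (old_tcode, new_tcode)}
    diff: Dict[str, Tuple] = {}
    for obj in sorted(objects):
        old_e, new_e = table.get((old_tcode, obj)), table.get((new_tcode, obj))
        if old_e != new_e:
            diff[obj] = (old_e, new_e)
    return diff
```

Running option 1 on the sample silently drops the customer’s BUKRS restriction and the custom t-code entry, which is why the deck treats 2a/2b as the normal path and 1 as the option to avoid once SU24 has been customized.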

Detailed Security Upgrade Considerations: 4. User Menus, Area Menu “Folders”, and Reporting Strategies

User Menu Overview

• Key considerations
  – User menus are assigned, available and generally managed through the profile generator
  – Users can see only & exactly what transactions they have access to
  – Accuracy of role definitions is critical
  – Coordination with the training team is essential
  – Users can create a personal “favorites” list of transactions using a “drag & drop” feature
  – If mySAP.com workplace is on the horizon, then user menus will be required

An appropriate strategy for user menus with the business represents a critical decision within the upgrade process.

Why is a decision needed?

• In order to optimize the features of customized user menus, considerable customizations are required

• User menus can be confusing to sophisticated end users
  – Without customizations, user menus will be repetitive, redundant and overall cumbersome

[Screenshot: the test user here has only four assigned roles]

The Decision

• Customizing option
  – Would generally only include the transactions a user is authorized to use
  – Profiles would require additional customizations

• SAP standard menu
  – Disables the user menus and focuses on utilization of favorites
  – No additional customizations beyond technical upgrades

Other considerations:

• Project timelines

• ROI (return on investment)

• Training

• Functional vs. technical

• Workplace

BW User Menus

• Represents an independent decision for BW

• Since Info-catalogs were used in v4.0b, in order to maintain this functionality in v4.6c, custom user menus were required
  – Alcatel utilized both the BEx Analyzer and BEx Browser
    • May not be an issue if the BEx tools are not utilized as the method for report delivery
  – Unlike R/3, additional customization was not required
    • When upgrading, several OSS notes and programs were applied to convert Info-Channels into roles

Report Trees and Upgrades

• The SAP approach to R/3 level reports has changed with v4.6x
  - SAP has moved from one t-code, with many reports, to individual t-codes per report

• The new t-codes are linked to the standard SAP menu; however, the old report tree t-codes are not linked
  – Any custom report added to a report tree will now need a custom t-code
  – And these custom t-codes will need to be added to a custom folder in the standard SAP menu

[Figure: pre-v4.6x, menu paths call F.97 (GL Report Tree); in v4.6x the old t-code F-97 is not linked to the standard SAP menu, which instead shows examples of new report t-codes]

Alcatel and Upgraded Reports

• Key challenges
  – SU24 defaults only define the S_TCODE object (no others)
    • Experience indicates that much of the ABAP behind the reports will change during an upgrade
    • Many new authorization object checks
  – Providing access to new report t-codes
    • Our approach was to assign new transactions into the roles with the old report tree transactions

• It is critical to ensure that reports are exposed to rigorous authorization testing given the changes


Check Point – Any Quick Questions?


Summary Lessons Learned

Project Planning

• Significant point: management needs to understand that significant and complex changes to v4.6x security will lead to “critical path” activities

• The planning process is key and should start early in the project

• As part of the planning process, the following key tasks need to be performed:
  • Prepare a detailed inventory of SAP security components (e.g., roles, t-codes in use, custom objects, org. & functional restrictions)
  • Determine a strategy for report tree migration, user menus and custom folders
  • Define SAP security features that are not in scope for the upgrade (e.g., no Central User Administration or Single Sign-on)
  • Prepare a detailed workplan and define roles & responsibilities

Maintenance of 4.0b System

• Be aware that demands on the current system will not diminish during the upgrade

• A key success factor for our upgrade was the continued development and high availability within the v4.0b system
  – A significant number of integration efforts generated many changes within v4.0b

• Any changes processed into the v4.0b PRD environment were needed in the 4.6c system
  – This required significant duplication of effort; it included profile changes but not end-user assignments

• A key decision required by the project management and the business is the accepted level of development freeze

• Change management tools are essential

Authorization Testing

• Testing is just as critical during an upgrade as during an implementation
  – Might be considered more critical, considering the end-user community expects the system to continue to run smoothly, and they understand the system this time!!

• Detailed authorization test plans need to be developed
  – Consider using a series of unit tests (through CATT scripts)
  – Testing should occur at the unit and integration level
    • Unit testing at the individual role level, while integration testing is based on positions
    • Test plans included positive and negative testing
  – Security resources should be dedicated to testing
    • Short test time frame = demanding resource requirements

Cut-over Planning and Execution

• Our upgrade project had a drop-dead go-live date and the team would only have 72 hours to upgrade production
  – Translation: cut-over had to be perfect (at least nearly perfect)

• Production cut-over planning
  – Included all steps required to convert to the upgraded system, timing and key co-ordination points:
    • v4.0b system shut-down (BASIS upgrade)
    • execution of transports (including OSS fixes)
    • validation of transports
    • manual configuration steps
    • execution of CATTs for user assignments
    • staggered user activation for focused testing
    • re-opening of the system

• Cut-over was not a one-time effort - practice the plan as much as possible

Other Key Lessons Learned

• Depending on the status of the “As Is” SAP security roles, “redesign” activities may need to be performed as part of a “technical only” upgrade

• Beyond the process of upgrading SAP security roles, other key activities should be considered (e.g., SOD analysis, user administration, policies & procedures and infrastructure security)

• Having dedicated resources from the beginning of the project helps establish an effective knowledge transfer process from consultants

• Security planning and execution must be performed in strict coordination with all the other teams… SAP v4.6x is still an integrated system.


The End – Any Questions?


Thank you for attending! Please remember to complete and return your evaluation form following this session.

Session Code: [2505]