[ ECC6 Security Upgrade Procedure ]

This guide shows the steps that must be followed from a security perspective when upgrading to ECC6.

Run transaction SU25

Step1: Completed during the upgrade.

Step2A: Completed during the upgrade.
This step is used to prepare the comparison and must be executed first.

Step2B: Compares changes made to check indicators in SU24

Step2C: Determines which roles are affected by changes to authorization data. The corresponding authorization profiles need to be edited and regenerated. The affected roles are assigned the status "profile comparison required".

Note: This step takes a long time and might time out. There is no option to run this job in the background, so complete the following if a timeout occurs:

Transaction: SE38

Enter program: SU26_LIST_ACTIVITY_GROUPS_NEW

And copy to: ZSU26_LIST_ACTIVITY_GROUPS_NEW

And make the following changes:

Set all the selection screen parameters to "DEFAULT 'X' NO-DISPLAY".

Then save and compile.

Now execute in the background:

Execute immediately.

Wait for the job to finish and retain a copy of the output.

The output is displayed in SM37.

The resultant output will be quite large, so to capture the main changes, view the contents of the specific SAP_NEW sub-profile.

Transaction: SU02

The profiles of importance are:
S_NEW_6300    Partial profile for SAP_NEW, Release: 630
S_NEW_6400    Partial profile for SAP_NEW, Release: 640
S_NEW_7000    Partial profile for SAP_NEW, Release: 700

Drill down on each of the above profiles and note the new objects:

Object      Description                                             Profile
S_DX_MAIN   DX Workbench: Transaction Code and Activity             S_NEW_630000
S_DX_PROJ   DX Workbench: Transaction Code, DX Project, and Activi  S_NEW_630000
S_IDOCMETA  IDoc Metadata: Load and Display IDoc Metadata in XI     S_NEW_630000
F_PAYM_ACT  Additional activity checks for payment items/orders     S_NEW_640000
S_ALM_CONF  Alert Management: Configuration                         S_NEW_640000
S_ALM_CUST  Alert Management: Edit Alert Categories                 S_NEW_640000
S_PPF_CONF  Define Conditions for Actions                           S_NEW_640000
S_PPF_CUST  Edit Action Profile and Define Actions                  S_NEW_640000
N_1PLATH    ISHMED: Authorization for Day-Related Planning Authori  S_NEW_640000
S_PPF_ADM   Starting Processing Report, Administration Reports      S_NEW_640000
S_ICF_ADM   Administration for Internet Communication Framework     S_NEW_700000
S_RFC_ADM   Administration for RFC Destination                      S_NEW_700000
S_TREX_ADM  Administration of TREX                                  S_NEW_700000
IB_IBASE    Authorization Object for Installed Base                 S_NEW_700000
P_LSO_TU    Authorization for LSO Content Management                S_NEW_700000
PPF_ADMIN   Authorization for Parallel Processing                   S_NEW_700000
W_BUDG_TY   Budget Type                                             S_NEW_700000
S_RS_OHDST  Data Warehousing Workbench - Open Hub Destination       S_NEW_700000
S_RS_PC     Data Warehousing Workbench - Process Chains             S_NEW_700000
F_NTC_AMT   F_NTC_AMT                                               S_NEW_700000
F_NTC_PER   F_NTC_PER                                               S_NEW_700000
P_RU_0294C  HR-RU: Authority to check records of infotype 0294      S_NEW_700000
N_BORR_HIS  IS-H: Medical Records: Edit Borrowing History           S_NEW_700000
F_PSDO_VGT  PSCD Beleg: Contract Object Type Authorization          S_NEW_700000
F_PSDO_BEG  PSCD Document: Authorization Group for Contract Object  S_NEW_700000
S_SRMRECST  Records Management: Record: Authorizations for Record   S_NEW_700000
F_TD_CORR   controls the  correction of  an already fixed time dep  S_NEW_700000
N_2BI       i.s.h.med: Base Item                                    S_NEW_700000

The above authorisation objects are new objects added to existing functionality. Therefore, if no new functionality is utilised, only the above objects will have to be reviewed.

New Auth Object Review:

Transaction: SU24

Repeat for all objects.

Export the data and review.

Step2D: Lists all the old transactions replaced by SAP and the new transactions that replace them.

Now identify all the roles that contain the above-mentioned transactions. All these roles will need new authorisation objects assigned.
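
One way to carry out the role identification above on exported data, as an added example that is not part of the original guide: it assumes role authorization values were exported from table AGR_1251 as tab-separated text, and flags roles whose S_TCODE values cover a replaced transaction but not its successor. The role names, the ZOLD/ZNEW transaction pairs and the export layout are constructed for illustration.

```python
import csv
import io

# Constructed sample: tab-separated AGR_1251 export (column layout is an assumption).
SAMPLE_AGR_1251 = (
    "AGR_NAME\tOBJECT\tFIELD\tLOW\tHIGH\tDELETED\n"
    "Z_AP_CLERK\tS_TCODE\tTCD\tZOLD01\t\t\n"      # already holds old and new
    "Z_AP_CLERK\tS_TCODE\tTCD\tZNEW01\t\t\n"
    "Z_AR_CLERK\tS_TCODE\tTCD\tZOLD*\t\t\n"       # pattern value
    "Z_BASIS\tS_TCODE\tTCD\tZOA\tZOZ\t\n"         # LOW..HIGH range
    "Z_DISPLAY\tS_TCODE\tTCD\tZOLD02\t\tX\n"      # deleted value, ignored
    "Z_DISPLAY\tS_TABU_DIS\tACTVT\t03\t\t\n"      # other object, ignored
)

# Constructed old -> new pairs standing in for the Step2D list.
REPLACED = {"ZOLD01": "ZNEW01", "ZOLD02": "ZNEW02"}


def covers(low, high, tcode):
    """True if one S_TCODE value (single, '*' pattern or LOW..HIGH range) covers tcode."""
    if high:
        return low <= tcode <= high          # plain string comparison (assumption)
    if "*" in low:
        return tcode.startswith(low.split("*")[0])
    return tcode == low


def roles_needing_review(export_text, replaced):
    """Map role -> [(old, new)] where the role grants old but not new."""
    grants = {}
    for row in csv.DictReader(io.StringIO(export_text), delimiter="\t"):
        if row["OBJECT"] != "S_TCODE" or row["FIELD"] != "TCD" or row["DELETED"]:
            continue
        grants.setdefault(row["AGR_NAME"], []).append((row["LOW"], row["HIGH"]))
    findings = {}
    for role, values in sorted(grants.items()):
        for old, new in sorted(replaced.items()):
            has_old = any(covers(lo, hi, old) for lo, hi in values)
            has_new = any(covers(lo, hi, new) for lo, hi in values)
            if has_old and not has_new:
                findings.setdefault(role, []).append((old, new))
    return findings


if __name__ == "__main__":
    for role, pairs in roles_needing_review(SAMPLE_AGR_1251, REPLACED).items():
        for old, new in pairs:
            print(f"{role}: grants {old}, missing {new}")
```

Roles that reach the old transaction only through a wildcard or range are reported as well, since they will not pick up the replacement transaction automatically.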

Step3: This step transports the changes made in steps 1, 2a, and 2b.

The remainder of the steps are optional.