
Post Upgrade - Profile Generator (SU25) - Support Required

SAPSupport
Employee

Recently, an upgrade was done from SAP S4 2020 to 2023.

Problem statement:
Post upgrade, we performed SU25 steps 2A, 2B and 2C and found that a very high number of roles (some thousands) were impacted by the changes made in 2A and 2B, with addition, deletion and update of authorization values.
Reviewing that very high number of roles is difficult since it is a manual task.

Concerns / queries for which support is needed:

  1. In which step (2A/2B/2C) will role changes happen?
  2. Once 2C is executed, will all the roles be changed before merge? If yes, what is the use of "Merge"?
  3. Post merge, will the role get updated with new values immediately?
  4. Is there a way we can stop updating the new values after executing 2A, 2B, 2C?
  5. Is there a way to identify roles that will be modified during 2A, 2B?
  6. What will be the consequences for existing users' access if we do not execute 2A, 2B, 2C post upgrade?
  7. After executing the 2C merge of authorizations, do we need to take immediate action on the roles, or can we take our own time to analyze and fix?
  8. Is there a way we can retain the old values in the roles after executing 2A, 2B, 2C?

Regards,

Security team.


SAPSupport
Employee

Dear Team,

Although these questions are already answered in the transaction documentation, on help.sap.com and/or in SAP notes/KBAs, here is an answer to your questions one by one:

  1. In which step (2A/2B/2C) will role changes happen? A: In 2C.
  2. Once 2C is executed, will all the roles be changed before merge? If yes, what is the use of "Merge"? A: When starting 2C, a flag for the requirement of the merge is set. At this point the 'old' authorization data still exists. Only with starting the merge is the comparison and update of authorizations with the existing auth. proposal values performed.
  3. Post merge, will the role get updated with new values immediately? A: No, only when you save or generate the profile is the data written to the DB.
  4. Is there a way we can stop updating the new values after executing 2A, 2B, 2C? A: Yes, for 2A, 2B you can use the 'Expert Mode for Step 2'; for 2C you can use the simulation of the merge (see SAP note 1941325).
  5. Is there a way to identify roles that will be modified during 2A, 2B? A: 2A, 2B do not modify role data. The Expert Mode for Step 2 offers the display of affected roles, 2C a simulation mode w/o updating the roles (see Q4).
  6. What will be the consequences for existing users' access if we do not execute 2A, 2B, 2C post upgrade? A: Users may get authorization errors for all functions with changed authorization checks.
  7. After executing the 2C merge of authorizations, do we need to take immediate action on the roles, or can we take our own time to analyze and fix? A: Yes, at least the roles for your core business processes and those handling sensitive data should be adapted immediately; all other roles can be updated later. Users can continue to work by using the role SAP_NEW (see KBA 2548064 for further information).
  8. Is there a way we can retain the old values in the roles after executing 2A, 2B, 2C? A: See Q4. Furthermore, you should create backup transports with step 3 and for your roles before/after reaching any milestone of the update process to have a fallback just in case.

b.rgds, Bernhard
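
To narrow the manual review of thousands of roles to those whose authorization values actually changed, the following added example (not part of the original thread and not SAP tooling) diffs two exports of role authorization data taken before and after a milestone. It assumes the data was exported to CSV with columns named as in table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH); the sample rows, role names and the choice of sensitive objects are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real system data). Column names are assumed
# to follow table AGR_1251; role names are hypothetical.
BEFORE = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_AP_CLERK,F_BKPF_BUK,ACTVT,03,
Z_AP_CLERK,F_BKPF_BUK,BUKRS,1000,
Z_AP_CLERK,S_TCODE,TCD,FB60,
Z_BASIS_MON,S_TCODE,TCD,SM21,
"""
AFTER = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_AP_CLERK,F_BKPF_BUK,ACTVT,03,
Z_AP_CLERK,F_BKPF_BUK,ACTVT,01,
Z_AP_CLERK,F_BKPF_BUK,BUKRS,1000,
Z_AP_CLERK,S_TCODE,TCD,FB60,
Z_BASIS_MON,S_TCODE,TCD,SM21,
Z_BASIS_MON,S_TABU_DIS,ACTVT,02,
"""

def load(text):
    """Return {role: set of (object, field, low, high)} from a CSV export."""
    roles = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        value = tuple(row[c].strip() for c in ("OBJECT", "FIELD", "LOW", "HIGH"))
        roles[row["AGR_NAME"].strip()].add(value)
    return roles

def diff_roles(before, after, sensitive=frozenset()):
    """List changed roles; roles touching a sensitive object sort first."""
    report = []
    for role in sorted(set(before) | set(after)):
        added = after.get(role, set()) - before.get(role, set())
        removed = before.get(role, set()) - after.get(role, set())
        if added or removed:
            hit = any(v[0] in sensitive for v in added | removed)
            report.append({"role": role, "added": sorted(added),
                           "removed": sorted(removed), "sensitive": hit})
    return sorted(report, key=lambda r: (not r["sensitive"], r["role"]))

if __name__ == "__main__":
    # Which objects count as sensitive is a local decision (assumption here).
    for r in diff_roles(load(BEFORE), load(AFTER), {"S_TABU_DIS"}):
        flag = "REVIEW FIRST" if r["sensitive"] else "review"
        print(f"{r['role']}: {flag}")
        for sign, values in (("+", r["added"]), ("-", r["removed"])):
            for v in values:
                print(f"  {sign} {v[0]} {v[1]}={v[2]}{'..' + v[3] if v[3] else ''}")
```

Roles that do not appear in the report had identical values in both exports and can be deprioritized in the review.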

 

ManikantaKonijerla
Discoverer

Hi,

Thanks for the response. Can we re-run steps 2A & 2B? Will this cause any inconsistency?

Regards,

Mani.

Bernhard_SAP
Advisor

Hello Mani,

Steps 2A and 2B won't create inconsistencies. As you seem to be performing the post-upgrade steps for the first time, please check out all the documentation first. Also, SAP course ADM940 provides a lot of information. As suggested already, create backup transports with step 3 of SU25 before and after any milestone (i.e. also before you start!) to have the opportunity to undo any changes. The transport needs to be exported to have the data you want to 'backup'. Please consult your Basis consultant in case you are not sure about the post-upgrade steps!

ManikantaKonijerla
Discoverer

Hi Bernhard,
Thanks for the response.
Using "Deactivate Merge Mode", we have deactivated merge mode for one of the roles, and this role is skipped from modification (the Authorizations tab is green).
However, when we try to add a new application (transaction / catalog), the role is getting updated with new authorizations.
By any chance, do we have an option to halt this?
Regards,
Mani.

Bernhard_SAP
Advisor

Well, obviously you have not noticed how the merge of authorizations works in PFCG. Please read SAP note 113290. The merge compares the menu entries and their SU24 proposals with the existing authorizations and updates them according to the rules listed in note 113290.
This is done whenever the merge is performed: automatically, when you change menu entries. This merge is not performed if you use Expert mode -> Edit old status. Sooner or later you need to consider whether to use the current SAP proposals copied to SU24 with step 2A or continue with your old existing SU24 proposals.