Investigating Installation and Upgrade Tasks

Objective

After completing this lesson, you will be able to manage installation and upgrade tasks in SAP Business Role Maintenance.

Basic Settings for Using Role Maintenance

Activating Role Maintenance after a new installation requires two steps.

Required Steps for Operating Role Maintenance

  • The SAP system profile parameter auth/no_check_in_some_cases has the value "Y"

  • The default tables are filled, which control the behavior of Role Maintenance when a transaction is selected in a role.

Both steps are described in detail in this lesson.

Hint

The parameter auth/no_check_in_some_cases is already set to "Y" in the default settings. You only need to create the customer default tables.

Screenshot of transaction RZ11 showing parameter auth/no_check_in_some_cases and its current value.

You only need to check that the profile parameter is set to the correct value.

To check this, use transaction RZ11. The figure shows transaction RZ11 after you have entered the parameter name (auth/no_check_in_some_cases). For Current value, Y must be entered.

You can find more details on the currently selected parameter by choosing Documentation.

Alternatively, you can select and check the parameter setting using report RSPFPAR.

Hint

If the parameter has the value "N", it must have been set to this value in the default profile or in the instance profiles of the SAP system. Transaction RZ10 is used to maintain and manage these profiles (you can call this transaction by choosing Tools → CCMS → Configuration → Profile Maintenance → System Profiles). Use this transaction to delete the parameter from both the default and the instance profiles. The parameter is then set to its default value "Y".

Where do the Default Values Come From?

Illustration showing where the default values for Role Maintenance come from.

If an administrator selects a transaction while creating a role, Role Maintenance selects the authorization objects that are checked in this transaction and maintained in Role Maintenance. Four cases can occur:

  • For an authorization object against which the check is performed in the selected transaction, Role Maintenance has default values for the authorization content so that full authorization can be provided. The traffic light beside the authorization is green.

  • For an authorization object against which the check is performed in the selected transaction, Role Maintenance does not have default values for the authorization content. In the example on the slide, the SAP Office transaction SO01 has been selected, from which you can access files at operating system level. For security reasons, no specifications are made as to which files can be accessed in read-only or in write mode. The traffic light beside the authorization is yellow.

  • For an authorization object against which the check is performed in the selected transaction, Role Maintenance does not have default values for the authorization content, and this field is an "organizational level field". The traffic light beside the authorization is therefore red.

  • It may be the case that some authorization checks during transaction processing were not maintained in Role Maintenance. The corresponding authorization objects do not appear in the profile overview.

    Hint

    This should, however, only occur as an exception. It is usually sensible to maintain the missing authorization objects in the tables using transaction SU24.

Tables USOBX_C and USOBT_C control the behavior of Role Maintenance after the transaction has been selected. After a new installation, these tables are empty and must be filled with values before Role Maintenance is used for the first time. The next step, shown on the next slide, is required to do this.

Initial Fill of the Default Tables

Diagram showing the transaction SU25 copying the SAP defaults from USOBX and USOBT to the customer tables USOBX_C and USOBT_C.

SAP delivers the tables USOBX and USOBT. These tables are filled with default values and are used for the initial fill of the customer tables USOBX_C and USOBT_C. After the initial fill, you can modify the customer tables, and therefore the behavior of Role Maintenance, if required.

Table USOBX defines which authorization checks are to be performed within a transaction and which are not (despite programmed authority-check command). This table also determines which authorization checks are maintained in Role Maintenance.

Table USOBT defines for each transaction and for each authorization object which default values an authorization created from the authorization object should have in Role Maintenance.

Under menu item 1, Initially Fill the Customer Tables, transaction SU25 copies the SAP defaults from USOBX and USOBT to the customer tables USOBX_C and USOBT_C. You can use Role Maintenance as of this point.

Caution

If you call transaction SU25 and there are already values for date/time and user entered under Point 1, filling the table again would delete the changes that you have made and overwrite them with the SAP values.

For a full description of the functions of "SU25", choose the Information about this transaction button.

Adjusting Authorization Default Status

Graphic showing the adjustment of authorization default status.

After the customer tables USOBX_C and USOBT_C have been filled, you can maintain them to adjust the behavior of Role Maintenance and the authorization checks to be performed for each transaction. The tables are maintained in transaction SU24.

This transaction displays the authorization default values of a transaction.

Note

As of SAP NetWeaver 2004s, the check status (check or do not check) is separated from the default authorization status. The display and maintenance options in transaction SU24 have been modified accordingly.

The behavior of objects is governed by the maintenance status of the authorization object and the check indicator.

  1. Authorization Default Status

    Possible values for the authorization default status are as follows.

    Authorization Default Status:

    • Yes

      By setting this default status, developers inform administrators that the user requires an authorization for this object to execute the core functionality of the application.

      If this application is added to a role, the Profile Generator adds an authorization for this object in the role. The fields of the authorizations are predefined with the proposed values.

    • Yes, Without Values

      By setting this default status, developers inform administrators that the user requires an authorization for this object to execute the core functionality of the application. However, the developers cannot specify any values, since these are only determined in the customer system.

      If the administrator adds the application to a role, the Profile Generator places an empty authorization for this object in the role.

    • No

      By setting this authorization default status, developers inform administrators that a user does not require an authorization for this object to execute the core functionality of this application.

      If this application is added to a role, the Profile Generator does not place an authorization for this object in the role.

    Hint

    To edit the preset check indicators and default values (in SU24), you need the authorization object S_DEVELOP with the following values:

    • ACTVT: 03 (Display) or 02 (Change)

    • DEVCLASS: Any

    • OBJTYPE:

      - SUSK (assignment of transaction to authorization object in customer systems)

      - SUST (assignment of transaction to authorization object in SAP systems)

    • OBJNAME: Name of the transaction

    • P_GROUP: Any

  2. Check Indicator

    The following check indicator values are supported.

    Check Indicator

    • Check

      Default check indicator.

      The appropriate authorization object is always checked.

    • Do Not Check

      The authorization check for this authorization object is deactivated. The system does not check whether the user has a suitable authorization.

      This indicator cannot be chosen for HR and Basis authorization objects.

      Caution

      Authorization check is suppressed during runtime.

  3. Maintenance status of authorization object

    The maintenance status of an authorization object indicates whether authorization default data has been maintained correctly for the object.

    Possible values are

    • 'Maintained' (green icon) - Default status (and any authorization field values) have been maintained completely.

    • 'Not maintained' (red icon) - The authorization default status has not yet been maintained or another priority 1 error has occurred.

    • 'Maintained with warning' (yellow icon) - Authorization field values have not been maintained correctly for the object; a priority 2 (or lower) warning exists.

    • 'Do not check' (gray icon) - The authorization check has been disabled for the object (Check Indicator is set to "Do not check").
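The four cases for a selected transaction (green, yellow, red, absent) and the SU24 maintenance status above can be modelled as a small lookup over the two customer tables. This is an added example, not SAP code: the USOBX_C/USOBT_C rows are constructed from the FD03 values used later in this lesson plus clearly marked Z_DEMO_* objects, and the "$BUKRS" placeholder and the S_TCODE entry follow the usual SU24/PFCG behavior.

```python
"""Model of how Role Maintenance (PFCG) derives a role's authorizations from
the SU24 customer tables USOBX_C (check indicator + default status) and
USOBT_C (proposed field values), and how SU24 rates each entry.
Illustrative example, not SAP code: rows are constructed from the FD03
values in this lesson plus clearly marked Z_DEMO_* objects."""
from dataclasses import dataclass
from typing import Optional

CHECK, DO_NOT_CHECK = "Check", "Do Not Check"                # check indicator
YES, YES_NO_VALUES, NO = "Yes", "Yes, Without Values", "No"  # default status


@dataclass
class UsobxRow:
    """One USOBX_C entry for (transaction, authorization object)."""
    tcode: str
    obj: str
    check: str
    default_status: Optional[str]   # None = not yet maintained in SU24


USOBX_C = [
    UsobxRow("FD03", "F_KNA1_APP", CHECK, YES),
    UsobxRow("FD03", "F_KNA1_BUK", CHECK, YES),
    UsobxRow("FD03", "F_KNA1_BED", CHECK, YES),
    UsobxRow("FD03", "Z_DEMO_NOVALUES", CHECK, YES_NO_VALUES),
    UsobxRow("FD03", "Z_DEMO_NOPROP", CHECK, NO),          # checked, no proposal
    UsobxRow("FD03", "Z_DEMO_NOCHECK", DO_NOT_CHECK, NO),  # check suppressed
    UsobxRow("FD03", "Z_DEMO_OPEN", CHECK, None),          # status not maintained
]

# USOBT_C: (tcode, object, field) -> proposed values. "$BUKRS" is the SU24
# placeholder for an organizational-level field filled per role in PFCG.
USOBT_C = {
    ("FD03", "F_KNA1_APP", "ACTVT"): ["03", "C2"],
    ("FD03", "F_KNA1_APP", "APPKZ"): ["F"],
    ("FD03", "F_KNA1_BUK", "ACTVT"): ["03"],
    ("FD03", "F_KNA1_BUK", "BUKRS"): ["$BUKRS"],
    ("FD03", "F_KNA1_BED", "ACTVT"): ["03"],
    ("FD03", "F_KNA1_BED", "BEGRU"): [],   # left open for the administrator
}


def proposed_fields(tcode, obj):
    return {f: list(v) for (t, o, f), v in USOBT_C.items()
            if t == tcode and o == obj}


def su24_maintenance_status(row):
    """Icon SU24 shows for one entry: gray, red, yellow or green."""
    if row.check == DO_NOT_CHECK:
        return "gray"                       # 'Do not check'
    if row.default_status is None:
        return "red"                        # default status not maintained
    if row.default_status == YES and any(
            not v for v in proposed_fields(row.tcode, row.obj).values()):
        return "yellow"                     # 'Yes' but a field has no value
    return "green"                          # maintained completely


def profile_generator(tcode, org_levels):
    """Return {object: (traffic_light, {field: values})} for a role whose
    menu contains tcode. 'Do Not Check' and status 'No'/unmaintained
    objects are omitted, as they are from the profile overview."""
    role = {"S_TCODE": ("green", {"TCD": [tcode]})}   # always added for menu
    for row in USOBX_C:
        if (row.tcode != tcode or row.check == DO_NOT_CHECK
                or row.default_status not in (YES, YES_NO_VALUES)):
            continue
        fields, missing_org = proposed_fields(tcode, row.obj), False
        for f, vals in fields.items():
            if vals == ["$" + f]:           # org level: take the role's value
                fields[f] = [org_levels[f]] if f in org_levels else []
                missing_org |= f not in org_levels
        if missing_org:
            light = "red"                   # organizational level undefined
        elif row.default_status == YES_NO_VALUES or any(not v for v in fields.values()):
            light = "yellow"                # values still to be maintained
        else:
            light = "green"                 # full authorization can be proposed
        role[row.obj] = (light, fields)
    return role
```

Running profile_generator("FD03", {"BUKRS": "1010"}) reproduces the exercise result later in this lesson: F_KNA1_APP and F_KNA1_BUK green, F_KNA1_BED yellow, and the unchecked or "No" objects absent.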

Caution

If you change the field values, these are distributed by Role Maintenance as new defaults during role maintenance. This affects all roles for which the affected transaction is in the menu, and the authorization values are read again (Read old status and merge with new data).

This is the case regardless of whether the change in the role is for this transaction or a different transaction.

Hint

In the SAP standard, there is currently no restore function for SU24 data. For a small volume of changes, you can reset them manually using the change documents (displayed with report SU2X_SHOW_HISTORY, or read from tables USOBT_CD and USOBX_CD).

If the SU24 data in your system appears to be inconsistent, you can analyze and repair it using report SU24_AUTO_REPAIR. This report automatically detects and repairs inconsistencies that have a negative effect on PFCG or on the upgrade post-processing steps (transaction SU25).

For details about these reports, see SAP note 1539556 - Administration of authorization default values.

Upgrading Role Maintenance

After an upgrade, transactions that were selected in the menu of existing roles can be protected using additional authorization objects in the target release. This means that tables USOBT_C and USOBX_C have to be updated as well as the existing roles.

The authorization checks added in the target release require that tables USOBX_C and USOBT_C as well as the roles created in the source release be updated to the latest version. To do this, you can use the transaction SU25, step Postprocess of Settings After Upgrading to Higher Release.

Illustration showing the postprocess of settings after upgrading to higher release.

Caution

When executing transaction SU25, keep in mind that the customer may have changed table USOBX_C or USOBT_C in the source release. The step Installing the Profile Generator in transaction SU25 must not be executed for this reason, as it would completely overwrite the tables.

Consequently, a comparison procedure is required, which is performed using the step Postprocess the Settings After Upgrading to a Higher Release.

Automatic Comparison with SU22 Data

This compares Role Maintenance data from the previous release with the data for the current release. New default values are written in the customer tables for Role Maintenance. You only need to perform a manual adjustment later (in step 2B) for transactions in which you changed the settings for authorization default values. You can also display a list of the roles to be checked (step 2C).

Modification Comparison with SU22 Data

If you have made changes to the authorization values in transaction SU24, you can compare these with the new SAP defaults. You can see the values delivered by SAP and the values that you changed next to each other, and you can make an adjustment, if desired. You can assign the authorization default values by double-clicking the relevant line.

Search for Obsolete Applications

This step searches for obsolete, locked, or no-longer-existing transactions or function modules so you are able to adapt PFCG roles for correct authorization in the new SAP release.

Update of Application Groups in Role Menu

You have inserted application groups (for example, SAP Fiori tile catalogs) into the menu of roles. The applications contained in the application groups were also included in the role menu as subnodes of the groups. If you add applications to a group or delete applications from a group, you must update the role menu.

Roles to be Checked

This step guides you through all the roles that are affected by newly-added authorization checks and that have to be changed to correspond. You can jump directly to Role Maintenance.

Hint

Steps Automatic Comparison with SU22 Data and Modification Comparison with SU22 Data make changes to the customer tables of Role Maintenance. If you want to transport these changes, choose step Transport of Customer Tables in transaction SU25.

New Functionality in SU25: Deactivating Merge Mode in Step "Roles to be Checked"

Transaction SU25 is required after an upgrade to update the customer-specific authorization default values and roles. Step Roles to be Checked provides a list of roles that are affected by the newly added or changed authorization default values. Roles whose authorization data must be merged get the "Profile comparison required" status (merge mode) and are marked with red traffic lights. The merge mode triggers an automatic merge when you open the role in Role Maintenance (transaction PFCG). This automatic merge is often undesired, because role administrators may want to display the original authorization data before the merge takes place.

With the new functionality in Step Roles to be Checked, you can now select a set of roles that have a red status and deactivate the merge mode using function key F7. All the roles that you process in this manner get a new yellow status. When you now navigate back to transaction PFCG, the system no longer merges the roles automatically, but displays the relevant authorization data. To take advantage of this new feature, import the relevant Support Package, see SAP Note 1417883.

As long as one role has a yellow status, the function key F8 can be used to reactivate the merge mode. You can change between the active and inactive mode as many times as required. Whenever step Roles to be Checked is called again, roles with an inactive merge mode are automatically transferred to active mode.

Additional information related to this new function enhancement:

  • Meaning of the Statuses

    The role statuses in Step Roles to be Checked are not identical to the authorization statuses of roles in the Authorizations of Role Maintenance. Step Roles to be Checked refers only to whether or not the authorization data should or can be merged. The status of the related authorization profiles in PFCG is irrelevant. The exact status definitions are as follows:

    • Red: The authorization data must and can be merged (merge mode is active).

    • Yellow: The authorization data must be merged, but this is not possible (merge mode is inactive)

    • Green: The authorization data has already been merged.

  • Role Lock

    During a status change, the roles are temporarily locked. Roles that cannot be locked remain in their old status.

  • Roles that Have a Green Status

    For roles for which the authorization data has already been merged, you can never change the status. Selecting these roles has no effect. Once you have transferred all the roles in the list to green status by merging the authorization data, you do not have to perform any further activities in step Roles to be Checked. As a result, the functions for changing the merge mode and the selection functions are no longer available.
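The status rules for step Roles to be Checked (F7 deactivates the merge mode, F8 reactivates it, green roles never change, roles that cannot be locked keep their status, and re-entering the step puts inactive roles back into merge mode) can be written out as a small state model. This is an added example, not SAP code; the role names and the can_lock callback that simulates the temporary role lock are constructed for illustration.

```python
"""State model of step 'Roles to be Checked' in transaction SU25.
Added example, not SAP code: role names and the lock callback are
constructed for illustration."""

RED, YELLOW, GREEN = "red", "yellow", "green"


class RolesToBeChecked:
    def __init__(self, statuses, can_lock=lambda role: True):
        # statuses: {role: RED|YELLOW|GREEN}; can_lock simulates the
        # temporary lock taken on each role during a status change.
        self.statuses = dict(statuses)
        self.can_lock = can_lock

    def _switch(self, selected, from_status, to_status):
        """Move the selected roles from one status to another. Roles in
        any other status (including green) and roles that cannot be
        locked keep their old status; the changed roles are returned."""
        changed = []
        for role in selected:
            if self.statuses.get(role) != from_status:
                continue
            if not self.can_lock(role):
                continue
            self.statuses[role] = to_status
            changed.append(role)
        return changed

    def deactivate_merge_mode(self, selected):
        """F7: red (merge mode active) -> yellow (merge mode inactive)."""
        return self._switch(selected, RED, YELLOW)

    def reactivate_merge_mode(self, selected):
        """F8: yellow -> red; only offered while at least one role is yellow."""
        if YELLOW not in self.statuses.values():
            return []
        return self._switch(selected, YELLOW, RED)

    def merged(self, role):
        """Authorization data merged in PFCG: the role turns green for good."""
        self.statuses[role] = GREEN

    def reenter_step(self):
        """Calling the step again transfers every inactive role back to
        active merge mode."""
        for role, status in self.statuses.items():
            if status == YELLOW:
                self.statuses[role] = RED
        return dict(self.statuses)

    def pfcg_merges_automatically(self, role):
        """PFCG merges on entry only while the role is in merge mode."""
        return self.statuses.get(role) == RED

    def merge_functions_available(self):
        """Status and selection functions disappear once all roles are green."""
        return any(status != GREEN for status in self.statuses.values())
```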

Generate Standard Role SAP_NEW

Diagram of the four steps to upgrade role SAP_NEW: 1. SU25, 2. select source release, 3. execute role generation, 4. display SAP_NEW in PFCG.

If you use a very large number of roles, it can be useful, for reasons of time, to do without the postprocessing initially and to assign the role SAP_NEW to the users manually. The role SAP_NEW is used to bridge the differences between releases in the case of new or changed authorization checks for existing functions, so that your users can continue to work as normal.

The role SAP_NEW must be generated in accordance with the system environment in transaction SU25 → Manually Adjust Selected Roles → Generate Standard Role SAP_NEW or SAP_NEW_F4, or using the report REGENERATE_SAP_NEW.

After generation, the role SAP_NEW contains authorizations for all new checks in existing transactions.

The role SAP_NEW guarantees backward compatibility of the authorizations if a new release or an update or authorization checks introduce checks for previously unprotected functions.

Caution

This role contains very extensive authorizations, since, for example, organizational levels are assigned with the full authorization asterisk ("*").

Once you have included the new authorization checks in your authorization concept, delete the role SAP_NEW from each of the corresponding master records. Do not wait until you have finished processing everything, but do it immediately, "user for user", to avoid retaining authorizations that are too extensive.

Hint

In older SAP releases, where the report GENERATE_SAP_NEW is not available, you still require the profile SAP_NEW. Therefore, you must use transaction SU02 for the profile administration and to assign the SAP_NEW profile to the users manually.

This composite profile contains very extensive authorizations, since, for example, organizational levels are assigned with the full authorization asterisk ("*").

Temporarily assign either the previously adjusted composite profile SAP_NEW or the relevant single profiles contained in it, SAP_NEW_"Release". You require all single profiles between the old release and the new release.

Note

The role SAP_NEW_F4 contains the full authorization for all objects with the field ACTVT and the fixed value F4 and further directly registered objects. This role is not part of XPRA and should, in general, only be used if required.

Workbench for Switchable Authorization Scenarios

A central switchable authorization check is needed for different application scenarios and as a requirement for security-relevant corrections to the authorization concept.

If SAP delivers new authorization checks in already established business processes via corrections delivered in a Note or Support Package, these checks should be available in the customer's landscape, but they should not affect production processes. You can identify new authorization checks with scenario names in the delivered code. A scenario groups together the new or changed authorization checks of a business process. The switchable authorization scenario construct is a simple way of introducing tighter security requirements scenario-by-scenario, according to customer requirements. The cross-application solution of switchable authorization checking creates the necessary transparency about the degree of conversion of tighter authorization concepts.

For details on switchable authorization scenarios, refer to SAP Notes 1908870 - SACF: Workbench for switchable authorization scenarios and 1922808 - SACF: FAQ - Supplementary application information.

Practice System Exercise: Maintain Authorization Default Values

Note

If you have access to a practice system, you can now execute this exercise.

Business Example

This exercise reinforces the topics of default values for Role Maintenance, proposal values, and the steps to perform after an upgrade.

Task 1: Display the Authorization Default Values

Display the authorization default values for transaction FD03.

Steps

  1. Start the Maintain Authorization Default Values transaction (SU24).

    1. In the OK code field, enter transaction code SU24.

      Note

      You can also start the Maintain Authorization Default Values transaction in the SAP Reference Implementation Guide (SPRO):

      - SAP Menu: Tools → Customizing → IMG → Execute Project (transaction code: SPRO).

      - IMG path: SAP Customizing Implementation Guide → SAP NetWeaver → Application Server → System Administration → Users and Authorizations → Maintain Authorizations and Profiles Using Profile Generator → Work on SAP Check Indicators and Field Values.

      - Choose Change Check Indicators.

  2. Display the authorization default values for transaction FD03 and check the following:

    Are there any authorization objects with the default status

    - Yes

    - Yes, Without Values

    - No

    ____________________

    To which authorization objects is the default status "Yes" assigned?

    __________________________________________________________

    1. Enter FD03 in the Transaction Code field.

    2. Choose Execute (F8).

    Result

    There are authorization objects with the default status Yes and Yes, Without Values shown.

    The default status "Yes" is assigned to the following authorization objects:

    - B_BUPA_RLT

    - F_KNA1_APP

    - F_KNA1_BED

    - F_KNA1_BUK

    - F_KNA1_GEN

    - F_KNA1_GRP

    - F_MANDATE

  3. Which default values are assigned to the authorization fields of the authorization object F_KNA1_APP?

    Fill in the following table.

    Object     | Field | Value (Interval)
    F_KNA1_BUK |       |
               |       |
               |       |

    1. The authorization default values are listed in the Authorization Default Values area.

    2. Check the entries in the line with authorization object F_KNA1_APP.

      Object     | Field | Value (Interval)
      F_KNA1_APP | ACTVT | 03
                 | ACTVT | C2
                 | APPKZ | F

    3. Choose Back (F3) to return to the initial screen of the Maintain Authorization Default Values transaction.

  4. To which authorization objects is the default status "No" assigned?

    1. Choose the Complete Object List icon.

      There are further authorization objects with the default status No shown.

Task 2: Compare the Automatically Entered Authorizations in a Role with Authorization Default Values

Create a role GR##_FI_FD03 and compare the automatically entered authorizations with the authorization default values from the previous task.

Steps

  1. Start the role maintenance transaction and create the predefined role. Enter a short description, and save.

    1. SAP Menu:

      Tools → Administration → User Maintenance → Role Administration → Roles (transaction code PFCG).

    2. Enter the name for the role GR##_FI_FD03 in the Role field.

    3. Choose Create Single Role.

    4. Enter description Check authorization default values in the Description field.

    5. Then choose Save (Ctrl+S) to save your role.

  2. Add the transaction FD03 to the role menu.

    1. Go to the Menu tab page.

    2. Choose the Transaction button and enter the following transaction code in the Transaction code field:

      - FD03

    3. Choose Assign Transactions.

    4. Then choose Save (Ctrl+S) to save your role.

  3. Go to the Authorizations tab page and define the organizational levels.

    Define the organizational level:

    - Organizational level: Company Code= 1010

    Why do you have to enter an authorization value for the company code?

    __________________________________________________________

    1. Go to the Authorizations tab page.

    2. Choose Change Authorization Data.

    3. Enter the following values in the Define Organizational Levels window:

      - Company code: 1010

    4. Why do you have to enter an authorization value for the company code?

      The field company code has been created as an organizational level.

    5. Choose Save (Ctrl+S) to save the authorization values for the organizational levels.

  4. Answer the following questions.

    For which authorization objects did the system automatically generate authorizations?

    ______________________________________

    ______________________________________

    ______________________________________

    ______________________________________

    Why is the status of the authorization objects F_KNA1_APP, F_KNA1_BUK, and F_KNA1_GEN set to Standard and why is the traffic light symbol status set to green?

    __________________________________________________________

    __________________________________________________________

    __________________________________________________________

    1. Expand Object Class AABB and Object Class FI.

    Result

    The system automatically generates authorizations for the following authorization objects:

    Green light:

    - S_TCODE

    - F_KNA1_APP

    - F_KNA1_BUK

    - F_KNA1_GEN

    Yellow light:

    - B_BUPA_RLT

    - F_BNKA_MAN

    - F_BNKA_MAO

    - F_KNA1_AEN

    - F_KNA1_BED

    - F_KNA1_GRP

    - F_MANDATE

    The status of the authorization objects F_KNA1_APP, F_KNA1_BUK, and F_KNA1_GEN is set to Standard and the traffic light symbol status is set to green for the following reasons:

    All fields of the authorization objects F_KNA1_APP and F_KNA1_GEN could be filled with default values.

    The organizational level field of F_KNA1_BUK is interpreted as an authorization default value.

  5. Maintain Authorizations - Set all open authorization values to full authorization (top set of traffic lights).

    1. Choose the Status button.

    2. Choose Execute (Enter) in the Assign Full Authorization of Subtree window.

  6. Maintain Authorizations - Generate the authorization profile for your role.

    1. Choose the Generate icon.

    2. In the Assign Profile Name for Generated Authorization Profile window, accept the proposed profile name and choose Execute (Enter).

    3. Choose Back (F3) to return to the Change Roles screen.
