SAP Upgrades. Authorizations are always neglected, why?

Posted by Fabio Mambretti on Mar 18, 2022 12:00:00 AM

 

SAP updates are frequent. SAP releases feature updates to its products but also new features or patch security.

 

SAP Security Update

SAP installations receive these updates less frequently. A SAP update task still requires a certain amount of work. Although SAP has recently reduced the volume of updates by favoring frequency. Precisely to limit the impact on customers.

 

Although updates are made to introduce new features or ensure support from SAP, security aspects are almost always underestimated and overlooked.

 

So what to do before and after a security upgrade?

 

1. Prepare to upgrade your system

During the various releases of the new packages SAP tracks the new features or changes made to the system.

Through the help.sap.com website it's possible in fact to see for every released update what are the new introduced functionalities è possibile infatti vedere per ogni pacchetto rilasciato quale siano le nuove funzionalità introdotte.

 

SAP_UPGRADE

 

Reading the new features introduced for the reference component (e.g. BASIS area) from the departure release to the arrival release allows us to be ready to evaluate new Security SAP features introduced or understand any changes to existing features.

 

 

2. Technical or functional upgrade?

 

There are two types of SAP upgrades, technical or functional (sometimes the terminology can be different):

  • Technical how much an upgrade is made without introducing any new features. In other words, everything that was there before must also work in the new release
  • Functional, I upgrade the system to introduce a new functionality e.g.: "New General Ledger"

 

Of course the upgrade process in these cases requires different efforts and ways to address the project. In the first case, especially if the departure and arrival releases are very close, the efforts are much less, in the second case it is a real project.

 

in any case permissions and then roles need to be updated to take on the new features (even if not used).But what happens if it is not done?

  • Each change in the authorization roles will appear a pop-up warning of the non-update
  • The distance in permit terms between releases may shift the adjustment effort further in time. Switching from an ECC6 to S/4HANA, in the system conversion option, could actually be a jump from an older release of ECC 6 regarding permit aspects

 

3.The importance of not using SAP standard roles

 

As mentioned in the official documentation, one of the reasons not to use sap standard roles is due to system upgrades.

Sap standard roles can also be updated during release updates.

 

The direct use of these roles would therefore involve overwriting "our" roles with the newer ones.

 

That's why it's important, if you decide to use sap standard roles as your starting point, always make a copy in the customer's namespace (then Z or Y).

 

4.Is that how you did the roles? Are they ready for an SAP release upgrade?

 

In upgrade projects, the effort to upgrade roles can be a few days or several tens of days. This depends on how technically the authorization roles are made.

 

If the authorization roles (commonly also known as SAP profiles) comply with SAP best practices, you can use the automatic upgrade tool (called the SU25 transaction) following the steps it proposes.

 

In this case, SAP will automatically do a lot of work. All you have to do is adjust the roles (the more roles there are and the more transactions they contain, the more likely you are to have to update them will go up).

 

5. SAP HANA, S/4HANA what are sap security focus points?

 

It is advisable to clarify immediately what is the difference between HANA and S/4HANA.

  • HANA, this is sap's proprietary database. see also for example oracle db2 microsoft sql
  • S/4HANA (all attached) is the application that is installed on the HANA database. Corresponds to sap erp suite installed on HANA or other databases

 

What are the points of focus during upgrades to the HANA or S/4HANA database?

  • HANA database, from an application point of view there are not many actions to be carried out. It's basically transparent. However, it can be a time to review database security. For example, enable communications encryption, native to the HANA database, and hardening systems.
  • The approach to S/4HANA with regard to SAP permissions is very different. Here, in fact, the user access interface can change dramatically. Several new components are introduced:
    • SAP Gateway o FES Front End Server
    • SAP Backend o BES Back End Server
    • SAP Netweaver Business Client

 

Access to S/4HANA applications is via FIORI's graphical interface, which includes tiles (tiles) that can correspond to transactions in SAP ECC.

 

Here it is necessary to define an authorization concept between the EDF and the BES by enabling the Odata services necessary for the operation of the application.

 

Blog post originally translated from: https://www.aglea.com/blog/gli-upgrade-di-release.-le-autorizzazioni-sono-spesso-dimenticate-perch%C3%A9

 

Topics: patch, pfcg, su25, upgrade, HANA

Subscribe Here!

Blog Aglea, cosa puoi trovare?

Ogni mercoledì pubblichiamo articoli, interviste e documenti relativi alla security SAP.

Cosa puoi trovare:

  • Suggerimenti su come mettere in sicurezza i sistemi SAP
  • Come fare a … (How To)
  • Checklist
  • Gli errori comuni che spesso vengono fatti in ambito Security SAP
  • Interviste con esperti del settore
  • Chi è AGLEA quale è la nostra vision security SAP

Recent Posts

Post By Topic

See all