Many companies are currently faced with the task of converting their SAP systems to SAP S/4HANA, because their ERP maintenance will be discontinued in the foreseeable future. Project planning usually only takes technical and organizational aspects into account, however; crucial security topics aren’t given enough priority. As a result, the implementation of the authorization concept and adaptation of the authorization roles often end up at the end of the line.
One stumbling block: missing objects in the authorization roles
SAP updates and release upgrades usually contain error corrections. However, the migration from ERP to SAP S/4HANA also entails enhancements to existing functions, as well as completely new functions. The Fiori apps set a stronger focus on the user experience and look, for example. But it isn’t only the appearance: Table structures and authorization checks implemented in programs are also updated during an upgrade to SAP S/4HANA. As a result, transactions might be checked for additional fields that were not relevant in the previous ERP system. Users who run these transactions after the migration will be severely impaired in their work. To avoid this stumbling block of missing objects in authorization roles, we recommend updating your authorization roles.
How can the authorization roles be updated with new authorization objects?
The initial situation in the ERP system and the corresponding authorization roles are the decisive factors here. Transaction SU24 enables you to modify the default values delivered by SAP Development, as well as define default values for the applications you have developed yourself. When the transactions and programs you have developed are maintained correctly in SU24, the corresponding authorization objects are proposed in transaction PFCG.
The SU24 default values are then listed in the custom tables USOBT_C and USOBX_C and can generally be transferred during the migration. Another option is to download the default values maintained in SU24 and uploading them in the new SAP S/4HANA system.
Once the maintained ERP default values have been defined in the new SAP S/4HANA system, particularly those for your customer developments, you can use transaction SU25 to update them to SAP S/4HANA.
SU25 is a transaction code that is used during the initial implementation of an SAP system and for every subsequent upgrade. This transaction code consists of six different steps, but you do not have to process all of them. We focus exclusively on steps 2a through 2c here.
When you execute step 2a, the SAP S/4HANA default authorization values are written to the SAP tables USOBT and USOBX. You then transfer the contents of these tables to the aforementioned custom tables USOBT_C and USOBX_C. To do so, you execute step 2b, which compares the standard SAP tables with the custom tables.
A red light indicates transactions maintained with different authorization objects in the ERP system. This view enables you to analyze deviations and edit them as needed.
Step 2c serves to identify the roles that are affected by the default authorization values you changed in the previous step. Here, SU25 shows you the roles that have to be merged again with the new authorization objects. In expert mode “Read old status and merge with new data”, you can load the correct default values – as long as the transactions were added to the menu when the roles were created.
Please note that roles with deleted authorization objects receive new objects automatically after merging. You should set these objects to “Inactive”. Your roles now have the correct objects at the authorization object level.
However, the conversion to SAP S/4HANA not only requires changes to authorization objects, but also changes at the transaction level, which you can display by executing step 2d. Since this report does not take all modifications into account, we also recommend examining the table PRGN_CORR2.
To assist you here, we offer optimal solutions with our SAST Role Conversion Service. These solutions help you migrate your roles and are a key component of every SAP S/4HANA migration project, both for crucial changes at the transaction level and to identify suitable Fiori apps.
Benefit from our expertise
Our practical experience has shown that companies often underestimate the role conversion, with its many necessary preparation steps. In addition to executing transactional changes, entire processes in Financials and, in particular, in the business partner area have to be redesigned.
If you need support for your SAP S/4HANA project, benefit from our expertise! Our SAP Security Consultants are experienced experts for authorization concepts and rollouts who have already executed many successful SAP S/4HANA customer projects. You can get more information on our website or simply contact us.
Paul Michaelis (SAP S/4HANA Authorizations Consultant, SAST SOLUTIONS)
Have a look at our free webinar on the topic of “SAST Role Conversion Service”. We will be happy to send you the link to access the recording “SAP Authorization Management: Tips for the secure conversion of your SAP ERP roles to S/4HANA”.
Topics based on this: