
Good Practice

SAP R/3 Security upgrade document


This document describes the process that we followed in the ECC 6.0 upgrade.

Copyright Notice
This document contains proprietary information of HCL Technologies Ltd. No part of this document may be reproduced, stored, copied, or transmitted in any form or by means of electronic, mechanical, photocopying or otherwise, without the express consent of HCL Technologies. This document is intended for internal circulation only and not meant for external distribution.

Author Contact Details Applicable Service Line Theme

Vishal Bhanti & 51302335 Vishal.bhanti@hcl.com +91 9899 078 902 IT Client projects

Project Engagement Delivery Unit SDU Practice implementation completed by Approximate effort for implementation of this practice (in man days) Is customer approval required to publish this practice (Yes/No)?

GE-NBCU Universal NBCUniversal Media, LLC SAP-(Capability name for security) SAP Security part only 210 Days No

HCL Internal


Contents
Context
About the Project
About the Author
References
Appreciations received for the Good Practice
Case Study: SAP SECURITY UPGRADE APPROACHES
Introduction
Abbreviations
SAP
ECC
ERP
Problem Faced/ What Went Wrong:
Solution Approach/ Remedial Action
Benefits
Key Benefits
Learning/ Improvements
Applicability to Other Projects


Context
About the Project
Customer Name

NBCUniversal Media, LLC

Customer contact details

30 Rockefeller Plaza New York City 10112, U.S. ACS--Juice-GNETMaster Data

SAP Code

C/081515

Project Name

NBCUniversal is one of the world's leading media and entertainment companies in the development, production, and marketing of entertainment, news, and information to a global audience. NBCUniversal owns and operates a valuable portfolio of news and entertainment television networks, a premier motion picture company, significant television production operations, a leading television stations group, and world-renowned theme parks. Comcast Corporation owns a controlling 51% interest in NBCUniversal, with GE holding a 49% stake.

About the Author


I joined HCL in June 2009 as a fresher and since then I have been working as an SAP SECURITY consultant in the NBCU UNIVERSAL project. I am a graduate and completed my BTECH from BIET Jhansi in 2008. I was part of the SAP SECURITY upgrade in my project, and there I learned many good practices that I am sharing in this document. I am very enthusiastic about this document; it really helps to collect some good memories of the upgrade project.

References
I have taken help from a document, "SAP R/3 Security upgrade document", that I prepared after the same project. A few more web links through which I collected important information are as follows:

http://www.sans.org/reading_room/whitepapers/authentication/technical-aspect-implementingupgrading-sap-security-46_119
http://www.erpgenie.com/sap/basis/Security%20upgrade%20white%20paper.htm


Appreciations received for the Good Practice


Here I am giving some quotes and messages that I received from our client:

Subject: RE: Test Plan for SAP GUI ERP6
Vishal, I wanted to thank you for your quick help yesterday with the adding of the t-codes for those 2 users. We'll review the cutover plan to ensure that they get added ahead of time. Thanks again for your support.

Subject: FW: ECC6 Test user IDs in RR3/RR4_v3.xls
Hi Vishal, On the attached list make sure that all user IDs have same access in RR3/RR4 as in RR1.
VERY IMPORTANT: Make sure all roles assigned to which user within this list are generated and all tabs in Profile Generator are GREEN. If you have any doubt or question, do not hesitate to let me know. Thank you for all the great work you have done for our team already!

Subject: RE: Run team access to RD4, RR4
Nice work.


Case Study: SAP SECURITY UPGRADE APPROACHES

Introduction
The purpose of this document is to provide information and practices that could be helpful with SAP Security upgrades, especially those pertaining to ECC 6.0.

Abbreviations
SAP: Systems, Applications and Products in Data Processing

ECC: Enterprise Control Component

ERP: Enterprise Resource Planning

Problem Faced/ What Went Wrong:


During the upgrade project we faced different types of problems, described below.

Authorization level problems:
In SAP, users are assigned access through roles, and each role incorporates different transactions. When upgrading these roles, special attention is needed while updating the authorization and org objects. We can have the following authorization object related problems.

Duplication of the same authorization objects:
This can cause issues with the field values defined for the object. A user is able to access transactions based on these field values only. If a role has a duplicate field value with the activity value *, the user is able to perform each and every task, such as displaying, changing or deleting a report, that was not actually given to him/her through this role.


While upgrading the roles we did not consider the OS field values of the new servers, which caused issues while posting some payments after the upgrade. This issue is due to the different operating systems of the 4.6C and ECC 6.0 versions: the earlier system was on AIX and the new one is on SUN OS.

That is why in ECC 6.0 the user was getting the authorization check for this object, as the OS now in use is SUN OS.

Transactions levels:
This covers adding the replacement transactions that substitute obsolete or old-version transactions, including the new Enjoy transactions. Problems can arise here, because replacing an old transaction with a new one can cause issues for users who are very familiar with the old transactions. I can recall many such cases in which users logged complaints that they were not able to perform a transaction that they were able to perform earlier, or were not able to see the same screen that they saw before the upgrade.

Checks for system security at the transition period of the systems:


This section is an essential part of the practice for upgrading an SAP system. During the transition from the old servers to the new servers, extra care is needed to secure both sets of servers; otherwise this can cause issues with critical transactions such as invoice payments and vendor payments.

Upgrades cutover activity:


There must be an appropriate cutover plan, and each responsible person should know his responsibility very clearly; otherwise there is very little possibility of rolling back the changes made during the cutover hours. Above all, there must be a defined time span during which the cutover activity can be performed.


Solution Approach/ Remedial Action


As standard and best practice, we should follow the methods below to obtain optimum results.

Authorization objects level issues:


Duplication of the same authorization objects: While upgrading the objects, make sure that the new duplicate field values have been deactivated. Per best practice, users should have only the access they had before the upgrade; hence there is no need to add any additional access in the field values of these authorization objects.
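The check described here and under "Problem Faced" can be automated by comparing role authorization data exported before and after the upgrade. The following is an added example, not part of the original document: the CSV layout, the role name Z_AP_CLERK and all sample rows are constructed assumptions, and F_BKPF_BUK with its ACTVT and BUKRS fields is used only as an illustrative standard authorization object.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not from the page). Assumed columns:
# role, object, instance, field, value, active (X = active, blank = deactivated).
PRE_UPGRADE = """role,object,instance,field,value,active
Z_AP_CLERK,F_BKPF_BUK,00,ACTVT,03,X
Z_AP_CLERK,F_BKPF_BUK,00,BUKRS,1000,X
"""
POST_UPGRADE = """role,object,instance,field,value,active
Z_AP_CLERK,F_BKPF_BUK,00,ACTVT,03,X
Z_AP_CLERK,F_BKPF_BUK,00,BUKRS,1000,X
Z_AP_CLERK,F_BKPF_BUK,01,ACTVT,*,X
Z_AP_CLERK,F_BKPF_BUK,01,BUKRS,1000,X
Z_AP_CLERK,F_BKPF_BUK,02,ACTVT,*,
Z_AP_CLERK,F_BKPF_BUK,02,BUKRS,*,
"""

def load(text):
    """Index active rows: instances per (role, object), values per field."""
    instances, values = defaultdict(set), defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        if row["active"].strip().upper() != "X":
            continue  # deactivated instances grant nothing
        instances[(row["role"], row["object"])].add(row["instance"])
        values[(row["role"], row["object"], row["field"])].add(row["value"])
    return instances, values

def review(pre_text, post_text):
    """List findings where the upgraded role grants more than the old one."""
    pre_inst, pre_vals = load(pre_text)
    post_inst, post_vals = load(post_text)
    findings = []
    for key, insts in sorted(post_inst.items()):
        if len(insts) > 1 and len(insts) > len(pre_inst.get(key, ())):
            findings.append(("DUPLICATE_OBJECT", *key, ",".join(sorted(insts))))
    for key, vals in sorted(post_vals.items()):
        old = pre_vals.get(key, set())
        if "*" in old:
            continue  # already unrestricted before the upgrade
        for value in sorted(vals - old):
            kind = "WILDCARD_ADDED" if value == "*" else "VALUE_ADDED"
            findings.append((kind, *key, value))
    return findings

if __name__ == "__main__":
    for finding in review(PRE_UPGRADE, POST_UPGRADE):
        print(finding)
```

In the sample, the active duplicate instance 01 is reported because its ACTVT value * widens the display-only access of the old role, while the deactivated instance 02 produces no finding.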

Transactions levels:
Make sure that the old transactions are not deleted when upgrading the roles. They can be replaced later, once users are familiar with the new equivalent transactions.

Checks for system security at the transition period of the systems:


Always make the old systems read-only during the transition period, as no critical transactions are allowed to be performed during that period. Also make sure that the old and new servers are open only to IT technical staff; they must not be accessible to every SAP user during the same period.


Upgrades cutover activity:


Clear ownership of each activity group should be established not only for testing purposes, but also for ongoing support and approval of changes. Ideally, the ownership and approval of changes should reside with different resources (i.e. the person requesting the addition of a transaction or authorization should not be the same person responsible for approving the request).

The detailed cutover plan differs from the overall security work plan in that the detailed plan outlines the exact steps to be taken during each system's upgrade. The security team needs to ensure that enough time is allocated for each action item and that this time is built into the overall cutover plan. The project manager is usually expected to give an indication to end users and key stakeholders as to when the Productive system will be unavailable during its cutover to the new release. This downtime should thus incorporate the time required to perform user master comparisons, unlocking of IDs and all other action items.

We performed two mock cutovers and a final cutover before the GO-LIVE of the system. These were the activities assigned to us under the security task:

Name of task | % Completed | Time taken | Task owner
Provide extended list of cutover team members and roles over cutover activities | 100 | 30 mins | Vishal Bhanti
Map cutover user ids to project team roles - MOCK 1 ONLY | 100 | 2 hrs | Vishal Bhanti
Create cutover user ids - MOCK 1 ONLY | 100 | 4 hrs | Vishal Bhanti
Lock current ID's in new system | 100 | 20 mins | Vishal Bhanti


Benefits
Operational Excellence - Business challenges and business user demand for new functionality to improve operational excellence, enable innovation, and support new business models

Key Benefits
Concept: CUTOVER
Without good practices: Business hours can be affected.
With good practice: Assurance of GO LIVE of new servers before the start of business hours.

Concept: Authorization objects values
Without good practices: Extra and unnecessary activities can be accessed by users that they should not actually have.
With good practice: Only appropriate and suitable access will be given to users.

Concept: Transactions replacement
Without good practices: Users would complain that they are not able to perform the earlier transactions.
With good practice: Comparatively fewer complaints will be logged.

Concept: Identification of high availability and disaster recovery requirements
Without good practices: Wait time would be very high in any disaster case if clear responsibility is not defined.
With good practice: Each and every issue will be addressed to the correct person and can be solved within a certain time span.

Concept: Security Checks
Without good practices: Users can perform any critical transaction, which can cause business loss to the organization.
With good practice: Access will be restricted and there would not be any possibility of such harm.

Learning/ Improvements
Extra care is needed during the hypercare period after the GO-LIVE of the upgraded systems. During this time any improvements or remedial actions can be performed; however, this should be done as soon as possible, otherwise it can cause business loss.

These are some points that should be followed during any upgrade:
- Each and every step must be well documented.
- Team managers must be informed about any disasters or human errors immediately.
- Clear identification of responsibilities.

Applicability to Other Projects


The same approach can be applied in any SAP SECURITY upgrade; however, it is more applicable to versions 4.6C onwards.
