• Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

Support Package Upgrade: How to Update SAP Authorization Roles, Part 1

  • Font size: Larger Smaller
  • Hits: 6933
  • 2 Comments
  • Print

If you haven’t already noticed, in some SAP support packages several T-Codes have been replaced with other T-Codes. These changes create a challenge in maintaining your company’s authorizations, and there are also implications to the GRC module. So, what do you do?

iStock_000015527840XSmall.jpeg

Follow these two main steps:

1. Update user authorizations so they match the T-Code changes

2. Update the relevant GRC rules and add the new T-Codes

Step #1: Updating User Authorizations

An authorization manager, a customer of ours, was requested to modify all employee authorization roles to accommodate for the T-Code changes during a support package upgrade project. But, considering the amount of users and the amount of roles in the organization, the task was estimated to take at least three weeks worth of work.

The current user authorizations had already been bothering him. He felt that the user authorizations were too widespread and for some time he’d wanted to narrow them down according to actual de-facto usage. Replacing the T-Codes now would be prolonging a situation that was not efficient.

He decided to use the opportunity to his advantage and came up with a better idea from a security point of view – one that would be much more efficient in terms of SAP authorizations. He would replace the T-Codes only for the users who really use these T-Codes, and delete them from users who don’t. This would get the job done well, and increase the security level. Great idea.

So now Step 1 (Update user authorizations so they match the T-Code changes) has become two sub-steps:

1a. Identify who really used the old T-Codes

1b. Update user roles and authorizations according to actual usage

Step 1a: Identify who really used the old T-Codes

How would this authorization manager know which T-Codes were in use, and by whom?

He could have used ST03N in order to identify the T-Codes that were recently used, but not only would that have taken him a significant amount of time, he would also have had to work hard on the raw data in order to get usable results for the project. Because he was using ProfileTailor Dynamics anyway, he was able to identify within a matter of minutes who really used the old T-Codes. He created an Activity Group “Old T-Codes” and produced the report called “Activity to Users (Real Use).” Since the software is based on user behavior analysis, the report showed him a list of users and the T-Codes they’d been using over the past year including the amount of use. He was able to see the most active T-Codes (see image below) and also the most active users with these T-Codes, so he could easily know where to put his focus.

Authorizations_Report_Pivot_Excel.pngThis report showing activities and their corresponding usage percentages allows the authorization manager to focus on the most active ones. The tabs at the bottom of the spreadsheet include the raw data.

 

Step 1a? Check.

Now the authorization manager is on his way to updating SAP authorization roles for the SAP support package upgrade.

Look for our next posts to see how he accomplished 1b and Step 2.

See how ProfileTailor Dynamics can help you put your authorizations in order.

Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.

Comments

  • Guest
    Punit Bafna 04/06/2014

    Hi Yoav, Good Article. Can we have a demo of the ProfileTailor Dynamics tool and how it can coexist with GRC10 and other tools in place.

  • Guest
    Yoav Michaeli 04/06/2014

    Hi Punit Bafna,
    Thank you for your kind words. Yes, I will ask our sales team to contact you.
    Regards, Yoav

Leave your comment

Guest 28/04/2017

Headquarters

+972-3-624-4245

157 Yigal Alon Street,

Tel Aviv 67443, Israel

info@xpandion.com

US Office

+1-800-707-5144

33 West 19th Street, New York,

NY 10011, USA

info.us@xpandion.com

India Office

+91-989-2546216

C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India

info@xpandion.com