SAP updates are frequent. SAP releases updates to its products to introduce new features or to patch security issues.
SAP installations receive these updates less frequently. An SAP update task still requires a certain amount of work, although SAP has recently reduced the volume of each update by favoring frequency, precisely to limit the impact on customers.
Although updates are made to introduce new features or ensure support from SAP, security aspects are almost always underestimated and overlooked.
So what should you do before and after a security upgrade?
Across the various releases of new packages, SAP tracks the new features and the changes made to the system.
Through the help.sap.com website it is in fact possible to see, for every released package, which new functionalities have been introduced.
Reading the new features introduced for the reference component (e.g. BASIS area) from the source release to the target release allows us to be ready to evaluate new SAP security features or to understand any changes to existing features.
There are two types of SAP upgrades, technical or functional (sometimes the terminology can be different):
Of course, the upgrade process in these cases requires different efforts and different ways of approaching the project. In the first case, especially if the source and target releases are very close, the effort is much lower; in the second case it is a real project.
In any case, permissions, and therefore roles, need to be updated to take on the new features (even if they are not used). But what happens if this is not done?
As mentioned in the official documentation, system upgrades are one of the reasons not to use SAP standard roles.
SAP standard roles can also be updated during release updates.
The direct use of these roles would therefore involve overwriting "our" roles with the newer ones.
That's why it's important, if you decide to use SAP standard roles as your starting point, to always make a copy in the customer's namespace (that is, Z or Y).
In upgrade projects, the effort to upgrade roles can range from a few days to several tens of days. This depends on how the authorization roles are technically built.
If the authorization roles (commonly also known as SAP profiles) comply with SAP best practices, you can use the automatic upgrade tool (called the SU25 transaction) following the steps it proposes.
In this case, SAP will automatically do a lot of the work. All you have to do is adjust the roles (the more roles there are and the more transactions they contain, the more likely it is that you will have to update them).
It is advisable to clarify immediately what the difference between HANA and S/4HANA is.
What are the points of focus during upgrades to the HANA or S/4HANA database?
Access to S/4HANA applications is via the Fiori graphical interface, which includes tiles that can correspond to transactions in SAP ECC.
Here it is necessary to define an authorization concept between the EDF and the BES by enabling the OData services necessary for the operation of the application.
Blog post originally translated from: https://www.aglea.com/blog/gli-upgrade-di-release.-le-autorizzazioni-sono-spesso-dimenticate-perch%C3%A9