SAP Security

System Upgrade Checklist

Procedure Step by step for Support Activities for System Upgrades For
SAP Backend Systems (ECC, SRM, BI, Solman, PI and GRC- Backend)

Development Client - Pre System Upgrade Activities:

Task
No Task Responsible Team Status

Prepare a list of roles to be excluded during post upgrade

analysis by obtaining list of obsolete/unused roles (roles
1 Security
that exist only in non prod system and obsolete roles in all
systems). This will reduce the post upgrade effort.
Capture Backup reports of users, roles, user groups in
system using SUIM and SE16 obtain the following reports.
Reports:
USOBX_C, USOBT_C, ADP, ADR6, AGR_1251, AGR_1252,
AGR_1252, AGR_AGRS, AGR_TCODES, AGR_USERS,
RSPARAM_ERD, USR02, USR04. SUPC- report on all roles.
In PFCG- Utilities- Run overview status and save file.
2 Security
Enterprise Portal – Report of roles, group and user
assignment.
Files:
Enterprise Portal- Export file of all portal roles.
Backend System- Download all Roles (standard and
customized z*)

Ensure list of critical Auth Object documentation is up to

3 Security
date.
Obtain Upgrade Side Effect notes from Basis and
4 Security
perform analysis.

Development Client - Upgrade activities

Task
No Task Responsible Team Status
 Disconnect Child Systems from CUA
1 Security
Obtain from Basis team a list of userids (examples – SAP*,
DDIC,SAPCPIC) to be unlocked during upgrade activity.
2 Security
Lock all users except requested excluded userids.

Development Client -Post System Upgrade Activities:

Task
No Task Responsible Team Status

Using SUIM confirm the count of users, roles and user

group in current system is equal to count of users in old
1 Security
upgrade system

Perform SUPC to determine if any roles needs to be

2 Security
generated
Using SU25 Performing Step 2a to determine if there is any
Default value been compared with newly introduced SAP
3 Security
Values

Review the list of critical Authorization Objects to

4 determine if the changes proposed in SU25 will grant Security
unauthorized access to users in production.
Using SU25 Performing Step 2b to determine if there is
updates to previously maintained and newly introduced
SU24 updates. Review the tcodes to determine tcodes that
are flagged as “no” but currently recommended to be set
5 to “Yes” by SAP Default values. Review details with client Security
and if approved make updates to the tcodes. Changes will
be collected in a workbench transports. All tcodes shown
in report should be collected in transport to clean final
report produced in production.
Using SU25 Performing Step 2c to determine the roles
affected by new added or updated Authorization objects.
Document changes and review details with client.
6 If changes are approved, updates to the role should be Security
performed. Changes will be collected in a customizing
transport. All roles shown in report should be collected in
transport to clean all affected roles in production.
Using SU25 Performing Step 2d to determine the roles that
require to be added as replacement to old transactions.
Review these change to determine changes to process
6 Security
roles in production. Confirm tcodes are not added to more
than one role as a result of this change. Review changes
with client and make updates to the technical roles.

SAP Security Upgrade Documentation 2|P a g e

 Process roles menu needs to be regenerated to reflect
change. Profiles needs to be generated to make updates
to newly introduced Authorization objects. Changes will be
collected in a customizing transports All roles shown in
report should be collected in transport to clean all affected
roles in production.
Using SCC1 in test clients, move customizing transports to
7 Security
test environments.
Perform SUPC in Test environment to determine if any
8 Security
roles needs to be generated
Prepare Test details for role changes made via Step 2c and
Step 2d. Roles that did not have any changes performed
and FFID roles do not require testids. Send Test details to
Teams performing validation testing. If applicable for SRM
system - CheckOrg Chart Assignment and Complete
assignment on newly created testid.
9 Security
For Step 2c- Testids should be created for tech roles
affected

For Step 2d – Testids should be created for process roles

affected.

Perform a review to determine obsolete roles in

10 production. Role deletion can be performed during the Security
upgrade if approved.
11 Perform PFUD to perform user comparison Security
12 Connect new child system to CUA Security
13 Test to confirm a new user can be modified via CUA Security
In Child System test to confirm access to create a role is
14 Security
available.
Check CUA, GRC and BOBJ system to perform security
15 Security
activities validation.
16 Unlock Validation Users Basis
Confirm with PMO or Basis that Post Security Upgrade
17 Security
Activities is performed
Receive confirmation from Basis team to unlock all active
18 Basis
users
Communicate back to Basis or PMO that all active users
19 Security
have been unlocked in the system.
Perform Validation Testing of Affected Security team
20 Security
related transactions.
21 Fix all security errors received during validation testing Security
Run SOD Checks and compare with production to
22 Security
determine if there is any newly introduced SOD conflicts

SAP Security Upgrade Documentation 3|P a g e

Staging, QA, Training, Prod - Pre System Upgrade Activities:

Task
No Task Responsible Team Status

Perform a review of all roles that exist only in child

1 systems and delete obsolete roles. This will reduce the Security
post upgrade effort. (not performed in PROD)
Capture Backup reports of users, roles, user groups in
system using SUIM and SE16 obtain the following reports.
Reports:
USOBX_C, USOBT_C, ADP, ADR6, AGR_1251, AGR_1252,
AGR_1252, AGR_AGRS, AGR_TCODES, AGR_USERS,
RSPARAM_ERD, USR02, USR04. SUPC- report on all roles
2 Security
Enterprise Portal – Report of roles, group and user
assignment.
Files:
Enterprise Portal- Export file of all portal roles.
Backend System- Download all Roles (standard and
customized z*)
Confirm with Basis that a back up of user master record is
3 performed. This backup should only be performed for Basis
Users and authorizations
Disconnect Child Systems from CUA
4 Security
Ensure list of critical Auth Object documentation is up to
5 Security
date.
Create Testids required for Post upgrade activities in
6 Security
Staging environment
7

Staging, QA, Training, Prod - Upgrade activities

Task
No Task Responsible Team Status

Lock all dialog users except Basis and Security team

1 Security

Staging, -Post System Upgrade Activities:

Task
No Task Responsible Team
Status

SAP Security Upgrade Documentation 4|P a g e

 Using SUIM confirm the count of users, roles and user
group in current system is equal to count of users in old
1 Security
upgrade system

Perform SUPC to determine if any roles needs to be

2 Security
generated
3 Perform User Comparison - PFUD Security
4 Perform PFUD to perform user comparison Security
5 Connect new child system to CUA if required. Security
6 Unlock Validation Users Security
Unlock all Active Users and communicate to Basis or PMO
7 Security
when activity is completed.
Prepare Test details for role changes made via Step 2c and
Step 2d. Roles that did not have any changes performed
and FFID roles do not require testids. Send Test details to
Teams performing validation testing- Test performed in
development systems needs to be retested in every
environment. If applicable for SRM system - CheckOrg
Chart Assignment and Complete assignment on newly
created testid.
8 Security
For Step 2c- Testids should be created for tech roles
affected

For Step 2d – Testids should be created for process roles

affected.

Set validity dates for 3 months to decommission ids after

upgrade
Confirm with PMO or Basis that Post Security Upgrade
9 Basis
Activities is performed
10 Test to confirm a new user can be modified via CUA
In Child System test to confirm access to create a role is
11
available.(Not Required in production)
Check CUA, GRC and BOBJ system to perform security
12
activities validation.
Perform Validation Testing of Affected Security team
13 Security
related transactions.
14 Fix all security errors received during validation testing Security
15 Run SOD Checks Security
16
QA, Training, Prod -Post System Upgrade Activities:

SAP Security Upgrade Documentation 5|P a g e

 Task
No Task Responsible Team Status

Using SUIM confirm the count of users, roles and user

group in current system is equal to count of users in old
1 Security
upgrade system

2 In PFCG- Utilities- Run overview status and save file. Security

Perform SUPC to determine if any roles needs to be
3 Security
generated .Perform User Comparison - PFUD
Connect new child system to CUA if required. (not
4 Security
required)
5 Unlock Validation Users Security
Unlock all Active Users and communicate to Basis or PMO
6 Security
when activity is completed.
7 Test to confirm a new user can be modified via CUA Security
In Child System test to confirm access to create a role is
8 Security
available.(Not Required in production)
Check CUA, GRC and BOBJ system to perform security
9 Security
activities validation.
Perform Validation Testing of Affected Security team
10 Security
related transactions.
11 Fix all security errors received during validation testing Security
12 Run SOD Checks Security
13
14

SAP Security Upgrade Documentation 6|P a g e