Security Excel Report

The Security Excel Report includes the following spreadsheets.

Impacted Roles

This spreadsheet lists the roles impacted by the migration. These roles have authorization objects that have been either added or removed on the To-Be system.

Details

During an SAP installation, a table named USOBT is created, which contains SAP’s standard for associating authorization objects with SAP transactions. This table controls the authorization checks made by ABAP objects. During an upgrade, customers must perform a step which copies their existing profiles from the As-Is system to the To-Be system, adjusting any differences that the newer USOBT table may contain.

  • There may be new authorization objects, not currently associated with As-Is transactions, that are required for the new To-Be transactions.
  • Authorization objects that are checked in the As-Is system may have been removed from the To-Be system.

After the copying step has taken place, each of the changed profiles on the To-Be system should be adjusted to meet the customer’s security standard. This usually involves significant effort, and must be given serious consideration when estimating the time and resources required for the migration.

The SAP HANA Migration Assessment App extracts the profiles from the specified As-Is and To-Be systems, and performs a comparison of the used transactions and associated objects enabled by each of the profiles, excluding any universal or derived roles. The Impacted report lists each impacted profile, including its associated transaction code and the transaction code’s authorization objects. The status of each authorization object is also shown. REMOVED authorization objects exist on the As-Is system only; NEW authorization objects exist on the To-Be system only.

The Impacted report should be used as follows:

  • The report’s contents should be compared to your list of critical roles, authorizations or authorization objects. While this report can be large, a quick review of the critical roles and transaction codes is beneficial. Any critical transactions identified should be added to testing scripts.
  • Roles should be reviewed by SAP Security and each authorization object verified and compared with the ‘Unused’ report. If any roles are not used, removing them would reduce the size of the report and the scope of testing for future migrations.
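
The comparison and the critical-transaction review described above can be sketched as follows. This is an added example, not the app's own code: the role names, transaction codes, authorization object names, the `kind` field and the critical list are all constructed for illustration.

```python
# Constructed sample data: transaction code -> authorization objects checked.
AS_IS_TCODE_OBJECTS = {
    "ZT01": {"Z_OBJ_A", "Z_OBJ_B"},
    "ZT02": {"Z_OBJ_C"},
    "ZT03": {"Z_OBJ_D"},
}
TO_BE_TCODE_OBJECTS = {
    "ZT01": {"Z_OBJ_A", "Z_OBJ_E"},  # Z_OBJ_B dropped, Z_OBJ_E added
    "ZT02": {"Z_OBJ_C"},             # unchanged
    "ZT03": {"Z_OBJ_D", "Z_OBJ_F"},  # Z_OBJ_F added
}
# Constructed roles; "kind" is a hypothetical field marking the role type.
ROLES = {
    "Z_ROLE_AP": {"kind": "single", "tcodes": ["ZT01", "ZT02"]},
    "Z_ROLE_AP_1000": {"kind": "derived", "tcodes": ["ZT01"]},
    "Z_ROLE_GL": {"kind": "single", "tcodes": ["ZT02"]},
    "Z_ROLE_MM": {"kind": "single", "tcodes": ["ZT03"]},
}
EXCLUDED_KINDS = {"universal", "derived"}  # left out of the comparison
CRITICAL_TCODES = {"ZT01"}                 # your own list of critical transactions


def diff_objects(as_is, to_be):
    """Return {tcode: [(object, status)]} for objects present on one side only."""
    changes = {}
    for tcode in sorted(set(as_is) | set(to_be)):
        old, new = as_is.get(tcode, set()), to_be.get(tcode, set())
        rows = [(obj, "REMOVED") for obj in sorted(old - new)]  # As-Is only
        rows += [(obj, "NEW") for obj in sorted(new - old)]     # To-Be only
        if rows:
            changes[tcode] = rows
    return changes


def impacted_roles(roles, changes, critical):
    """List (role, tcode, object, status, is_critical) for each impacted role."""
    rows = []
    for role, info in sorted(roles.items()):
        if info["kind"] in EXCLUDED_KINDS:
            continue
        for tcode in info["tcodes"]:
            for obj, status in changes.get(tcode, []):
                rows.append((role, tcode, obj, status, tcode in critical))
    return rows


if __name__ == "__main__":
    changes = diff_objects(AS_IS_TCODE_OBJECTS, TO_BE_TCODE_OBJECTS)
    for row in impacted_roles(ROLES, changes, CRITICAL_TCODES):
        print(*row, sep="\t")
```

Rows flagged as critical are the transactions to add to testing scripts; roles with no rows are not impacted.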

System Info

This spreadsheet describes the As-Is and To-Be systems used in the analysis.
