Updates & upgrades
Planning, coordination and installation of SAP Basis upgrades, support packages and patches
Due to the variety of tasks and the high complexity, I find my job extremely exciting. There are very many constellations of SAP systems and databases. Each installation, migration and update brings new aspects and challenges. It is precisely these challenges that are important to me, so that I can continue to learn and develop professionally on a daily basis.
A secure SAP system does not only include a good role concept. It is also necessary to check whether a user should (still) have a specific role. Regular verification of role assignment is called recertification. In this blog post, I'd like to introduce you to the need for recertifications and our own tool, EasyReCert. The need for recertification - scenarios: Example 1: The "apprentice problem" Imagine the following scenario: A new employee (e.g. apprenticeship or trainee) will go through various departments as part of his or her training and will work on various projects. Of course, an SAP User will be made available to your employee right at the beginning, which is equipped with appropriate roles. As each project and department passes, the employee repeatedly needs new permissions to meet the requirements. After the employee has successfully completed his or her induction and is now in a permanent position, he or she still has permissions that are not necessary to perform his or her duties. This violates the principle of "last privilede" and represents a potential security risk for your company. Example 2: The change of department The change of department is one scenario that probably occurs in every company. If a change of department does not automatically involve a complete reallocation of roles and the employee simply takes his old permissions with him, critical combinations of permissions can occur very quickly. For example, an employee who has permissions in accounts payable and accounts receivable violates the SoD ("Segregation of Duties") principle and poses a potential security risk to your company. Recertification as part of a revision: The two examples above show that a regular review of role allocation identifies potential security risks for your business and can be addressed.
A move is imminent
ABAP is therefore the tool of the trade for SAP developers. ABAP programs are executed on an SAP NetWeaver application server, which in turn is operated by SAP Basis employees.
To use all the features of the SAP Patch Manager, you need the following permissions: S_TRANSPRT S_CTS_ADMIN Both are in the S_A.SYSTEM permission profile. If you log in to the Mandant 000 and your user base contains the appropriate permission profile, then you can use all the features of the SAP Patch Manager. When you log in to another client or without the appropriate user profile, you can only use the display functions. Map this permission profile to the system administrator only. Only the system administrator should have permission to perform the following actions: Support Packages Download Support Packages Play Support Packages Confirm Successfully Recorded Support Packages Reset Support Package Status Support Packages eliminate errors in the SAP system or make necessary adjustments due to legal changes, for example. The affected objects will be replaced in your system. Each Support Package is valid for one release level (but for all databases and operating systems) and requires a precisely defined number of predecessors. The upgrade from the following release or revision level contains all support packages from the previous booths that were available until the upgrade was delivered. SPAM ensures that support packages are only played in the order specified. To avoid problems, play all support packages as they are deployed. This allows you to keep your system up to date.
"Shortcut for SAP Systems" simplifies tasks in the area of the SAP basis and complements missing functions of the standard.
PROJECT HISTORIES: THE SAP basis OF TOMORROW An entry in the Forum Infrastructure and Operations within the DSAGNet drew attention to the problem of the SAP basis as described above.
In order to drive innovation in the company, it is necessary to establish a team or a few experts whose recognised role is to promote research projects and PoCs, to continuously train themselves in this regard, to develop innovation proposals and to bring them into the committees.