Many of the discussions in the Security Forum relating to upgrades remain unanswered as the topic is huge and available information is distributed in bits & pieces in the various threads, which makes it difficult to search and find. This wiki is created to gather the useful information as one central reference, which can be built further by all who wish to contribute to it.
This wiki has its origins in the forum thread "Upgrade 46C to ECC 6 0 STEP BY STEP" --> http://forums.sdn.sap.com/thread.jspa?threadID=1022424&tstart=0. The thread also contains lots of useful information.
Before the upgrade.
- Role data often shows the symptoms of legacy security concept design and possible missing features in older releases. Most noticeable of these are roles which have lost their relationships to their menus (and all side effects...) caused by unmaintained SU24 data. An upgrade is often an opportunity as well to rebuild roles using more sustainable procedures. Reference: Search results: "opportunity AND upgrade"
- You must verify that the SU25 step 1 has been executed correctly in the Development system. This should have been done during the installation and should not be performed again unless you want to wipe out all your SU24 changes.
- You must compare your SU24 settings between DEV, QAS and PRD because sometimes these might not have been transported or the target systems were open(ed) and changed there.
- You should also verify whether any data was changed in SU22 (never change SU22!). Any mismatch needs to be consolidated in SU24 of your DEV system to restore it to be "ahead" of the other systems in the transport routes. If you have any systems out-of-sync, it makes sense to send through a transport of all SU24 entries to restore the system settings.
- Before starting to upgrade roles which you do not use, you can consider deleting the obsolete ones. You must prior check whether the role is not assigned to ANY USER in ANY CLIENT of the transport domain otherwise the import events will not allow it's deletion. There is currently only the possibility to delete roles manually in the system and you must remember to capture them in a transport beforehand. For information about mass deletion of roles (please be careful!) and generally about transporting roles see SAP note 313587 and 571276.
During the upgrade.
- Temporarily use the Central User Administration (CUA) to migrate the users to the new system. To be able to delete the CUA again, add the master system (source system in lower release) to itself as a child system. Reference: Copy User Masters from 4.7 to ECC 6.0
- In step 2B, please be careful of the button "SAP File" (Cope the rest of the SAP file). If you have made improvements to SU24 settings which are not included in the upgrade (i.e. you did not report them to SAP...) then this will perform a mass acceptance of all SAP proposals again for any transaction on the list. It is worthwhile to spend some time in step 2B and check in parallel which roles are affected, because in step 2C the roles are upgraded and you want to be able to do as much of that as possible in an (semi)automated way. I.e. via transaction SUPC.
After the upgrade.
- Verify the clean-up / disabling of connection data to the shadow instances. Reference: SAP_UPGRADE_SHADOW_SYSTEM - User and Shadow system
- Step 2D is unreliable and only as good as what the SAP developers maintained the table behind it. In honesty, it seems the marketing folks have access to SM30 and the developers don't know about this table... :-) Take a look at the suggestions and make adjustments manually after talking to your business units who use the applications. Please see SAP note 991377.
- Remember to transport all your SU24 changes through to PRD. This is necessary in case you do need to or accidentally do open a role in QAS or PRD and want the proposals to be the same and is necessary for the "No check" indicators otherwise the systems would behave differently for the same roles.
- After the upgrade steps are completed, it is advisable to verify in transaction SUPC that all the roles have current generated profiles. The execution of the SU25 step 2 tasks will in most cases have turned all the roles "red" and in need of regenerating the profiles.