Visibility and management of SAP Security roles for deprecated transactions in S/4HANA
When migrating from ERP 6.0 to S/4HANA, it is important to understand that many transactions in SAP have been deprecated in S/4HANA – this is all part of the “simplification” process which SAP underwent in the move from ERP 6.0 to S/4HANA. The full simplification list for the 2020 release of SAP S/4HANA, detailing all the changes from ERP 6.0 can be found here.
The difficulty with the simplification list is that it stands at 1075 pages long and covers all industry solutions and modules of SAP. As a result, much of the information will not be relevant for your SAP installation. So how do you quickly find out which transactions have been made redundant?
There is a way to do this by looking at a few tables in SAP. The first to view is table PRGN_STAT.
If you look at all the entries in this table, you can see which is the latest release you are on by looking at the SAP Release field. Do this in your old version of SAP and your new version which has been installed, to get the “from” and “to” releases.
Once you have these, enter these into table PRGN_CORR2. So, for example, if you are moving from an old 620 release to a new 752 release, add these entries into the table:
In this example, you can see that there are 386 transactions which have been replaced between these two systems.
Now you know which transactions you should focus on. These should be fed to your functional consultants to evaluate which ones are in use in your solution.
Once you know which new transactions are in scope for security purposes, you need to address the issues around them. The problems become apparent when you base your security roles on the standard legacy SAP backend security roles: the legacy roles are not updated with the new transaction codes, which shows up as soon as users try to access the new transactions. There is, believe it or not, a good reason for this. The new transactions are not always the same as the old ones and therefore may not necessarily be a good fit for the security role. SAP has therefore left it up to the end client to make the decision and amend the roles accordingly.
However, it would be unfair of SAP to leave all this work in the client’s court without some functional help – as a result, there is a really useful ABAP program which can assist. You can use this program to view all the affected transactions, which roles they are assigned to, whether the transactions are redundant or replaced, and also update the roles to add the new transactions.
The program is called PROFGEN_CORR_REPORT_2 and can be run in transactions SE38 or SE80. This should be done by your security consultant in consultation with the functional consultant for the functional area in question.
The selection screen is as below. It allows you to run the report unrestricted or restricted to individual roles, with the additional ability to select single or composite roles.
The roles are not updated with the new transactions until you follow the next steps.
View the role first – in my example below, you can see that transaction XD03 is assigned to the role FIN_NWBC_DEMO, but that the XD03 transaction has been replaced by SAP transaction BP.
There are numerous ways to view the transaction assignments for a role but I like to use the User Information System cockpit available in transaction SUIM:
Select “Transaction Assignments” to show all the transactions assigned to this role.
As you can see, only transaction XD03 is assigned currently to the role – the replacement transaction BP is not assigned. This can be changed by running this program to update the role.
Return to your program and with the role highlighted in the list, select the “Automatically adjust menu” button:
Select “Yes” to the question:
The entry is now amended so that the status is green to show that the role has been adjusted. In the background, SAP has removed the old transaction XD03 from the role and replaced it with the new transaction BP. The Automatic Adjustment column has changed from “Entry will be replaced” to “Transaction has been replaced”.
To view this, return to SUIM and green-arrow back one screen and execute the Transaction Assignments for the role again. You will now see that the deprecated transaction XD03 has been removed and replaced by the new transaction BP.
This process should be executed for all the roles in the program which are used as templates for your own roles. To identify which roles are affected by the transaction changes, it is probably a good idea to export the full list from the program to Excel. From there you can easily filter on the transaction codes identified in your initial steps, which shows you which roles need to be updated.
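The filtering step can also be scripted once the report output is saved as CSV. The following is an added example, not part of the original article or of SAP's program: the column headings, the role names other than FIN_NWBC_DEMO and the Z* transaction codes are constructed assumptions, while the two status texts are the ones the report shows above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of the report export saved as CSV. Column headings are
# assumptions; adapt them to the headings in your own export.
SAMPLE_EXPORT = """Role,Old Transaction,New Transaction,Automatic Adjustment
FIN_NWBC_DEMO,XD03,BP,Entry will be replaced
FIN_NWBC_DEMO,ZOLD1,ZNEW1,Entry will be replaced
Z_SALES_TEMPLATE,XD03,BP,Transaction has been replaced
Z_SALES_TEMPLATE,ZOLD2,ZNEW2,Entry will be replaced
Z_PURCH_TEMPLATE, xd03 ,BP,Entry will be replaced
"""

# Status text the report shows once a role menu has been adjusted.
DONE = "Transaction has been replaced"


def roles_to_adjust(export_text, in_scope_old_tcodes):
    """Split in-scope report rows into roles still pending and roles adjusted.

    Returns (pending, adjusted), each mapping role -> [(old_tcode, new_tcode)].
    Any status other than DONE counts as pending, so an unexpected status
    text is surfaced for review instead of being silently dropped.
    """
    scope = {t.strip().upper() for t in in_scope_old_tcodes}
    pending, adjusted = defaultdict(list), defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        old = row["Old Transaction"].strip().upper()
        new = row["New Transaction"].strip().upper()
        if old not in scope:
            continue  # transaction not used in this installation
        status = row["Automatic Adjustment"].strip()
        target = adjusted if status == DONE else pending
        target[row["Role"].strip()].append((old, new))
    return dict(pending), dict(adjusted)


if __name__ == "__main__":
    # In-scope list as returned by the functional consultants (constructed).
    pending, adjusted = roles_to_adjust(SAMPLE_EXPORT, ["XD03", "ZOLD2"])
    for role, pairs in sorted(pending.items()):
        print(role, "still needs adjusting:", pairs)
    for role, pairs in sorted(adjusted.items()):
        print(role, "already adjusted:", pairs)
```

Re-running the script on a fresh export after adjusting the roles gives a quick check that no in-scope template role is still pending.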
So here are the steps in summary:
1. View table PRGN_STAT in the old and new versions of your system to identify the latest release and get the “from” and “to” releases.
2. Add the “from” and “to” releases into table PRGN_CORR2 to see the replaced transaction codes – take a copy of all the transactions and send to the functional analysts to identify which ones are used.
3. Execute program PROFGEN_CORR_REPORT_2 in full to see all obsolete transactions.
4. Export to Excel and filter by the transactions you will use in your installation, to identify the role names.
5. Adjust the roles.
Once completed, you can copy the roles as normal and your S/4HANA system will be fully up to date with the corrected transactions.
Author: Jon Simmonds, Senior IT Architect