Dual Landscape - Maintenance

Hi Experts,
We have dual landscape being maintained in a complex environment.
Landscape1:
Dev1 --> QA1 ---> PROD
Landscape2:
Dev2 --> QA2 ---> UA1 ---> PROD
Landscape1 is being used for break-fix environment. Landscape2 is being used for major release. So it is necessary that both the landscapes should be in sync all the time. There are multiple teams working in both the environments. Each break fix being pushed into prod is being synced (manual development) in Dev2 and pushed to QA2 --> UA1. For go live of every release, prod is being copied onto Dev1 & QA1 or transports are imported into Dev1 & QA1.
Is there a way to copy objects across landscapes in BW? Any suggestions on how to maintain sanity in this kind of scenario would be appreciated!

Landscape1 : Dev1-> Quality1-> PROD
Landscape2: Dev2->Quality2->UA2->PROD
Landscape2 is maintained at a higher support pack than landscape1.
Any tools / recommendations / processes which can be used for dual landscape scenarios would be appreciated.
Existing process:-
1) break fix / enhancement work move from landscape1. Frequency daily to weekly worked by multiple teams.
2) Major release like implementing a new module move from landscape 2 to prod. Frequency -> 6 - 12 months.

Similar Messages

  • BI dual landscape for upgrades

    We recently built a dual / parallel landscape for our BI system to support a support stack upgrade.   I've used the dual landscape concept for many years when doing ERP upgrades, and it has worked very well.   We thought a dual landscape for BI would work also.   However, we did not consider the automatically generated objects in BI.
    What we found is that with 2 development systems, even though BI objects are created with the same logical name, the technical (generated) name will be different between the 2 systems.
    Has anyone successfully implemented a dual-landscape for BI?   If so, how did you synchronize the technical names of objects between development systems without transporting the objects from one development system to the other?   Note: I'm of the opinion that you need to be extremely careful transporting objects between systems with different release/support pack levels and therefore avoid it at all costs . . .  Note 1090842 + several bad experiences.   Therefore, I am very unlikely to consider transporting the objects created in PSD to RLD as a valid solution.
    The following is just an attempt to better describe the issue:
    Production support landscape looks like this:
    PSD  ->  BWP   (these systems have lower release/SP levels than the systems in the release landscape)
    Release landscape looks like this:
    RLD  ->  RLQ  -->  Changes will eventually go to BWP after release/SP upgrade in BWP
    Let's say queryA must be developed and transported to BWP prior to the release/SP upgrade in BWP.
    In PSD queryA is created and gets assigned technical name 123456 and is transported to BWP.
    In RLD queryA also gets created, but gets assigned technical name ABCDEF.
    Sometime after the release/SP upgrade, when you are back to a single landscape (RLD -> RLQ -> BWP), a change needs to be made to queryA.   When you transport queryA to BWP, you end up with 2 queryA's, one with technical name 123456 and one with technical name ABCDEF.

    Hey.  I worked for years in a dual landscape environment and at one point, some folks were actually looking at three paths all pointing to production.  The three path idea got squashed fairly quickly, but we had two landscapes for as long as I can remember.  So we essentially had:
    PAD --> PAQ --> Prod
    PBD --> PBQ --> Prod
    This was very helpful to be able to work on major releases and upgrades while still allowing weekly maintenance releases.  I never looked for a document that deeply discussed the concept and pitfalls to watch out for. 
    I will say the system synch-up could often become quite a pain.  This may sound a little crazy but we would transport from landscape A to landscape B but dual code from B to A.  This was because A was for the triannual major releases and upgrades and B was maintenance work.  There were times when we would transport both ways, but we tried to stay away from that (except for queries). 
    The idea was that anything that went to prod as maintenance, out of B, should be dual coded in parallel in A.  Then once a tri-annual type release went from A, all those new transports and dual coding would be moved to B.  This is how we kept everything in sync and it worked rather well.  You always had to be careful around the time of the tri-annual go live, but that's to be expected. 
    The only objects we had constant problems with were queries.  I don't know of anything you can do about that.  We eventually decided to always transport queries between the two landscapes.  We would never manually dual code a query.  We would eventually get the duplicate query issue in production.  The pitfall here is if the same query is getting touched for maintenance and a major release... that was just something we had to workaround.  But we never had any major problems with transporting between the two landscapes.  The times it became a huge headache is when people would forget to dual code, or just plain do a bunch of prototyping in one of these environments when they should have been using a sandbox.
    Not sure if I have answered your question, but hope this helps in some way.  At least you know plenty of us feel your pain!

  • Dual Landscape. Overwriting 3.5 queries with 7.0 version

    We have a dual landscape. The production path uses the 3.5 version of BEX analyzer and hence any queries that need to be moved to production have to be developed in 3.5. On the alternate path, we manually dual sync them in 7.0 version. What happens when the 7.0 queries eventually come into production? Will they overwrite the existing 3.5 queries successfully? Anybody who has experience with this, please post your reply.

    Thanks for your reply. Let me explain the process in steps to make it more clear
    Step 1 - A new query Zxxx was developed in the Dev_server_1 as a 3.5 Query and transported to Production server
    Step 2 - A similar query with the same technical name Zxxx was developed in the  Dev_server_2 (dual sync path) in version 7.0
    Step 3 - Zxxx to be moved from Dev_server_2 to Production server
    Will step 3 above work without problems? Is this the right way to do it? Are there better ways to handle this issue?
    Thanks in advance for any reply posts

  • 5 system landscape for MDM?

    We are in the process to layout infrastructure for release 2 of our transformation project for ECC, MDM, PI, BODS. We are debating on possible solutions
    1) typical 5 system landscape like below.
    DEV->QA->PRD
    DEV2->QA2
    DEV2, QA2 are project landscape and others are maintenance landscape. After project testing, changes from QA2 will be moved to DEV, QA, PRD
    2) dual landscape
    Here, layout is same as option 1 but for go live changes will be moved directly from QA2 to PRD.
    I like to know what are the pros/cons of each approach.

    Hi Subin,
    The first approach is a lot easier to manage and involves lesser risks.
    Also as Vag rightly points that in case of different Vendors co-ordination is also an important point to consider before designing such a landscape.
    We too used the first approach and once our major change was done, we merged the systems which in your case are DEV2 and QA2. This was a much cleaner approach.
    Thanks,
    Ravi

  • BW upgrade landscape

    Hi,
    There is no BW upgrade forum so I post my question here.
    We are going to upgrade SAP BW 3.5 to BI7 soon. Source systems are ECC 5.0 but we plan to upgrade ECC later. (please do not discuss why not upgrade ECC with BW).
    It was a 3 - 4 months project so we will use dual landscape, one for current production support and one for upgrade.
    Current BW:
    BWD --> BWQ --> BWP
    Current ECC:
    ECD --> ECQ --> ECP
    Upgrade BW landscape
    BD2 --> BQ2
    My questions:
    1) Is it necessary to have a dual system landscape for ECC?
    2) For upgrade BW landscape, can we still use BWD & BWQ for SID? (If so, we do not have to convert the logical system)
    3) The database size of BWP is 10G (Yes, very huge). and I am sure there is a little config difference between BWD & BWP. I want to copy BWP BW 3.5 to BD2 then upgrade to BI7, then delete all transaction (or even master) data in BD2, so I can get a clean, small BI7 development system. Does it work?
    Thanks for your comment.
    James

    HI,
    1) Is it necessary to have a dual system landscape for ECC?
    It's not mandatory and necessary, it's up to you, but suggestion is to use at least one server as staging server which should be the copy of current PRD upgrade
    2) For upgrade BW landscape, can we still use BWD & BWQ for SID? (If so, we do not have to convert the logical system)
    Yes, of course you are creating both as independent landscape so same SID can be used.
    3) The database size of BWP is 10G (Yes, very huge). and I am sure there is a little config difference between BWD & BWP. I want to copy BWP BW 3.5 to BD2 then upgrade to BI7, then delete all transaction (or even master) data in BD2, so I can get a clean, small BI7 development system. Does it work?
    Technically it will work but how will you manage and identify transactional and master data?
    Additionally standard way of upgrade is
    1) Create a staging server copy of PRD and perform test upgrade
    2) Upgrade DEV-QA-PRD in sequence.
    Hope it will help you.
    Regards,

  • 2 Developement Systems (4 System Landscape)???

    Dear all,
    An idea of a person in our project is (because he wants to make sure that nobody/no further project destroys - nonsense but reality) that we have to customize new objects etc. in a further development system AB2 and transport these into the original development system AB1.
    Could anybody give me some pros or cons, or does anybody have experience with such a construction?
    Many thanks
    DiDi

    Pro:
    Provided access is limited in the new development system, the design should be stable and controlled
    If using a strict and unique naming convention, you can prevent collisions and overwriting
    Con:
    Expensive to allocate hardware/resource to configure new landscape
    If objects are transported with the same technical names, collisions and overwriting will occur
    I think every situation is different, but the most typical scenario and justification for a dual landscape is having one system to support break fixes in the current production environment and another system for new projects. Making a new system for each project introduces more complexities. If you have too many projects going on simultaneously, raise the issue to the program manager or someone who has visibility over multiple projects.

  • BPM within SOLMAN: Contacts maintenance

    Hello!
    I am about to set up BPM within SAP Solution Manager (SPS 25).
    By doing so I get the problem to add contacts.
    When I go to DSWP --> Solution Landscape Maintenance --> Contacts --> Contacts Maintenance
    no contacts can be added or chosen.
    Also from tcode solman_directory no Contacts can be added or chosen.
    Can someone help to solve this problem?
    I need BPM only for the monitoring of aborted jobs.
    Thank you very much!

    Hi
    Please look at section 4.2 in the below guide for contact maintenance: BPM setup guide (https://websmp102.sap-ag.de/~sapdownload/011000358700006137532006E/BPMon_Setup_Guide.pdf)
    and this guide (http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/97d2e8b3-0b01-0010-b787-b8ce558a51c2?quicklink=index&overridelayout=true) for background job monitoring.
    Jansi

  • Do your company use Retrofit function in ERP Landscape

    Hi Charm experts,
    I work in a vendor company and one of our customers plans to start using Retrofit during an ERP EhP upgrade project.
    We would both like to know whether someone has experience of how Retrofit works in the real world. If you are using Retrofit could you share your experience:
    - does it help when you do dual development maintenance
    - does it save time?
    - Have you got problems with it?
    - Do you recommend it to us?
    - Who will use Retrofit, developer?
    Thanks very much if you have time to write you experiences.
    Best Regards,
    Leena Nissilä

    Hi Nilanjan,
    I tried it in Default logic and also in UJKT. Did you successfully use this function before? If so, can you please explain how you used it?
    Thanks
    Sankar

  • Dual/ multi monitor

    I would like to see more options for dual monitor setups with Win7.  
    Here is my situation.  My primary monitor is 4:3 and my secondary monitor is widescreen.  I use the primary monitor for opening windows explorer and my secondary monitor for viewing.  When viewing movies, I like to set the secondary monitor to landscape mode and when viewing documents and browsing I like to set the monitor to portrait mode.  
    I've used ultramon with Vista but that has lots of problems.  Here is some stuff that I would like to see implemented.
    - Be able to make monitor/display profiles with shortcuts in the taskbar (to switch from single to dual, landscape vs profile). 
    - Create a move window button to move open window from one monitor to the other. 
    - Be able to use different wallpaper for each monitor, would be nice if it can be attached to display profiles. 

    Hello, there have been talks of Multi Monitor support by Microsoft.  For information as to what was said refer to this Blog entry.
    As for a list of the useful HotKeys check out this topic here.  They have quite a few of the new hotkeys listed there.
    Regards, ~Alex T.~
    ~Windows Desktop Experience MVP~

  • Solution Landscape: why Request Check-out button could get greyed out ?

    Hi,
    We are on SolMan 7.0, SP15, including Ent. Edition add on.
    In Solution Landscape maintenance, the Business Processes added to the solution (either directly or those borrowed from a Project) cannot be checked out to a maintenance project because the Request button is greyed out.
    A simplistic SU53 check did not come up with any authorisation problems.
    I am not able to switch on trace and take that route to detect now.
    Can you please suggest as to what could be the possible reasons for this to be greyed out; also, have you used the 'Adjust to Original' button to bring latest changes in Project to Solution Landscape ?
    Best regards,
    Srini

    Hi Rutger,
    Thanks for your kind reply.
    There is one problem - I am not able to see in my SolMan the 'tickbox' you have mentioned about.
    The only sub-sections I see in the Tab there are:
    (1) Monitoring
    (2) Knowledge Warehouse Information
    (3) Copy Criteria for Document
    (4) Session Languages
    (5) Assigned Maintenance Project
    If it's feasible for you, can you please let me have a look at your screenshot as to how the sections look like. I wonder if there is any component missing to be installed.
    Best wishes and thanks for your time.
    Srini
    Hi Rutger,
    Thanks for your pointer again. I got a screenshot from a different friend (on another SolMan instance). Came to know of where these check boxes should occur.
    Later, I found them in my instance too - the browsing scroll bar was the culprit. One had to go to the very bottom, move the scroll to the right extreme and then move further down. Really a silly mistake.
    But, without your help, I wouldn't have known that there were such check boxes in the first place
    Cheers,
    Srini
    Edited by: Srinivasan Radhakrishnan on Sep 17, 2008 11:47 AM

  • Solution landscape is  blank in DSWP.

    Our tech. person configure the Solman of IMG and following
    1) Configured one new solution with id, cust no, lang. etc.
    2) Maintained system land landscape in SMSY.
    3) LANDSCAPE components were -- server, db, systems, system components were created.
    4) Initial data transfer to IB52 was successful.
    When we go to DSWP, select solution, the next screen displays, on left side
    -- Solution overview, operation setup, operations buttons.
    But on right side nothing appears except blank white screen.
    Why items like solution land landscape, solution monitoring or
    service desk tabs or for that matter no tabs appears.
    What is missing?
    Any ideas pl.?

    Hey there Ragh,
      You need to go into the Solution Landscape Maintenance and 'activate' the respective systems before they will show up in the overall map (assuming that you have both assigned logical components to your landscape already and activated monitoring as per the manual for Solution Manager).
      In your landscape view - go to Operations Setup, then Solution Landscape Maintenance.  In the matrix of systems that are in the Landscape view, highlight the respective systems that you want monitored in the environment and hit the 'System' button (the one with the red and green ball in it).  The system icon should go green and now that system will show in your Solution Landscape.
      Question why this occurred?  You probably chose Production as the lead role and didn't have a production system in the logical component that you assigned.
      Let me know if that helped with your problem.  If you don't have any systems to 'activate' then this is another issue altogether.

  • Maintenance Optimizer in SAP Solution Manager

    What is Maintenance Optimizer in SAP Solution Manager and what are its benefits?

    Hi
    even this may be useful
    Ensure your Solution manager system is at the most recent Support Package Level, specifically ST 400 Patch 11, to reduce note application time
    Download from oss most recent step-by-step setup guide
    Oss note 1024932
    Oss Note 1008717 ( N/A )
    Relevant up to SP11 for Basis 700
    OSS Note 950975 support for IE7 ( N/A we are using GUI)
    Oss note 975510 – corrections for snote ( Via OSS not snote )
    Oss note 1004691 – corrections for snote *** Corrections for 975510 ( UP TO SAP_BASIS 11 ) N/A
    Common problem notes, but not critical for Maint Opt
    0998987: Maintenance Optimizer: Empty error messages
    1022072: Maintenance Optimizer: "No Data Available" message o See note 1025381 before applying 1022072.
    1020789: Maintenance Optimizer: Allow all systems to be selected
    1020802: Maintenance Optimizer List displays incomplete data
    1024105: Maintenance Optimizer: two "Cancel" buttons
    1025381: Maintenance Optimizer: Link to additional download files
    1029453: Maintenance Optimizer - Wrong status displayed
    1030405: Maintenance Optimizer: Browser opens in background
    1030498: Maintenance Optimizer - IBase is not active
    1032463: Maintenance Optimizer: Internet Explorer Script Error
    1042704: Maintenance Optimizer: Display only employee partners
    Partner Scenario SOLMAN4.0 Only
    Oss note 1021275 ( RFC Destinations ) N/A ST 400 11
    Oss Note: 997780 ( N/A we are at 11 use note 939897 for ST400 SP11 Application )
    Relevant for ST400 SP09 ( N/A ST 400 11 )
    User:
    To setup you must have SAP_ALL
    General Users: ( Oss note 1032322 )
    Must be assigned to role SAP_MAINT_OPT_ADMIN
    Auth Object: D_SOL_VSBL ( visibility of solutions)
    Auth Object: CRM_ORD_PR ( for CRM stuff )
    /spro
    As of Support Package level ST 400 SP10:
    Call Transaction SPRO -> SAP Reference IMG ->SAP Solution Manager -> Advanced Configuration -> Basic Settings -> SAP Solution Manager System -> Change Management -> Set Up Maintenance Optimizer
    This IMG activity refers to the SAP Note 990534: Solution Manager Maintenance Optimizer: BC Set. Follow the instructions in this SAP Note
    N/A as of ST400 SP11
    Define a Solution:
    Solution_Manager – Select Solution Overview – New.
    Enter Descriptive Name ( Ex. GTS Landscape )
    Hit Continue
    Select Solution Landscape Maintenance
    Select System Groups & Logical Components on the Left hand Side
    Select Solution Landscapes and pick the one you created
    Define the solutions for that landscape
    Highlight each item and click Logical Component (You must have a valid license to set this up)
    Assign S-User
    Transaction: AISUSER
    Enter your user id and your SUSER ID for downloading
    Create another SAPOSS Connection called SAP-OSS with S-User assigned
    Call SOLUTION_MANAGER
    Select Solution Overview
    Select the solution you want to work with
    Select – Change Management – Support Package Stacks
    Click Maintenance Optimizer around middle of screen
    Select the solution you want to get Sp’s for
    Go to OSS and add the files to download basket
    When done return to screen and hit continue
    Select - Confirm files in Download Basket
    Error message comes if your sap user and your oss user are not setup in AISUSER screen
    Now go to SAP Download Manager ( On your local pc ) and download the files you just confirmed – of course using the same S-User id you just added them to the basket with
    Apply support packages via spam per normal process
    Return to the SOLUTION_MANAGER window select the landscape you are working on
    Hit Maintenance Optimizer List
    Choose the maintenance transaction you are working on
    You will see a list of the confirmed and downloaded sp’s you selected
    Once you apply these to the system using SPAM you will change the status of implementation to Completed and Hit Save
    This completes this activity
    If you wish to do more work you will have to create a new transaction.
    Add A New Instance to Maintenance Optimizer
    Sign into Solution Manager
    Ensure new instance has valid license installed and logical clients assigned
    Select Landscape Components
    Right Click Systems
         Select Create new system with assistant
    Enter
    SID / Description / Product Type / Installation Number ( Get this from SLICENSE in system you are setting up )
    Next enter Sys # & Message Server and hit continue
    Next select Generate RFC Destinations & Assign Logical Components & Enter Client #
    I always get a problem saving since SLD is not setup – ignore and continue
    Highlight the system you just added under Systems – SAP Global Trade Services –
    Select Assignment to Logical Components
    Now add additional software such as Net weaver ABAP & JAVA if your primary setup was of another type ( ex. GTS )
    Highlight the system you wish to update under Systems and hit change
         Select Header Data
         Click Installed Product Versions
         In the product box add whatever you require for this system
         Select the version from the 2nd box and hit copy
    Ex. 
    If you cannot setup the trusted system here is a workaround:
    Create User in Target for Trusted System RFC from SM1
         User:      <Username>
         Pass:   <Pass>
         Type: Communication
    Use this when setting up the trusted connection, remove the trust and use this CPIC user info for the RFC.
    Generate RFC’s and ensure SMSY setup is done for SID in Solution manager
    Now Create a New Solution For your instance:
    Go to SOLUTION_MANAGER transaction
         Select NEW
         Give Descriptive name: ex. GTS Landscape
    Under Solution Landscape
         Select Solution Landscape Maintenance
         Select System Groups and Logical Components Tab
              Open Solution Landscapes
                   Select the one you just defined (GTS Landscape)
    SOLUTION_MANAGER
    Select Change Management – Support Package Stacks
    Select Maintenance Optimizer
    Select the Product Version
         GTS 7.1
    Select the System Type – SID
    From here you will be prompted to go to service marketplace and add the items you wish to install. You can do this beforehand as well, be sure to use the same Suser you setup in AISUSER with your sap login
    It will ask you to confirm the basket, once you do that you install them normally.
    Download with sap download manager, ftp and apply

  • Using Charm at cutover to handle deleted objects

    Hello experts,
    System landscape consists of a dual landscape, meaning one project landscape and one maintenance landscape.
    Project: D01>T01>Q01     ( no charm )
    Maint: DEV>QAS>PRD      ( charm is used )
    At project Go Live cutover is done from Project line Q01 to Maint DEV.
    All transports imported in Q01 are added manually to import queue of Maint DEV and imported.
    After that 1 WB request and 1 Cust. request is created via charm and all objects from the
    cutover transports imported are added to those charm transports. Then charm handles the
    transport process through the maint landscape up to production.
    Problem
    =======
    If cutover transports contain deletion of objects, the transports are imported to DEV maint, object is deleted.
    When including all objects from cutover transports into the two charm transports it will then of course fail during
    release of the transports on the deleted objects as they no longer exist in DEV maint. This is of course not a specific
    charm problem but a TMS problem. Or not even a problem, it is as it should be.
    Question
    ========
    Is there any way of handling this scenario, can charm in any way handle this ?
    Thanks,

    I checked the link you provided and that describes, as you say, a dual landscape but I don't think it will solve this problem.
    As I understand it, you set up the retrofit process one-way and that would be Maint DEV -->  Project DEV.
    That is all fine, keeping all changes done in maintenance landscape in sync with project landscape.
    But the cutover process is manual, as also the drawing states, meaning adding project landscape transports
    to Maint DEV system import queue and importing them. But if a transport contains objects with the delete flag it will be
    deleted in the Maint DEV system. All fine that far. But when you then include all cutover transports objects into a charm transport it will not check if object still exists in Maint DEV system ( which it does not anymore ), it will include everything that is part of the cutover transports. Meaning you include objects with delete flag on it. When you release this now in Maint DEV system what it does is to check if object exists in TADIR, it does not. You can fool this release process by manually creating an entry in TADIR, release the transport, then delete the entry in TADIR. But if you have cutover transports with many deletions, then this is not the way to go.
    So please explain how the retrofit procedure would help in the scenario at cutover and delete flag.
    Thanks.

  • Just what is the solution

    Apologies in advance for my lack of understanding in this area, I have read a fair amount but clearly not everything I need as I am still confused.
    The landscape is something like this
    8 ECC6 systems for mainly HR work
    8 SRM 4 systems
    8 PI systems (dual)
    8 EP systems
    8 CRM ECC systems
    8 CRM EP systems
    8 CRM systems
    4 PI system (hopefully 6 soon)
    2 Solman
    2 CCMS
    2 NWDI
    The 8 systems consist of
    Dev,QA, pre prod and prod as a maintenance track 
    Dev and QA systems for project
    2 training systems
    I want to set up my solution(s) to suit both Operations and Project IMG.
    I have read advice from people and they tend to fall into the following conflicting areas
    1. You should not have more than 10 systems in a solution due to performance
    2. You should have your solution across your components for project work
    3.  You should have each component in its own solution for operations
    Can someone please advise me of the correct solution(s) for my solution manager.

    Hi Graham,
    I have seen solutions with 100 systems in it. However, performance can be an issue with such big solutions. You should first of all put each tuple of 8 systems into one logical component. You will have 11 logical components at last. Now you must decide if you want to have monitoring and EWA for all systems or just for productive systems. If you need this only for productive systems, then create one solution with all logical components. Monitoring will be done only for production systems by default which is 11 systems. In this solution you can also setup Business Process Monitoring which you will do only in productive systems. This solution will have a very good performance and you will have all systems available still for your work in the process structure. If you need to monitor them all I would suggest to create additionally to the first solution which contains your processes one solution for monitoring and EWA per product family and activate all systems with right clicking in the grid in the system landscape maintenance screen. For solman CCMS and NWDI I would define one solution.
    Regards
    Andreas

  • Testing general help

    Hi Gurus,
    I am soon going to start testing on an SAP upgrade project. What's the best way to get myself prepared for the same? I am currently studying the client's Business processes, however there are just too many docs and these are getting me confused. Also I am concerned that all this time studying the docs is not wasted. If you have been in a similar situation before, please let me know how do you go about it. Testing will be Functional + integration.

    hi dave,
    pls see the below matter i think it gives you a solution.
    SAP R/3
    Security Upgrades
    1. Overview
    The purpose of this document is to provide additional information that could be helpful with SAP Security upgrades, especially pertaining to 4.6C.
    This document is not aimed at replacing the SAP Authorizations Made Easy guidebook’s procedures, but rather to complement these based on lessons learnt from previous upgrade projects. 
    It is focused mainly on upgrades from 3.1x to 4.6x and covers the following:
    · Evaluation of the Security Upgrade approaches;
    · “Gotchas” to watch out for with SAP’s SU25 utility;
    · Transactions and authorizations that require special attention; and
    · Helpful reports, transactions, hints and tables to know.
    It is highly recommended that you review the chapter on upgrades in the Authorizations Made Easy guide before attempting the security upgrade.
    See OSS note 39267 for information on obtaining the Guide, or visit SAPLabs’ website at: http://wwwtech.saplabs.com/guidebooks/
    2. Security upgrade objectives, process and approaches
    2.1. Objectives
    There are a couple of objectives for having to upgrade the SAP Security infrastructure:
    · Converting manual profiles created via SU02 to activity groups, as SAP recommends the use of Profile Generator (PFCG) for the maintenance of profiles;
    · Adding new transactions representing additional functionality to the applicable activity groups;
    · Adding the replacement transactions that aim at substituting obsolete or old-version transactions, including the new Enjoy transactions;
    · Adjusting the new authorization objects that SAP added for the new release; and
    · Ensuring that all existing reports, transactions and authorizations still function as expected in the new release of SAP.
    2.2. Overview of the Security upgrade process
    Once the Development system has been upgraded to 4.6, the security team will need to perform the following steps as part of the Security Upgrade:
    · Convert Report Trees to Area Menus;
    · Review users (via SU01) to check for any new or changed fields on the user masters;
    · Convert manual profiles created via SU02 to Activity Groups (See Approaches below);
    · Compare SU24 customer settings to new SAP default settings (SU25 steps 2A-2C);
    · Determine which new / replacement transactions have to be added to which activity groups (SU25 step 2D);
    · Transport the newly-filled tables USOBT_C and USOBX_C that contain the SU24 settings you’ve made (SU25 step 3); and
    · Remove user assignments to the manual profiles.
    2.3. Approaches to convert manual profiles to Activity Groups:
    2.3.1. Approach #1: SAP’s standard utility SU25
    SAP provides a utility for converting Manual Profiles to Activity Groups and to identify the new and replacement transactions that need to be added to each activity group.
    You can access this utility by typing “SU25” in the command box.
    If you do decide to use SU25 Step 6 to convert the Manual profiles to activity groups, you will need to watch out for the following “gotchas”:
    Naming convention (T_500yyyyy_previous name)
    All activity groups created before SU25 is run, are renamed to T_500yyyyy_previous name. 
    See OSS note 156196 for additional information and procedures to rename the activity groups back to their original names using program ZPRGN_COPY_T_RY_ARGS.  Carefully review information regarding the loss of links between profiles and user master records.
    Transaction Ranges
    Ranges of transactions are not always added correctly to the newly-created activity groups. Some of the transactions in the middle of the range are occasionally left off.  E.g. you have a transaction range of VA01 – VA04 for a specific manual profile.  After SU25 conversion, the new Activity Group only contains VA01 and VA04.  Transactions VA02 and VA03 were not added.
    It is important that a complete download of table UST12 is done prior to running SU25.  Once SU25 has been run, a new download of UST12 can be done to identify which transactions have been dropped off.
    The missing transaction codes will need to be added manually to the relevant activity group via PFCG.
    Missed “new” transactions
    The output of one of the steps in SU25 is a list of the new replacement transactions (e.g. Enjoy transactions) that need to be added per activity group.  E.g. transaction ME21N replaces ME21.  The list will identify each activity group that has ME21 where ME21N needs to be added to.
    In some cases SU25 does not identify all new transactions to be added.
    2.3.2.      Approach #2: Manual reconstruction of Profiles as Roles (Activity Groups)
    An alternative approach to SU25 is to manually create an activity group for each manual profile that was created via SU02.
    The advantage of this approach is that you won’t have any missing transactions that were “dropped off” with the SU25 conversion.  
    3.      Items requiring special attention
    3.1.   Authorizations
    Several new authorization objects have been added with release 4.6. Care should be taken when adjusting authorizations – carefully review all new defaults that were brought in. These are indicated by a Yellow or Red traffic light in PFCG.
    It is highly recommended that you first check the previous settings where new defaults were brought in, before just accepting the new defaults.  You can either use the existing 3.1x Production system or the UST12 and/or USOBT_C tables as reference.
    3.2.   ‘*’ in S_TCODE
    It’s recommended that all activity groups containing an ‘*’ in authorization object s_tcode are recreated via PFCG by selecting only those transactions required for that role.  Also, if you did previously add transactions to an activity group by manipulating the s_tcode authorization entries, it is recommended that the transactions are pertinently selected/added on the Menu tab. The object s_tcode should be returned to its ‘Standard’ status.
    3.3.   Report Trees
    Report Trees need to be converted to Area Menus using transaction RTTREE_MIGRATION.
    3.4.   ABAP Query reports
    Reports created by ABAP Query need to be added either to the activity group (Menu tab) or to an Area menu to ensure an authorization check on s_tcode level.
    3.5.   S_RFC
    The use of an authorization object for Remote Function Calls (RFC) was introduced to provide authorization checks for BAPI calls, etc. Authorization object s_rfc provides access based on the Function Group (each RFC belongs to a Function Group). Due to the potential prevalent use of RFC’s within the R/3 system, SAP has provided the ability to change the checks for this object via parameter auth/rfc_authority_check. It is possible to deactivate the checking of this object completely. However it is recommended to rather set the values as required, which makes testing even more important! 
    3.6.   Custom tables and views
    Custom views and tables that are customarily maintained via SM30, SM31,etc. will need to be added to an authorization group.  This can be done via transaction SE54 or SUCU or by maintaining table TDDAT via SM31.
    3.7.   User menus versus SAP menu
    A decision needs to be made once the first system has been upgraded to 4.6x as to whether the user menus or the SAP menu, or both are to be used.
    Most users find the new user menus confusing and unfamiliar due to duplication of transactions, etc. (if a user has more than one activity group and the same transaction appears in several, the transaction will appear multiple times). The majority of upgrades from my experience have opted to use a modified copy of the SAP menu by adding their own area menus (converted report trees).
    3.8.   Re-linking of user master records to profiles
    If you do not maintain the user masters in the same client as the activity groups, you will need to establish a strategy for re-linking the users in the QA and Productive environments when transporting the activity groups as part of the upgrade cutover. This might also be necessary depending on whether you decided to rename the Activity groups per OSS note 156196.
    Remember to thoroughly test and document all procedures and CATT scripts prior to the Production cutover.
    3.9.   Dual-maintenance
    With most current upgrades, the upgrade process will be tested on a separate environment set aside from the existing landscape. In a lot of cases a dual-landscape will be implemented where the existing landscape is complemented with an additional 4.6x test client(s).   The new 4.6x clients usually become part of the permanent landscape once the Production system has been cut over and all changes are then sourced from these ‘new’ Development and/or QA systems.
    It is imperative that all interim security-related changes are applied to both sets of systems to ensure that the ‘new’ 4.6x development source system is current with all changes that were made as part of Production support in the ‘old’ version landscape.  If not, you will have changes that were taken to Production when it was still on the older release, but are now missing after the switch is made to the 4.6x systems.
    It is thus advisable to keep changes during the upgrade project to a minimum.
    3.10. Transport of activity groups
    Changes to activity groups are not automatically recorded in 4.6x. When an activity group needs to be transported, it needs to be explicitly assigned to a change request via PFCG.
    SAP recommends that you first complete all the changes to an activity group, before you assign it to a transport request.   Once you’ve assigned the activity group to a request, do not make any further changes to it.
    You can also do a mass transport of activity groups via PFCG > Environment > Mass Transport.
    If you want to transport the deletion of an activity group, you first have to assign the activity group to a transport request before performing the deletion via PFCG.
    3.11. Client copies
    The profiles used for creating client copies have been changed, especially profile SAP_USER from 4.5 onwards. Activity groups are seen as customizing and the SAP_USER profile copies both user masters and activity groups.
    It’s recommended that the client copy profiles are carefully reviewed before the copy is performed.
    See OSS note 24853 for additional information on client copies.
    3.12. SU24
    Changes to check indicators that were made via SU24 might have to be redone as part of the upgrade.  Ensure that any resulting transport requests are noted and included in the detailed cutover plan.
    Check indicator changes done via SU24 will need to be applied for any new and replacement transactions.
    3.13. Composite Activity Groups
    Composite activity groups can be built in release 4.6x using individual activity groups.  A composite activity group does not contain any authorizations, but is merely a collection of individual activity groups.
    3.14. Central User Administration
    Central User Administration (CUA) simplifies user administration, allowing security administrators to maintain users in a single central client only.  The user masters are then distributed to other clients using ALE.  It is recommended that CUA is implemented post-upgrade and once the systems have been stabilized.  Carefully review OSS notes and the impact on the existing landscape, client copy procedures, etc. prior to implementing CUA.  It is recommended that the upgrade is kept as simple as possible – there are going to be plenty of opportunities to test your problem-solving skills without complicating the setup with new utilities!
    See Authorizations Made Easy guide for information on setting up CUA.
    See OSS notes 333441 and 159885 for additional information.
    4.      Additional tips
    4.1.               OSS and Release Notes
    Review all security-related OSS and Release notes related to upgrades and to the release you’ll be upgrading to, prior to the upgrade.  It’s useful to review these before you define your workplan, in case you have to cater for any unforeseen issues or changes.
    4.2.               Workplan
    Given the amount of work and number of steps involved in the security upgrade, it is recommended that a detailed Workplan is defined at the startup of the upgrade project.  Key milestones from the security workplan should be integrated and tracked as part of the overall Upgrade Plan.
    Clear ownership of activities, including conversion of Report Trees, needs to be established.  This function is often performed by the Development team.
    4.3.               Standards and Procedures
    Naming conventions and standard procedures should be established before the manual profiles are reconstructed as activity groups.  Each team member should know how the new activity groups should be named to ensure consistency. Other standard practices for the construction of the activity groups should include:
    ·        Transactions are added via the Menu tab and not by manipulating s_tcode.
    ·        Ideally, no end users should have access to SE38, SA38, SE16 nor SE17. 
    Remember to keep Internal Audit involved where decisions need to be made regarding the segregation of job functions or changes to current authorizations are requested or brought in with new authorization objects / defaults.
    4.4.               Testing
    4.4.1.      Resources for testing
    Enough resources should be allocated to the security upgrade process as each activity group and profile will require work to some degree or the other.  It is important that key users and functional resources are involved in testing the activity groups and that this effort is catered for in the Upgrade Project plan.  Clear ownership of each activity group should be established not only for testing purposes, but also for ongoing support and approval of changes.  Ideally, the ownership and approval of changes should reside with different resources (i.e. the person requesting the addition of a transaction or authorization should not be the same person responsible for approving the request).
    4.4.2.      Test Plan
    The security team should also establish testing objectives (whether each transaction being used in Production should be tested, whether each activity group should be tested with a representative ID, etc.). 
    A detailed test plan should then be established based on the approach, to ensure each person responsible for testing knows what s/he should be testing, what the objective(s) of the test is and how to report the status of each test.  Both positive (user can do his/her job functions) and negative (user can’t perform any unauthorized functions) testing should be performed.
    The Reverse Business Engineering (RBE) tool is very useful in identifying which transactions are actually being used in Production.  This can assist with focusing on which transactions to test.
    The importance of testing all used transactions individually and as part of role-testing cannot be stressed enough.  TEST,TEST,TEST!
    Every menu option, button, icon and available functions for all critical transactions need to be checked and tested.  There are some instances where icons are grayed out or don’t even appear for certain users, due to limited authorizations.  The only way these types of issues can be identified is through thorough testing.
    4.5.               Issue Management (tracking and resolution)
    Due to the number of users potentially impacted by issues / changes to a single activity group, a perception can quickly be created that the security upgrade was unsuccessful or the cause of many post GoLive issues.
    It is therefore recommended that an issues log is established to track and ensure resolution of issues.  The log should ideally also contain a description of the resolution, to aid with similar problems on other activity groups. 
    This log will be helpful during the entire upgrade process, especially where more than one resource is working the same set of activity groups, so set it up at the beginning of upgrade project!  You can also use this for a ‘lessons learnt’ document for the next upgrade.
    4.6.               Status reporting
    The security upgrade forms an integral part of the overall upgrade given the sensitivity and frustration security issues could cause.  It is important that key milestones for the security upgrade are tracked and reported on to ensure a smooth and on-time cutover.
    4.7.               Detailed cutover plan
    The detailed cutover plan differs from the overall security workplan, in that the detailed plan outlines the exact steps to be taken during each system’s upgrade itself.  This should include:
    ·        Transport request numbers,
    ·        Download of security tables prior to the upgrade, especially UST12, USOBT_C and USOBX_C,
    ·        A backup and restore plan, (e.g. temporary group of activity groups for critical functions),
    ·        The relinking of user master records, with details on any CATT scripts, etc. that might be used,
    ·        User comparison, etc. 
    The security team needs to ensure that enough time is allocated for each action item and that this time is built into the overall cutover plan.   The project manager is usually expected to give an indication to end users and key stakeholders as to when the Productive system will be unavailable during its cutover to the new release.  This downtime should thus incorporate time required to perform user master comparisons, unlocking of ID’s and all other action items.
    4.8.               Project team access
    The SAP_NEW profile can temporarily be assigned to project team members to provide interim access to the new authorization objects. This provides the security team the opportunity to convert and adjust the IS team’s activity groups.  It also eliminates frustration on the functional team’s side when configuring and testing new transactions, etc.
    4.9.               Training and new functionality
    Some support team members (e.g. Help Desk members responsible for reset of user passwords, etc.) might require training and/or documentation on the changed screens of SU01, etc.
    It is recommended that a basic Navigation & Settings training module is created for all SAP users and should cover the use of Favorites, etc.
    The security team should also review Profile Generator in detail, as several new functions have been added (e.g. download/upload of activity groups, etc.).  Remember to review all the different icons, menu options and settings on the authorizations tab, etc.
    Lastly, if your company / project does use HR as related to security (activity groups and users assigned to positions / jobs), ensure that you become acquainted with the new enjoy transactions, e.g. PPOMW.
    4.10.           SU53
    A new function with SU53 is the ability to display another user’s SU53 results.   (Click on the ‘other user’ button and enter the person’s SAP ID).
    4.11.           Post Go-live
    Remember to establish a support roster, including after hours for critical batch processes, to ensure security-related issues are resolved in a timely fashion.
    Dumps should be checked regularly (Objects s_rfc and s_c_funct like making appearances in dumps) for any authorizations-related issues.  Transaction ST22 can be used to review dumps for that day and the previous day.
    Avoid transporting activity groups at peak times, as the generation of activity groups can cause momentary loss of authorizations.  It’s recommended that a roster for activity group transport and mass user comparison be reviewed with the project manager prior to the upgrade.  Exceptions should be handled on an individual basis and the potential impact identified, based on number and type of users, batch jobs in progress, etc. 
    And, don’t forget to keep on tracking all issues and documenting the resolutions for future reference.
    5.      Helpful reports, transactions and tables
    5.1.               Reports and Programs
    ·           RTTREE_MIGRATION: Conversion of Report Trees to Area Menus
    ·           PFCG_TIME_DEPENDENCY: user master comparison (background)
    ·           RSUSR* reports (use SE38 and do a possible-values list for RSUSR* to see all available security reports), including:
                ·     RSUSR002 – display users according to complex search criteria
                ·     RSUSR010 – Transactions that can be executed by users, with Profile or Authorization
                ·     RSUSR070 – Activity groups by complex search criteria
                ·     RSUSR100 – Changes made to user masters
                ·     RSUSR101 – Changes made to Profiles
                ·     RSUSR102 – Changes made to Authorizations
                ·     RSUSR200 – Users according to logon date and password change, locked users.
    5.2.               Transactions
    ·           SUIM : various handy reports
    ·           SU10 : Mass user changes
    ·           PFCG: Profile Generator
    ·           PFUD: User master comparison
    ·           SU01: User master maintenance
    ·           ST01: System trace
    ·           ST22: ABAP dumps
    ·           SUCU / SE54: Maintain authorization groups for tables / views
    ·           PPOMW: Enjoy transaction to maintain the HR organizational plan
    ·           PO10: Expert maintenance of Organizational Units and related relationships
    ·           PO13: Expert maintenance of Positions and related relationships
    ·           STAT: System statistics, including which tcodes are being used by which users
    5.3.               Tables
    Table: Use
    ·           UST12: Authorizations and Tcodes per Profile
    ·           UST04: Assignment of users to Profiles
    ·           AGR_USERS: Assignment of roles to users
    ·           USOBT_C: Authorizations associated with a transaction
    ·           USR02: Last logon date, locked ID’s
    ·           AGR_TCODES: Assignment of roles to Tcodes (4.6 tcodes)
    ·           USH02: Change history for users (e.g. who last changed users via SU01)
    ·           USH04: Display history of who made changes to which User Ids
    ·           USR40: Non-permitted passwords
    I am also providing the URL of the SAP upgrade guide. Please check it out.
    www.thespot4sap.com/upgrade_guide_v2.pdf
    Reward me points if it helps you.
    thanks
    karthik
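
Added example, not part of the post above and not SAP code: one way to carry out the UST12 before/after comparison from the "Transaction Ranges" gotcha, run offline on table downloads. The CSV layout (OBJCT, AUTH, FIELD, VON, BIS), the old-to-new authorization mapping, the transaction list and all sample rows are assumptions constructed for illustration, and ranges are compared lexicographically as a simplification.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed UST12 download taken before SU25 (assumed columns).
BEFORE = """OBJCT,AUTH,FIELD,VON,BIS
S_TCODE,Z_SALES,TCD,VA01,VA04
S_TCODE,Z_SALES,TCD,VL03,
S_TCODE,Z_PURCH,TCD,ME2*,
F_BKPF_BUK,Z_FIN,BUKRS,1000,
"""
# Constructed UST12 download taken after SU25: the VA01-VA04 range lost its middle.
AFTER = """OBJCT,AUTH,FIELD,VON,BIS
S_TCODE,T_SALES_NEW,TCD,VA01,
S_TCODE,T_SALES_NEW,TCD,VA04,
S_TCODE,T_SALES_NEW,TCD,VL03,
S_TCODE,T_PURCH_NEW,TCD,ME21,
S_TCODE,T_PURCH_NEW,TCD,ME21N,
S_TCODE,T_PURCH_NEW,TCD,ME22,
S_TCODE,T_PURCH_NEW,TCD,ME23,
"""
# Hypothetical mapping: old manual authorization -> authorization of the new activity group.
AUTH_MAP = {"Z_SALES": "T_SALES_NEW", "Z_PURCH": "T_PURCH_NEW"}
# Constructed list of transaction codes that exist in the system.
KNOWN_TCODES = ["ME21", "ME21N", "ME22", "ME23", "VA01", "VA02", "VA03", "VA04", "VL03"]


def load_tcd_values(text):
    """Return {AUTH: [(VON, BIS), ...]} for S_TCODE / TCD rows only."""
    grants = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["OBJCT"] == "S_TCODE" and row["FIELD"] == "TCD":
            pair = (row["VON"].strip(), row["BIS"].strip())
            grants.setdefault(row["AUTH"], []).append(pair)
    return grants


def covered(tcode, values):
    """True if tcode falls in any range, wildcard pattern or single value."""
    for low, high in values:
        if high:
            if low <= tcode <= high:  # range entry, e.g. VA01 - VA04
                return True
        elif fnmatchcase(tcode, low):  # single value or pattern such as ME2*
            return True
    return False


def expand(values, known):
    """Resolve ranges and patterns to the concrete transaction codes they grant."""
    return {t for t in known if covered(t, values)}


def dropped_tcodes(before_text, after_text, auth_map, known):
    """Per old authorization, list transactions granted before but not after."""
    before, after = load_tcd_values(before_text), load_tcd_values(after_text)
    report = {}
    for old_auth, values in before.items():
        new_auth = auth_map.get(old_auth)  # unmapped: everything counts as dropped
        has = expand(after.get(new_auth, []), known) if new_auth else set()
        missing = sorted(expand(values, known) - has)
        if missing:
            report[old_auth] = missing
    return report


if __name__ == "__main__":
    for auth, tcodes in dropped_tcodes(BEFORE, AFTER, AUTH_MAP, KNOWN_TCODES).items():
        print(f"{auth}: add manually via PFCG -> {', '.join(tcodes)}")
```

Expanding against the list of existing transactions is what exposes a range entry that was converted into only its two endpoints; a plain line-by-line diff of the two downloads would not show it.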
