Switchable Authorization Check Security patches – implementation process

As you may know, implementing SAP Security Notes for ABAP systems sometimes requires manual activities. The recently released Note 2252568, “Switchable authorization checks for RFC in Internet Service”, is an example of such a patch. Let’s follow the implementation process.

We will use SAP Solution Manager 7.2 with BBPCRM Release 713 level 0009.

1. First, upload the Note into SAP CRM. It can be done in 2 ways:

  • Upload a Note manually. Log in to the SAP Launchpad using your credentials. To find the required SAP Note, use the search functionality and then press the “Download for SNOTE” button.

    The ZIP file will be downloaded. Unzip it (the extracted file has a txt extension). Log into the SAP system, call the SNOTE transaction, and in the GOTO tab choose “Upload SAP Note”. Then, in the window that appears, select the file and grant permission to access it.

    The note is downloaded.

  • Download via the SNOTE transaction (if Remote Service Connections on SAP Support Portal is configured). To do so, log into the SAP system, run the transaction SNOTE, and click “Download SAP Note” on the GOTO tab.

    In the window that appears enter the SAP Note number (2252568 or 0002252568) and press Execute. The Note will be downloaded automatically.

2. The downloaded Note will appear under the NEW category.

Double-click the Note to read its content.

To implement the note, press SAP Note Display and choose the “Implement SAP Note” option.

3. Some notes may require the implementation of additional notes. If Remote Service Connections on SAP Support Portal is configured in your system, additional notes will be downloaded automatically; otherwise, you should download them (as described above). Such a window can appear several times (depending on the number of required Notes).

4. Additional notes can also require manual activity.

After clicking on “Implement All Instructions Correction Together”, a warning window appears to inform you that manual action is required. If the manual actions are complete, press “YES” and go to step 6.

Manual activation

All manual actions are described in the SAP Note, or you can find the instructions in the Correction window. Now we will log into the system under the current user or another one.

Step 1.1 To create authorization scenario definition, run the transaction SACF and check if the “CRM_ICSS_1” scenario definition exists. If it doesn’t exist, run SACF_TRANSFER transaction, select radio button “Upload”, select work area “Scenario Definition”, deselect work area “Productive Scenarios”, deselect “Test Mode”, and execute (F8). Then choose the file “CRM_ICSS_1.txt” and confirm upload.

Assign the scenario definition “CRM_ICSS_1.txt” to development package “CRM_ICSS”.

After that, the system will require creating or adding a transport request. You can either create a new transport request or add it to an existing one.

Check if the scenario upload has worked.

Step 1.2 To create the authorization scenario definition in older support packages, repeat all the actions described in step 1.1 for CRM_ICSS_CR_1.

After all the manual actions are complete, use the SACF transaction to ensure that the scenario is uploaded.

Step 2 To create the productive authorization scenario from the scenario definition, run the transaction SACF, select “Scenario Definition”, select the “Scenario Name” described above (CRM_ICSS_1 and CRM_ICSS_CR_1), and execute (F8).

Double-click the scenario definition and press the button “Scenario” (or press F5) to transfer the scenario definition to a productive scenario.

As the Note allows choosing the scenario status, for CRM_ICSS_1 use the status “Active”, and for CRM_ICSS_CR_1 the status “Logging”. The Transport Request prompt also appears here; you can reuse the request used before.

Using report RSAU_SELECT_EVENTS, identify the users that require the authorizations. Analyze message IDs DUO (Authorization check on object &A in scenario &B successful) and DUP (Authorization check on object &A in scenario &B failed).

Step 3 Ensure that Security Audit Logging is activated and the required users are provided with the authorization checks in accordance with the new authorization scenario. The manual can be found in the SAP Note.
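The DUO/DUP analysis described above can be scripted once the selected events are exported to a text file. The following is an added example, not part of the SAP Note or the original article: it tallies successful and failed checks per user, scenario and object, and lists the users with failed checks in a given scenario. The semicolon-separated layout, column names, user names and the object name Z_OBJ_A are constructed assumptions, not the real RSAU_SELECT_EVENTS output format.

```python
import csv
import io
import re
from collections import defaultdict

# Message texts as quoted above: &A is the authorization object, &B the scenario.
MSG_RE = re.compile(r"Authorization check on object (\S+) in scenario (\S+) (successful|failed)$")
RESULT_FOR_ID = {"DUO": "successful", "DUP": "failed"}

# Constructed sample. The semicolon layout, column names, users and the object
# name Z_OBJ_A are assumptions, not the real RSAU_SELECT_EVENTS output format.
SAMPLE_EXPORT = """\
date;time;user;msgid;text
2016-03-01;09:12:44;JSMITH;DUP;Authorization check on object Z_OBJ_A in scenario CRM_ICSS_CR_1 failed
2016-03-01;09:13:02;jsmith;DUP;Authorization check on object Z_OBJ_A in scenario CRM_ICSS_CR_1 failed
2016-03-01;09:15:10;MBROWN;DUO;Authorization check on object Z_OBJ_A in scenario CRM_ICSS_CR_1 successful
2016-03-01;09:20:31;RFC_ICSS;DUP;Authorization check on object Z_OBJ_A in scenario CRM_ICSS_CR_1 failed
2016-03-01;09:21:00;MBROWN;XX0;Unrelated event (constructed)
2016-03-01;09:22:00;JSMITH;DUO;Authorization check on object Z_OBJ_A in scenario CRM_ICSS_1 successful
2016-03-01;09:23:00;MBROWN;DUP;Authorization check on object Z_OBJ_A in scen
"""

def tally_checks(export_text):
    """Count DUO/DUP events per (user, scenario, object); skip everything else."""
    counts = defaultdict(lambda: {"DUO": 0, "DUP": 0})
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        msgid = (row.get("msgid") or "").strip().upper()
        match = MSG_RE.search((row.get("text") or "").strip())
        # Ignore other message IDs, truncated texts and ID/text mismatches.
        if msgid not in RESULT_FOR_ID or not match or match[3] != RESULT_FOR_ID[msgid]:
            continue
        user = (row.get("user") or "").strip().upper()
        counts[(user, match[2], match[1])][msgid] += 1
    return counts

def users_requiring_authorization(export_text, scenario):
    """Return sorted (user, object, failed_count) for users with DUP events in a scenario."""
    return sorted(
        (user, obj, c["DUP"])
        for (user, scen, obj), c in tally_checks(export_text).items()
        if scen == scenario and c["DUP"] > 0
    )

if __name__ == "__main__":
    for user, obj, failed in users_requiring_authorization(SAMPLE_EXPORT, "CRM_ICSS_CR_1"):
        print(f"{user}: {failed} failed check(s) on {obj}")
```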

After you confirm that the Note is implemented, 2 change notifications are displayed: the first about changed and inactive objects and the second about changed authorization objects.

Then a window appears in which you should confirm that the manual actions were done. Select the “Confirmed” checkbox and press the check mark button.

Now the Note status is “Completely implemented”.
