I am new to SAP applications. We are at v.3.1 I_com and 3.1 H o/s and functionality. Now I would like to upgrade to v. 4.6. I have heard that the security is very different between the two versions, so can you give me some insight into what the differences are and how best I can make the transition without causing much pain for the users? Any suggested reading material would be greatly appreciated.
Sure, there are two big issues between the two. Technically, 4.6x versions have entirely new table structures and program code around how Roles and associated profiles are created, maintained and assigned. The 4.6x version introduces a menu structure that can be associated with each role, providing the basis for the assigned user's interface when logging in. Additionally, there are now composite roles, and the ability to link file folders, HTML addresses, and a number of other options to the role itself.
Philosophically, most 3.1x implementations did not focus on security, the focus was on implementing SAP and security got in the way. As a result, many implementations did not take advantage of the S_TCODE object that was introduced in version 3.1G. This choice means that many companies are secured using the authorization objects only, rather than identifying specific transactions for each profile. This dilemma creates considerable complications when auditing the system, ensuring appropriate controls and (most of all) upgrading to a 4.x version. Though it is not technically required to have Transaction code based security in versions 4.x, it is strongly recommended and ideal. In future versions of SAP (Portals and New Dimension) the reliance on menu-driven roles and transaction-based security will be paramount.