Authorization Roles Be Updated with New Authorization Objects Using SU25?
A Jithendra Prasad
Certified SAP Security Consultant | SAP Security | Hana security | Fiori security | GRC Access Control | SAP BTP security | Identity Access Governance (IAG)
Why do we need to upgrade our SAP System?
The reason to upgrade the SAP system should be driven by “Business Needs”. Business should be well aware of the reasons why they need to upgrade their systems. It should know if the new release brings “desired functionalities”. This information can be found in the release note for the specific release. Care should be taken while upgrading the system because if the upgrade fails, it can affect business operations.
Let us discuss the SU25 steps for the SAP Security upgrade:
SU25 is a transaction code (T-code) that is executed during the initial implementation of SAP and each time an upgrade takes place. The transaction has 6 different steps, not all of which need to be executed each time SU25 is used. We will discuss these steps and when each of them needs to be executed. The steps populate the customer tables of the Profile Generator the first time the Profile Generator is used, or update the customer tables after an upgrade (to update the check indicators and field values of SU24). The screenshot below shows the steps of SU25:
Step 1: Initially fill the customer tables – This step is used if the SU24 customer tables (USOBT_C and USOBX_C) need to be filled with SAP default values from the tables USOBT and USOBX. This is generally done when you use Profile Generator for the first time or when you want to overwrite SU24’s check indicator and field values with SAP default values.
Steps 2A to 2D of SU25 are executed if you have used the Profile Generator in an earlier release and you want to compare data with the new SAP default values after an upgrade.
Step 2: Post-processing the settings after upgrading to a higher release:
SU25 is a transaction code that is used during the initial implementation of an SAP system and for every subsequent upgrade. This transaction code consists of six different steps, but you do not have to process all of them. We focus exclusively on steps 2A through 2C, as shown in the screenshot above:
When you execute step 2A, the SAP S/4HANA default authorization values are written to the SAP tables USOBT and USOBX. You then transfer the contents of these tables to the aforementioned custom tables USOBT_C and USOBX_C. To do so, you execute step 2B, which compares the standard SAP tables with the custom tables.
A red light indicates transactions maintained with different authorization objects in the ERP system. This view enables you to analyze deviations and edit them as needed.
Step 2C serves to identify the roles that are affected by the default authorization values you changed in the previous step. Here, SU25 shows you the roles that have to be merged again with the new authorization objects. In expert mode “Read old status and merge with new data”, you can load the correct default values, as long as the transactions were added to the menu when the roles were created.
Please note that roles with deleted authorization objects receive new objects automatically after merging. You should set these objects to “Inactive”. Your roles now have the correct objects at the authorization object level.
However, the conversion to SAP S/4HANA not only requires changes to authorization objects, but also changes at the transaction level, which you can display by executing step 2D. Since this report does not take all modifications into account, we also recommend examining the table PRGN_CORR2.
Step 2D: Display changed transaction codes – This step creates a list of all roles that contain transactions replaced by one or more other transactions. The list includes the old and new transaction codes. You can replace the transactions in the roles as needed. Double-click an entry in the list to go to the role.
Step 3: Transport the customer tables – This step of SU25 is used for transporting the changes made in Steps 1, 2A and 2B. The complete customer tables are transported.
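The cross-check recommended for step 2D can also be run offline against table exports. The following is an added example, not part of the original article or of SAP's own code: it reads a CSV export of PRGN_CORR2 and a CSV export of role menu transactions, then lists each role that still contains a replaced transaction together with the successors missing from that role. The CSV column names (`old_tcode`, `new_tcode`, `role`, `tcode`), the role names and all transaction codes are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (for example, table downloads saved as CSV).
# Column names are assumptions for this example; rename them to match your export.
PRGN_CORR2_CSV = """old_tcode,new_tcode
ZOLD01,ZNEW01
ZOLD02,ZNEW02A
ZOLD02,ZNEW02B
"""

ROLE_MENU_CSV = """role,tcode
Z_SALES_CLERK,ZOLD01
Z_SALES_CLERK,ZKEEP1
Z_AP_ACCOUNTANT,ZOLD02
Z_AP_ACCOUNTANT,ZNEW02A
Z_DISPLAY_ONLY,ZKEEP1
"""


def load_replacements(text):
    """Map each old transaction code to the sorted list of its successors."""
    mapping = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        old, new = row["old_tcode"].strip().upper(), row["new_tcode"].strip().upper()
        if old and new and old != new:  # skip empty or self-referencing rows
            mapping[old].add(new)
    return {old: sorted(new) for old, new in mapping.items()}


def roles_to_rework(role_menu_text, replacements):
    """Return {role: [(old_tcode, successors, successors_not_yet_in_role)]}."""
    menus = defaultdict(set)
    for row in csv.DictReader(io.StringIO(role_menu_text)):
        menus[row["role"].strip()].add(row["tcode"].strip().upper())
    findings = {}
    for role, tcodes in sorted(menus.items()):
        hits = [(old, replacements[old],
                 [n for n in replacements[old] if n not in tcodes])
                for old in sorted(tcodes & set(replacements))]
        if hits:
            findings[role] = hits
    return findings


if __name__ == "__main__":
    report = roles_to_rework(ROLE_MENU_CSV, load_replacements(PRGN_CORR2_CSV))
    for role, hits in report.items():
        print(role, hits)
```

A role that lists an old transaction with no missing successors still needs review, because the old entry remains in its menu.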