Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SU24 - Changing SU24 after many years.

Go to solution
Former Member

‎02-01-2010 11:29 PM

0 Kudos

Hello SAP Security Gurus,

We have never maintained SU24 in our systems (more than 10 years). Currently we have a requirement to update or maintain a custom auth object against standard HR transactions. Please let us know what are the implications of this change. Our concerns are as follows:

1. Once we check maintain the auth object for the standard tcodes, will all the existing roles having these tcodes go out of sync?

2. Should we make sure that SU24 is in sync in all the clients before changing it?

Please let us know if you have any inputs regarding this issue and do the needful.

Thanks,

Karthik Kiran

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎02-01-2010 11:55 PM

0 Kudos

Hi,

my inputs -

1. No, the roles will remain the same unless you want to change it in a future date. When you add a new transaction to one of these existing roles, or use the expert mode in pfcg, all changes from SU24 are updated in the role automatically and you need to maintain all required fields.

Note that SU24 changes for existing SAP transaction must be done only after careful consideration as not every existing role may need the modifications (depends entirely on business scenario), and you might unwittingly make changes to some critical roles.

2. Ideally SU24 should be in sync in all clients for the best possible system setup. It will still work if you only update SU24 in the development system only, if this is where all roles are created and then transported to QAS and PRD systems.

regards,

Sanju

9 REPLIES 9

Go to solution
Former Member

‎02-01-2010 11:55 PM

0 Kudos

Hi,

my inputs -

1. No, the roles will remain the same unless you want to change it in a future date. When you add a new transaction to one of these existing roles, or use the expert mode in pfcg, all changes from SU24 are updated in the role automatically and you need to maintain all required fields.

Note that SU24 changes for existing SAP transaction must be done only after careful consideration as not every existing role may need the modifications (depends entirely on business scenario), and you might unwittingly make changes to some critical roles.

2. Ideally SU24 should be in sync in all clients for the best possible system setup. It will still work if you only update SU24 in the development system only, if this is where all roles are created and then transported to QAS and PRD systems.

regards,

Sanju

Go to solution
Former Member

‎02-02-2010 9:34 AM

0 Kudos

SU24 is client independent .

Roles are client dependent .

Have you run any of the steps in SU25 over the past 10 years to update the SU24 data and your roles from new SAP data?

I would copy a role and open that one on expert mode to read the new data for the HR transaction, and then do a role comparison between the two.

The system also tells you how many authorizations were removed or merged if it did anything.

If it added or updated standard or maintained authorizations, then you will see these as "new" as well.

Cheers,

Julius

Go to solution
Former Member

‎02-02-2010 11:14 AM

0 Kudos

Hi,

SU24 is client - independent. Once you do changes in SU24 it will not affect the roles unless and until you use expert mode generation in PFCG transaction.SU24 is being used to display the authorization checks(whether authorization check is there or not) for the Transaction Codes. So roles will remain unaffected.

>Moderator: This reply is partly incorrect. Regarding the merge scenario in PFCG.>

Go to solution
Former Member

‎02-03-2010 8:04 AM

0 Kudos

Hi Karthik,

As already metioned,SU24 is client indpendent so if any of your system,say DEV environment,have multiple clients the updation in one should reflect in others as well.As per your question, if you wish to keep all your systems (DEV,QA,PROD) in sync with respect to SU24, which should bethe case, then you should capture the changes done in SU24 in a transport request while doing the changes in DEV and move the transport request across the landscape.

Bidisha

Go to solution
arpan_paik
Active Contributor
In response to Former Member

‎02-03-2010 10:21 AM

0 Kudos 
if you wish to keep all your systems (DEV,QA,PROD) in sync with respect to SU24, which should bethe case

This should be followed else tomorrow you by yourself will find dissimilarity in SU24 in DEV system with others. Further to that when you are doing some changes in SU24 it will update customer table called USOBT_C & USOBX_C. Where vanilla table USOBT & USOBX will remain untouched. So distribute the change accross the system.

Arpan

Go to solution
Former Member
In response to Former Member

‎02-03-2010 10:55 AM

0 Kudos

A transport might not be enough, as entries might have been added in PROD or SU22 changed there directly.

You first need to check those and add them to DEV and remove any possible conflicts.

Cheers,

Julius

Go to solution
Former Member
In response to Former Member

‎06-26-2014 11:55 PM

0 Kudos

This message was moderated.

Go to solution
Former Member

‎04-12-2010 9:49 PM

0 Kudos

Thanks for all the replies and it really helped

Go to solution
former_member725321
Member

‎01-11-2022 12:11 AM

0 Kudos

Hello Kiran,

Were you able to maintain the SU24, we also have situation. Can you let me know what are the steps you considered.

Thanks

Supriya kulkarni