Solved: Is it Mandatory to run SU25 steps after Upgrading ...

Former Member · ‎06-09-2010

Hello All,

I have few questions regaring Security Upgrade.

We recently upgraded to a new release. So, when I try to modify a role in Dev a pop up came "which states that need to run steps 2 a to 2 c in SU25" but when clicked on continue the pop up never came after that in any role.

My question: Is it really required to run SU25 steps after any upgrade? Is it going to affect any users if dont run the steps and continue?

Regard's

Former Member · ‎06-09-2010

the new checks that have come with the newer version wouldnt work.

For sure the system would force you to correct roles (if not today, tomorrow for sure because of the different validations on the new objects in the standrad code. so it is a good idea to do it today, rather than to suffer later

If it is a quick fix you need for short time (just after the new system has been commissioned) you can add SAP_NEW profile to counter for the new authority object checks

Former Member · ‎06-09-2010

the new checks that have come with the newer version wouldnt work.

For sure the system would force you to correct roles (if not today, tomorrow for sure because of the different validations on the new objects in the standrad code. so it is a good idea to do it today, rather than to suffer later

If it is a quick fix you need for short time (just after the new system has been commissioned) you can add SAP_NEW profile to counter for the new authority object checks

Former Member · ‎06-09-2010

I saw one thread relating to this issue.

But I have one question:

Before upgrade I have downloaded the table USOBX_C for comparision after Upgrade.

Is it feasible to use the older USOBX_C and compare with New USOBX_C table after upgrade?

Are the SU25 results perhaps stored in a table somewhere that we can query/dump to Excel?

Thank you !

Former Member · ‎06-09-2010

Lokanatha,

i would suggest that you carefully go through the documentation and discussion provided by Julius and Bernard in the top 3 posts you see on the forum

you can also search the forum with USOBX_C as the key field, you will get quite a few posts that you can read to have a better understanding

Former Member · ‎06-10-2010

Hi Rao,

Check t.code SU22 to download customer USOBX_C tables data . There are different option to download data

choose releavant one as per your need.

Secondly, SU25 is required to run after technical upgrade as it sink the system with new provided functionaly. Here I agree with Shekar.Go through inital document first and also check Julius Post on upgrade.

Hope this helps: )

Bernhard_SAP · ‎06-10-2010

HI,

have a look at tables usbx_cd and usobt_cd. In field TCODE enter SU26 to get the changes performed in SU25.

b.rgds, Bernhard

Former Member · ‎06-11-2010

Thanks Bernhard !

I want to make testing effort easier. Can we use these tables data and provide them to the respective functional teams to review the auths which got modified after upgrade ?

Regard's

Former Member · ‎06-14-2010

Hi All,

We upgraded to EHP, but per basis team they just upgraded the stack level and not picked anything more when EHP installer prompted for additional functionalities.

I recently came to know that step of SU25 are not mandatory to run after enhancement unless prompted by Basis team to check.

Please advise as I am unfamiliar with SU25.

Regard's

Bernhard_SAP · ‎06-17-2010

Hi,

with any support package and especially with every enhancement package new functionality or changed

funcitonality (means for instance changed auth.-checks) may be delivered. To have your existing roles up to date you should update them accordingly. SU25 is just a helpful tool for that, as it works semi-automatically, checking the changes and compare them to your esiting roles.

So not using su25 after an upgrade of the system (means also updating SP/EHP) may lead to authorization problems.

This must not happen but could.

It is therefore advisable to run su25->2 after each update of the system. In most cases not much or nothing will have to be done in 2b,2c, but if you do not do it and it will be necessary once, the effort will of course be much bigger as many roles will show up with the need to be updated.

So if you want to have an actual system, su25->2 should be run.

b.rgds,

Bernhard

Former Member · ‎08-03-2010

Hello,

I have a question regarding Step 2C (roles to be checked).

When I execute step 2C, I get a list of roles which are affected. I want to know if I can pick each single role and use PFCG and generate the role rather than going directly thru step2c by clicking the role and adjusting it.

What difference it will make if go separately with PFCG (picking each role from step 2C list) instead of going thru directly from step2c list by clicking and merging?

Regard's

Rao

Former Member · ‎08-03-2010

You are missing the purpose of the tool - namely Step 2B.

2B is the key to reducing your effort and building good roles in the first place when you enter 2C. If you get that part right, then step 2C is popcorn and watching the tele while your program runs (not a(n) (e)CATT script...). You can do this in standard if you are disciplined!

A special aspect is to choose the "Authorization Object" view which is available in SU24 but not in SU25. If you restrict the number of roles to few single roles (or series of them without derivation) which are intact then you can survive a release upgrade without toasting your roles or the SU24 data updates.

SU25 is very usefull for such role builds!

If you want all the lights to turn green then use SUPC and transport them through. God help anyone who used roles as menu's and deleted standard or maintained authorizations...

SAP security is a specialized task which touches all applications you use...

Cheers,

Julius

Edited by: Julius Bussche on Aug 4, 2010 12:24 AM

Former Member · ‎08-04-2010

Hi Julius,

Thank you for very valuable tips.

I did not got anything when i executed Step 2B (message came: "you do not need to maintain transactions). That's why, I manually picked each role from step 2c (as there are many roles affected). I processed some roles by going through PFCG.

Just to be cautious, will it affect anything if we adjust roles outside of Step 2C (without clicking and merging from step 2c) ?

Regard's

Edited by: lokanatha Rao on Aug 4, 2010 8:25 AM

Former Member · ‎08-04-2010

The "read old merge new" function did not always work when you call it directly, but other than that there is no difference as it shows the red status of the authorizations after you have run it the first time.

You will see the same in 2C as you would in PFCG and the same when you revert back to 2C if you make changes in either of them.

Cheers,

Julius

Former Member · ‎08-04-2010

thanks for the quick reply.

Last question:

I have created a workbench transport request for step 3. Please let me know if I need to first import this transport into QAS then import the mass transport request for roles ?

Many Thanks!

Former Member · ‎08-04-2010

As long as there isn't a "no check" indicator and you are not opening the roles in production, then it does not matter.

If it does, then send the transport with the SU24 data in it through first unless there was a "no check" indicator in the past which is now on "check" AND has a negative impact for the user (it generally should not happen though).

So, transport them at the same time to on the absolute safe side.

Cheers,

Julius

Is it Mandatory to run SU25 steps after Upgrading to new release