Skip to Content

Archived discussions are read-only. Learn more about SAP Q&A

EHP 7 - Recommended Security Approach?

This is my first experience with an Enhancement Pack implementation, so please forgive me if my questions are very basic. Our company implemented EHP 5 and is now moving to EHP 7 for ECC and I was not involved with EHP 5, but was informed that we did not run SU25.

My first question is whether or not it is recommended to run SU25 for EHPs? I've searched SCN and Google and cannot seem to find the right guidance yet. I understand that after an 'upgrade', it is recommended, but can someone please shed some light on whether or not an EHP should prompt running SU25 in our systems?

If not is not necessary, what is the recommended Security approach to an EHP installation to ensure our roles and profiles are updated appropriately?

I've searched through the EHP 7 release notes and forums, but still cannot find the guidance to give me peace of mind. Hoping the Security gurus here can at least give me a push in the right direction.

Thanks for your help,


HI Chris

As another consideration (may not apply to you) - if you have a SAP GRC component you need to run SU25 in the connected systems. There is integrated functionality for rule sets and role management that leverages SU24. Role build via GRC will fail is SU25 has not been executed.

I dont think I want to intruduce the risk of running SU25 at this point

next time you do EHPs or upgrade you will then be in the situation of, 'we haven't run it the past two times so I don't think I want to introduce the risk of running SU24 at this point'.

Step 2A will only update transactions that you have not yet modified. Your impact is if these transactions are used in any of your roles. You could look at all your transactions in menu (via AGR_TCODES) and compare against the USOBT* to see if you have any not modified before executing this step.

Step 2B will show you the differences for you to work your way through where you have made changes to SU24. If yours are highly customised you could ignore these ones. Although, at a minimum it might be worth identifying new auth objects and checking for them (compare TOBJ tables between Prod and Dev to locate them and then include those ones in SU24).



0 View this answer in context
Not what you were looking for? View more on this topic or Ask a question