In our last discussion, we saw that SU24 tcode is used to maintain all those authorization objects that are checked during the execution of a particular transaction. We also saw that for every authorization object that is in SU24 screen, there is a corresponding value for two fields – Check Indicator (Check/Do Not Check) and Proposal (Yes/No).
These values are stored in two customer specific tables – USOBT_C and USOBX_C. The “_C” in these table names indicate that these tables contain customer specific values which are maintained/changed via SU24 tcode.
If the Profile Generator is used for the first time, these customer specific tables are initially filled with SAP Default Proposed values. SAP Proposed values are stored in tables USOBT and USOBX. We can also have a look at these values via Tcode SU22. These values should NOT be manually changed. These get updated during upgrades.
While the SAP Proposed values (in tables USOBT and USOBX) get updated during future upgrades, the customer specific tables (USOBT_C and USOBX_C) ensure that values modified by customer are not overwritten to SAP default unless explicitly changed by user (via Tcode SU25 – step 1). We will discuss more about SU25 when we discuss about SAP Security Upgrade in coming topics.
Now lets come to the basic Question : What values are maintained in the USOBT_C and USOBX_C tables?
The USOBX_C table defines what authorization checks are to be performed within a transaction and what not, i.e. whether the check indicator field is set to “Check” or to “Do Not Check”. This table also defines which authorization checks are maintained (Proposal Value – Yes) in the Profile Generator.
The table USOBT_C is for those authorization objects for which the Proposal values is Yes in SU24. It contains Authorization values for the authorization objects which are defined to be maintained (Proposal value “Yes”) in profile generator.
Whenever any change in proposal value is made for any transaction code in SU24, the new values should be pulled to all those roles where that particular tcode is present in role menu. In this case, all such roles’ profile should be generated in Expert Mode for Profile Generation. The option to be selected is “Read Old Status and Merge with New Data”.