SU25 Steps


This post is about SAP Security Upgrade (SU25 steps in SAP).


Why do we need to upgrade our SAP System?

The reason to upgrade SAP system should be driven by “Business Needs”. Business should be well aware of the reason as to why it needs to upgrade its system. It should know if the new release brings “desired functionalities”. This information can be found in the release note for the specific release. Care should be taken while upgrading the system, because if the upgrade fails, it can affect business operations.

Let us discuss SU25 steps for SAP Security upgrade:

SU25 is a tcode which is executed during the initial implementation of SAP and also during each time an upgrade takes place. There are 6 different steps in this transaction code, not all of which need to be executed each time SU25 is used. We will be discussing about these steps and also about when a certain step need to be executed. These steps are used to populate the customer tables of the Profile Generator the first time the Profile Generator is used, or update the customer tables after an upgrade (to update check indicators and field values of SU24). The below screenshot shows the steps of SU25:


Step 1: Initially fill the customer tablesThis step is used if the SU24 customer tables (USOBT_C and USOBX_C) need to be filled with SAP default values from the tables USOBT and USOBX. This is generally done when you use Profile Generator for the first time or when you want to overwrite SU24’s check indicator and field values with SAP default values.

Steps 2A to 2D of SU25 are executed if you have used profile generator in an earlier release and you want to compare data with the new SAP default values after an upgrade.


Step 2 : Post-processing the settings after upgrading to a higher Release:


  • Step 2(A) : Preparation: Compare with SAP values : This step is used to prepare the comparison and must be executed first.


  • Step 2(B) : Compare transactions : If any change has been made to check indicators or field values in SU24, you can compare these changes with the new SAP default values. The tcodes which have undergone any authorization object level change in new release, will be shown with red traffic light. The authorization objects for those tcodes can be compared for their check indicators and field values. As per the below screenshot, the values are compared for those present in SU24 and those present in SU25 (i.e. proposed by SAP):


You can double click on the authorization object for which SAP proposed check indicators and SAP proposed values need to be assigned to SU24.

  • Step 2(C) : Roles to be checked : This step helps to determine which roles are affected by changes to authorization data. The corresponding authorization profiles need to be edited and regenerated. The affected roles are assigned the status “profile comparison required”. In case there is a very large number of roles that need to be modified and there is time constraint, the other option can be to assign the profile SAP_NEW. SAP_NEW contains authorizations for all new checks in the existing tcodes. The roles are assigned the status “profile comparison required” and can be modified as and when you get time or when any particular role needs some other change. But this option should generally be avoided and should be used only in case of emergency situations and the profile SAP_NEW should be assigned only to limited number of users.


  • Step 2(D) : Display changed transaction codes : This step displays the list of those transaction codes which get replaced by one or more other transactions.This step is used to create a list of all roles that contain transactions replaced by one or more other transactions. The list includes the old and new transaction codes. You can replace the transactions in the roles as needed. Double-click the list to go to the role.


Step 3 : Transport the customer tablesThis step of SU25 is used for transporting the changes made in Steps 1, 2A and 2B. Complete customer tables get transported.

Steps 4 to 6 are only required for upgrade version which is lower than 4.6C.

Step 4 : Check Indicator (Transaction SU24)Changes to the check indicators are made in this step. You can also go to step 4 by calling transaction SU24. Authorization check within a transaction can be changed from there. For more details about SU24 concepts, please refer to this link.

Step 5 : Deactivate authorization object globallyIn step 5 you can deactivate authorization objects system wide.

Step 6 : Copy data from old profilesThis step is used for creating roles from authorization profiles which you generate manually.