SU25 – A Discussion

There is already a post in this blog which talks about the SU25 transaction. However while recently working on a upgrade, it occurred to me that the information presented was too broad and might not answer a lot of the doubts that a security analyst might face when actually tasked to complete the full post SU25 execution. I do not claim that this post will answer all the question but it does go into more depth about the thinking that should go into the post upgrade activities. This is all the more important as when done wrong, the SU25 activity has potential to reduce the check indicators and roles for a SAP system to junk!

A service pack upgrade is a recurring event in any SAP project. Typically SAP introduces new applications as part of service packs. It is also possible that SAP re-writes the code around existing SAP applications. Any of these changes can introduce new security checks in the code and which need to be added into the security roles. The SAP provided tools for security upgrades are accessed by using the SU25 transaction.
Going into SU25 after an upgrade will reveal a screen similar to the one below

SU25 - Initial Screen
SU25 – Initial Screen

We never run Step 1 after an upgrade. Step 1 is only meant to be run after a new SAP installation and will copy all data from the SAP tables to the customer tables and overwrite everything.

For an upgrade, we start the SU25 activities by running step 2A. This compares the data in USOBT and USOBX with USOBT_C and USOBX_C. If SAP determines that there is no conflict between the SAP proposed values with the values maintained by the customer, it goes ahead and copies the data to the customer tables. For the transactions where it determines that SAP proposed values conflict with customer values, it proposes that we compare and manually adjust the values in Step 2B.

After 2A, we now run Step 2B and manually compare the list of transactions where the list of SAP proposed check indicator and default values is different from the values maintained by us. We go through all affected transactions one by one and either accept SAP proposed values or keep the values maintained by us.

SU25 - Step 2B
SU25 – Step 2B

In most cases, we would keep the customer values unless there is an overwhelming need to change it to the proposed values. The most important case would be to look for cases where SAP is proposing more security than what we have in the system (for example SAP proposal is for check whereas customer proposal is for do not check). Once we are through with the entire list of affected transactions we are ready to go into the next step 2C to look at the roles affected by the changes to SU24 data. At this point it is advisable to take a backup of the USOBT_CD and USOBX_C change log tables so that we have an idea of the values changed as part of SU25 activity.

In Step 2C, SAP provides us a list of all roles which have transactions in their menu which have SU24 data updated as part of the SU25 activity.

SU25 - Step 2C
SU25 – Step 2C

The Step 2D is optional and mainly meant to check if SAP has introduced new transactions in place of any existing transactions.

SU25 - Step 2D
SU25 – Step 2D

The last mandatory step in the SU25 process is to run Step 3 and transport the customer tables. This was the latest customer tables are transported into all the successive environments in the landscape. The transport of the tables should be followed by a transport for all the roles which were generated as part of Step 2C

Downloading/Uploading SU25 Data

As already discussed , the SU25 transaction over-writes the customer tables with SU24 data, USOBX_C and USOBT_C with the SAP provided data in USOBX and USOBT. As a precaution we would like to take a backup of the customer tables and also a backup of the SU24 data using the RSU22DOWN. The downloaded file from RSU22DOWN can be later re-uploaded into the SAP system to go back to the earlier customer defaults.

21 thoughts on “SU25 – A Discussion

  • July 17, 2013 at 4:52 am
    Permalink

    Hello Aninda,

    Which is really help full.

    Thank you for providing this valuable information.

    I have one more doubt which is there any way to mass upload the users?
    Please clarify me on the query.

    Thanks In Advance!

    Regards,
    Siva V.

    Reply
    • July 26, 2013 at 9:47 pm
      Permalink

      LSMW, SECATT, BAPIs

      Reply
  • July 17, 2013 at 4:53 am
    Permalink

    Is there any way to mass upload users?

    Regards,
    Siva V.

    Reply
  • July 24, 2013 at 6:23 am
    Permalink

    Hi Aninda,
    How does report RSU22DOWN helps in going back to earlier version? I ran this program in my system and ?I get nothing as an output.

    Reply
    • July 26, 2013 at 9:56 pm
      Permalink

      The RSU22DOWN program is meant to download the SU24 tables to a text file. If its not downloading you might not be following the correct steps. Do a web search. The SAP help article on how to use the program is in the first few search entries.

      Reply
  • February 2, 2014 at 10:05 pm
    Permalink

    Hi Aninda, There seems to be no difference between SU25 and SU26. Why is that we even have SU26 transaction? Thanks in advance.

    Reply
  • March 16, 2014 at 7:16 pm
    Permalink

    hi
    aninda
    what is the t-code su26
    pls give answer asap
    thanks

    Reply
    • June 5, 2014 at 8:55 am
      Permalink

      I have not had to use it yet. The functionality seems to be similar to SU25. Would be glad if someone who has had experience using it could comment.

      Reply
  • April 4, 2014 at 1:09 pm
    Permalink

    Hi Annada,

    Thanks for your information

    I have one doubt, are these roles need to be generated which are showing in RED status before transporting?

    Thanks
    Madhu

    Reply
    • April 10, 2014 at 11:18 am
      Permalink

      You should not transport roles with unmaintained values for authorization objects. So just ensuring that roles are green won’t be enough as a role with unmaintained values can still be generated.

      Reply
  • May 28, 2014 at 2:58 am
    Permalink

    Hi Aninda

    Need small info.

    I have executed tc.de Su25 Sepn 2A to 2D in ECC 6.0 system and then remediated the affected roles with user assignment generated from Step 2C in DEV box. Now the client says do not transport the changes ie Step 3 but transport the affected roles in QA system. My questions is will the remediated roles works in QA system without the customer table? Please reply

    Thanks

    Saur

    Reply
    • June 11, 2014 at 3:02 am
      Permalink

      Hey Man – Can you reply fast?

      Reply
    • June 13, 2014 at 4:44 pm
      Permalink

      The customer tables need to be transported as well. Otherwise the full impact of the SU25 changes will not be experienced in QA or Prod environments.

      Reply
  • May 28, 2014 at 4:44 am
    Permalink

    Hi Aninda

    Need one info.

    After executing SU25 Steps 2A to 2D in DEV box of ECC 6.0 system, I got list of affected roles. I remediated those affected roles and they are now ready to be transported in QA system. My question is that client asks us not to executed Step 3 and transport the customer table data in QA system. Is it ok to move the remediated roles in QA system without transporting the customer table data?

    Thanks

    Saur

    Reply
  • July 4, 2014 at 3:53 am
    Permalink

    Hi,
    Two questions regarding step 3. In ecc system we changed su24 table manually and moved the changes to quality but did not use step 3.Quality testing is almost completed should I transport changes through step 3 and if done it will impact in quality?
    Scenario-2 BW system no changes in su24 so so did not moved to quality.Testing in quality is completed should I move the changes through step 3??

    Reply
    • September 26, 2014 at 1:52 pm
      Permalink

      If already moved the custom tables manually, re-transporting them through SU25 is not necessary. You can verify that the latest changes are in QA by comparing the table values from DEV.

      Reply
  • July 8, 2014 at 9:13 am
    Permalink

    Hi Aninda,

    Great resource you have here!

    I just had a question about SU25 step2A. Would you happen to know if step 2A transfers data?
    After executing step 2A, it looks as though the data was altered in tables USOBT_C and USOBX_C. After doing some research, I thought 2A just compared the tables USOBX and USOBT with USOBX_C and USOBT_C.

    Any input would be appreciated.

    Thanks in advance!

    Nathan

    Reply
    • September 26, 2014 at 1:43 pm
      Permalink

      Step 2A is not a read only step but does write data into the custom tables. If after running the comparison between standard and custom table values, if SAP determines that there is a conflict only then are these are displayed in 2B, otherwise the updates occur in 2A. This post talks at length on what’s happening behind the scenes.

      Reply
  • September 23, 2014 at 5:59 am
    Permalink

    Hi Aninda,

    I am new to SAP HR security. Happen to view your post during google search. Your post are wonderful. I would like to clarify related to SAP HR. I am aware that HR and BASIS object cant be changed thru SU24. just want to know what happens to SAP HR object after an upgrade or patches takes place..

    Thanks in Advance

    Reply
  • December 3, 2014 at 6:58 am
    Permalink

    Hello,

    I need document on SCM APO implementation can anyone help me on this

    Reply
  • February 22, 2022 at 1:32 pm
    Permalink

    Thank you.nice explanation

    Reply

Leave a Reply to Aninda Cancel reply

Your email address will not be published. Required fields are marked *