EHP 7 - Recommended Security Approach?

This is my first experience with an Enhancement Pack implementation, so please forgive me if my questions are very basic. Our company implemented EHP 5 and is now moving to EHP 7 for ECC and I was not involved with EHP 5, but was informed that we did not run SU25.

My first question is whether or not it is recommended to run SU25 for EHPs? I've searched SCN and Google and cannot seem to find the right guidance yet. I understand that after an 'upgrade', it is recommended, but can someone please shed some light on whether or not an EHP should prompt running SU25 in our systems?

If it is not necessary, what is the recommended Security approach to an EHP installation to ensure our roles and profiles are updated appropriately?

I've searched through the EHP 7 release notes and forums, but still cannot find the guidance to give me peace of mind. Hoping the Security gurus here can at least give me a push in the right direction.

Thanks for your help,


4 Answers

  • Best Answer
    Former Member
    May 19, 2014 at 08:39 PM

    It depends on how broken the roles are and which design you had before.

    If your roles are intact, then searching for Su25 here on SCN is normally all that is needed.

    Doing an Su25 upgrade is very dependent on the state of the roles beforehand.

    If all goes well and was in sync before, you can upgrade your systems in 1 day and combine authorization tests with integration / functional tests without any problems.

    If the roles are toasted from the start or you took the bait of implementing value roles, then you will need to start a project and man a helpdesk permanently....




    • Former Member Former Member

      Thanks for the reply !!!

      When I executed the SU25 2b I got only 6 transactions but I can see lots of transactions are customized by us earlier in SU24? Do you know what went wrong?

      Also I have selected both the boxes "Selection Includes SAP standard Application" and "Selection includes Customer and Partner Application" in Step 2a.

  • May 17, 2014 at 01:28 PM

    Hi Chris

    You want to run SU25 when there has been a change in the Basis Release Level. I covered off a technical summary in the following thread:

    These are the key things I consider for EHP and upgrades:

    • possible checks on custom code (most likely covered through testing)
    • new authorisation objects
      • regeneration of SAP_ALL
      • update any non-production project roles, etc that may need the access
    • possible new transaction codes (normally each functional area will need to review their areas with SAP Notes providing details). Step 2D(?) in SU25 does a replacement transaction mapping but that assumes SAP maintained the PRGN_CORR2 table. This is useful if a transaction has become obsolete.
    • have a search to see if there is new security functionality (for example, security policies were created in a recent release)
    • ensure that the security roles are adequately tested as part of project so users do not have authorisation issues in Production

    If your system landscape is complex (e.g. two non-production streams for production support vs project) you will need to ensure a process to dual maintain security roles for the different versions, etc. May not be an issue for you but it is another thing to consider.

    Depending on how old your system is, sometimes enhancement packs and upgrades are an opportunity to overhaul security.




  • Jun 04, 2014 at 03:20 PM

    If you just want to compare the hard coded changes to the changes from SAP you could also compare the customizing tables via an RFC call and transaction OY19. Compare the relevant tables after the upgrade in the dev / sandbox system to the prod system in the old state.

    A sample procedure would be:

    OY19 - USOBT on EHP7    to    USOBT_C on "old" system

    The relevant tables are: USOBT (SAP proposals) and USOBX (SAP check values); USOBT_C and USOBX_C are the customer equivalents.

    If you are using proposals for org.levels - see notes 727536 and 1624104.

    The listed modifications are the changes done by SAP. Good security developers will set a filter on the changed objects and know the impact on their security concept.

    - This is basically step 2b in SU25 but without starting the whole process. The advice above is to be considered too, but sometimes a simple comparison between the hard facts is more transparent than the SU25 tool by SAP.


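The table comparison described in the answer above can also be done offline on exported table contents. The following is an added example, not part of the original post and not an SAP tool: it assumes both tables were exported as semicolon-separated text with the columns NAME, TYPE, OBJECT, FIELD, LOW and HIGH, and the sample rows and object names are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (semicolon-separated); not real system data.
NEW_USOBT = """NAME;TYPE;OBJECT;FIELD;LOW;HIGH
ZSAMPLE1;TR;Z_OBJ_A;ACTVT;03;
ZSAMPLE1;TR;Z_OBJ_B;ACTVT;01;
ZSAMPLE2;TR;Z_OBJ_A;ACTVT;03;
"""
OLD_USOBT_C = """NAME;TYPE;OBJECT;FIELD;LOW;HIGH
ZSAMPLE1;TR;Z_OBJ_A;ACTVT;02;
ZSAMPLE1;TR;Z_OBJ_A;ACTVT;03;
ZSAMPLE2;TR;Z_OBJ_A;ACTVT;03;
ZSAMPLE2;TR;Z_OBJ_C;ACTVT;03;
"""

def load(text):
    """Map (NAME, TYPE, OBJECT, FIELD) -> set of (LOW, HIGH) proposal values."""
    table = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        key = (row["NAME"], row["TYPE"], row["OBJECT"], row["FIELD"])
        table[key].add((row["LOW"].strip(), row["HIGH"].strip()))
    return table

def compare(new_text, old_text, objects=None):
    """Return (status, key, new_values, old_values) for every differing key.

    objects: optional set of authorization objects to restrict the report to,
    matching the "filter on the changed objects" step in the answer.
    """
    new, old = load(new_text), load(old_text)
    diffs = []
    for key in sorted(set(new) | set(old)):
        if objects is not None and key[2] not in objects:
            continue
        n, o = new.get(key, set()), old.get(key, set())
        if n == o:
            continue  # proposal values identical in both systems
        status = "ADDED" if not o else "REMOVED" if not n else "CHANGED"
        diffs.append((status, key, sorted(n), sorted(o)))
    return diffs

if __name__ == "__main__":
    for status, key, n, o in compare(NEW_USOBT, OLD_USOBT_C):
        print(f"{status:8} {'/'.join(key)} new={n} old={o}")
```
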
  • May 20, 2014 at 04:49 PM

    Hi Chris,

    I'd suggest you review my post in the Security blog:

    When you should execute SU25

    There you'll find some remarks and the relevant notes for this case...

    Hope this helps.


    Felipe Fonseca
