Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SU25 after an SAP upgrade to EHP5

Go to solution
Former Member

‎06-07-2012 7:35 PM

0 Kudos

We have recently upgraded from SAP ECC 6.0 to ECC 6.0 EHP5.

We are in the phase of SPAU. In that our Basis Administrator told us to perform SU25 for authorizations update.

I have gone through the documentation abt SU25 in the SAP help portals, but have not yet clearly understood it.

Can you please help me answer some queries.

1. Since we were previously using PFCG, we have to skip Step 1 (Initial Filling of Customer Tables) and directly execute Step 2a ??

2. After executing Step 2a, will the new default values deliverd by SAP be copied into the customer tables (USOBT_C & USOBX_C)  or will it only compare the SAP delivered & customer tables and not overwrite the customer tables???

3. After the Step 2a to 2c is over, do we have to execute Step 1 (Initial Filling of Customer Tables)??

4. After the customer tables are populated with the new check indicators, do we have to manually go in to each and every role & add the additional checks or will they be automatically reflected in the roles & one has to just maintain values for them??

5. Once we copy the customer tables with the new SAP delivered values, is it possible to revert back to original values???

6. Is this the correct procedure to be followed for post processing?

I am doing it for the first time, so asking in details to avoid any mistakes.

Thanks in advance.

Cheers

Sagar

1 ACCEPTED SOLUTION

Go to solution
Former Member

‎06-08-2012 7:30 AM

0 Kudos 
Sagar Bhosale wrote:
1. Since we were previously using PFCG, we have to skip Step 1 (Initial Filling of Customer Tables) and directly execute Step 2a ??

Hi Sagar,

You are right, Step 1 is only for newly installed systems where PFCG has not been used. You can start with step 2a in your case.

2. After executing Step 2a, will the new default values deliverd by SAP be copied into the customer tables (USOBT_C & USOBX_C)  or will it only compare the SAP delivered & customer tables and not overwrite the customer tables???

No. Step 2a only updates the SAP delivered tables USOBT and USOBX with the new objects and values of the upgraded version.

For any customization done to SAP default check indicator status/ values, i.e values stored in profile generator tables USOBT_C and USOBX_C, SAP gives you an option to either adopt the new suggested value or continue with the old check indicator status & values after doing a comparison. This happens when you run Step 2b.

3. After the Step 2a to 2c is over, do we have to execute Step 1 (Initial Filling of Customer Tables)??

No. It is only executed one time via DDIC when a system is newly installed or you are upgrading from a pre-3.1h SAP system where PFCG wasn't used.

4. After the customer tables are populated with the new check indicators, do we have to manually go in to each and every role & add the additional checks or will they be automatically reflected in the roles & one has to just maintain values for them??

Newly added/changed check indicator status/values for all SAP delivered transaction (added in PFCG role menu) are adjusted in the role & profile generated during Step 2c.

5. Once we copy the customer tables with the new SAP delivered values, is it possible to revert back to original values???

You will have to do it manually via SU24 or restore the system backup from a previous date which should be prior to running SU25 Step 2b.

6. Is this the correct procedure to be followed for post processing?

You will not have to revert the customer table updates if you perform Step 2b judiciously. Goodluck!

Hope this helps. Should you have any questions, please do let me know.

Thanks

Sandipan

6 REPLIES 6

Go to solution
Former Member

‎06-08-2012 7:30 AM

0 Kudos 
Sagar Bhosale wrote:
1. Since we were previously using PFCG, we have to skip Step 1 (Initial Filling of Customer Tables) and directly execute Step 2a ??

Hi Sagar,

You are right, Step 1 is only for newly installed systems where PFCG has not been used. You can start with step 2a in your case.

2. After executing Step 2a, will the new default values deliverd by SAP be copied into the customer tables (USOBT_C & USOBX_C)  or will it only compare the SAP delivered & customer tables and not overwrite the customer tables???

No. Step 2a only updates the SAP delivered tables USOBT and USOBX with the new objects and values of the upgraded version.

For any customization done to SAP default check indicator status/ values, i.e values stored in profile generator tables USOBT_C and USOBX_C, SAP gives you an option to either adopt the new suggested value or continue with the old check indicator status & values after doing a comparison. This happens when you run Step 2b.

3. After the Step 2a to 2c is over, do we have to execute Step 1 (Initial Filling of Customer Tables)??

No. It is only executed one time via DDIC when a system is newly installed or you are upgrading from a pre-3.1h SAP system where PFCG wasn't used.

4. After the customer tables are populated with the new check indicators, do we have to manually go in to each and every role & add the additional checks or will they be automatically reflected in the roles & one has to just maintain values for them??

Newly added/changed check indicator status/values for all SAP delivered transaction (added in PFCG role menu) are adjusted in the role & profile generated during Step 2c.

5. Once we copy the customer tables with the new SAP delivered values, is it possible to revert back to original values???

You will have to do it manually via SU24 or restore the system backup from a previous date which should be prior to running SU25 Step 2b.

6. Is this the correct procedure to be followed for post processing?

You will not have to revert the customer table updates if you perform Step 2b judiciously. Goodluck!

Hope this helps. Should you have any questions, please do let me know.

Thanks

Sandipan

Go to solution
Former Member
In response to Former Member

‎06-08-2012 8:55 AM

0 Kudos

Thanks Sandipan.

That really was helpful.

Few more questions:

1. If we don't adapt the new changes, will it affect the existing authorizations? because we have about 800 master roles created and 3000 derived roles from them. If we adapt the new check indicators, it would be takf of modifying the affected roles...

What should be done in this case.. Adapt the new changes or continue using the old authorization checks?

2. We have also created Z authorization objects, will Step 2a/b/c delete them???

Thanks in advance.

Best regards,

Sagar

Go to solution
Former Member
In response to Former Member

‎06-08-2012 9:13 AM

0 Kudos

Hello Sagar,

Sagar Bhosale wrote:
1. If we don't adapt the new changes, will it affect the existing authorizations? because we have about 800 master roles created and 3000 derived roles from them. If we adapt the new check indicators, it would be takf of modifying the affected roles...
What should be done in this case.. Adapt the new changes or continue using the old authorization checks?

Well, I would adopt any new check indicator suggestions for transaction codes but ignore any change in status or values for existing check indicators as far as possible.

Similarly for the roles, I would keep it in its original form (in terms of authorizations) unless its some basis object like S_RFC_ADM being introduced in step 2c. During the testing phase, new authorization objects (mostly non- basis objects ) which are really required will fail and can be added with exact values on a one to one basis based on system traces. Just my 2 cents!

It all depends on your timeline for the project and availibility of business analysts. In a perfect world, one should run trace for each business transaction and then adjust the roles in 2c.

2. We have also created Z authorization objects, will Step 2a/b/c delete them???

If you mean custom authorization objects that are check indicator for your Custom tcodes, then they will not be impacted by SU25. But make sure you have them tested, because there is a possibility that some underlying standard FM or programs related to your custom tcode might have changed after the upgrade.

Thanks

Sandipan

Go to solution
Former Member
In response to Former Member

‎06-08-2012 10:11 AM

0 Kudos

Thank you very much Sandipan.

I really appreciate your help.

If we dont execute any of the steps in SU25 and continue using the PFCG as it was earlier, will it result in any authorization issues for the users??

When do we have to execute Step 6 (Create Roles from Manually-Created Profiles) ?

Thanks

Sagar

Go to solution
Former Member
In response to Former Member

‎06-08-2012 10:26 AM

0 Kudos

As much as i know step 6 is optional , will depends on your need... let me know if i am wrong , please correct me or if its incomplete please complete the ans.

Go to solution
Former Member
In response to Former Member

‎06-08-2012 10:33 AM

0 Kudos

Hi Sagar,

For your first question, I would recommend you to go thru' this thread where your question has been answered.

For the second, Step 6 won't be required unless you are migrating from a 3.1F or earlier SAP release. Starting release 3.1G, manual profiles have been replaced by PFCG role.

P.S: Sorry for the typo in my earlier post!

3. After the Step 2a to 2c is over, do we have to execute Step 1 (Initial Filling of Customer Tables)??
No. It is only executed one time via DDIC when a system is newly installed or you are upgrading from a pre-3.1h pre-3.1G SAP system where PFCG wasn't used.

Thanks

Sandipan

Message was edited by: Sandipan Choudhury