https://forums.sme.sap.com/message.jspa?

messageID=6708384

SU25 - Upgrade Tool for Profile Generator

This transaction has 6 steps. This transaction is used to fill the customer tables of the Profile Generator
the first time the Profile Generator is used, or update the customer tables after an upgrade. The
customers tables of the Profile Generator are used to add a copy of the SAP default values for the check
indicators and field values. These check indicators and field values are maintained in transaction SU24. If
you have made changes to check indicators, you can compare these with the SAP default values and
adjust your check indicators as needed.

Step1: If you have not yet used the Profile Generator or you want to add all SAP default values again, use
the initial fill procedure for the customer tables.

If you have used the Profile Generator in an earlier Release and want to compare the data with the new
SAP defaults after an upgrade, use steps 2a to 2d. Execute the steps in the order specified here.

-Step 2a: is used to prepare the comparison and must be executed first.

-Step 2b - If you have made changes to check indicators or field values in transaction SU24, you can
compare these with the new SAP default values. The values delivered by SAP are displayed next to the
values you have chosen so that you can adjust them if necessary. If you double-click on the line, you can
assign check indicators and field values. You maintain these as described in the documentation for
transaction SU24.

Note on the list of transactions to be checked To the right of the list you can see the status which shows
whether or not a transaction has already been checked. At first the status is set to to be checked.
If you choose the transaction in the change mode and then choose save, the status is automatically set to
checked.
By choosing the relevant menu option in the list of transactions you can manually set the status to
checked without changing check indicators or field values, or even reset this status to to be checked.
If you want to use the SAP default values for all the transactions that you have not yet checked manually,
you can choose the menu option to copy the remaining SAP default values.

-Step 2c: You can determine which roles are affected by changes to authorization data. The
corresponding authorization profiles need to be edited and regenerated. The affected roles are assigned
the status "profile comparison required".

Alternatively you can dispense with editing the roles and manually assign the users the profile SAP_NEW
(make sure the profile SAP_NEW only contains the subprofiles corresponding to your release upgrade.
This profile contains authorizations for all new checks in existing transactions). The roles are assigned the
status "profile comparison required" and can be modified at the next required change (for example, when
the role menu is changed). This procedure is useful if a large number of roles are used as it allows you to
modify each role as you have time.

-Step 2d: Transactions in the R/3 System are occasionally replaced by one or more other transactions.

This step is used to create a list of all roles that contain transactions replaced by one or more other
transactions.
The list includes the old and new transaction codes. You can replace the transactions in the roles as
needed. Double-click the list to go to the role.

Step 3: This step transports the changes made in steps 1, 2a, and 2b.

Tailoring the Authorization Checks

This area is used to make changes to the authorization checks.

Changes to the check indicators are made in step 4. You can also go to step 4 by calling transaction
SU24.

-You can then change an authorization check within a transaction.

-When a profile to grant the user authorization to execute a transaction is generated, the authorizations
are only added to the Profile Generator when the check indicator is set to Check/Maintain.
-If the check indicator is set to do not check, the system does not check the authorization object of the
relevant transaction.
-You can also edit authorization templates that can be added to the authorizations for a role in the Profile
Generator. These are used to combine general authorizations that many users need. SAP delivers a
number of templates that you can add directly to the role, or copy and then create your own templates,
which you can also add to roles.

In step 5 you can deactivate authorization objects systemwide.

In step 6 you can create roles from authorization profiles that you generated manually. You then need to
tailor and check these roles.

=========================================================================

Hi George,
For security upgrade u need to do following steps :-

First run the SU25 2A, 2B ,2C, 2D steps successfully.

2A and 2B steps just compares the old system tcodes and new system tcodes.

Step 2C - shows the list of roles that are affected in upgrading.

Step 2D - shows the new tcodes introduced in new systems.

First complete the 2C step, click on one by one role it will get the screen of authorization objects , where
as u can see the new authorizations that are got addeded.
There are three types of new authorization objects get introduced while upgrading :-

Standard New - it is the standard authorization objects introduced for corresponding new tcodes.

Manually new - It shows the authorization objects which were manually added in old system. Some of the
values got updated for this also.

Standard Updated - Updated means , in old system if you have kept the standard values as it is, SAP has
updated these standard values( u can check this one in SU24 check indicators).
After maintaining all new authorization objects , you can save it and generate the profile.The back to
SU25 2C step shows it as green signal.
SU25, 2C step also contains the new SAP roles introduced.
After generating all profiles in SU25 2C step, you can jump to 2D step.

SU25 2D step-
If you execute these step, it will show the list of roles and old tcode and corresponding new tcode.
If business wants to use new tcode , then u can replace old tcodes by new one by clicking on
automatically adjust menu. Otherwise go to manually adjust menu and generate the profile.
The new tcodes are introduced in 2D step , this doesn't means the old tcodes are no longer exists in new
system. We have to check manually for each and every tcode.Some tcode does not exists in new
systems. FOr e.g. RZ02 is replaced by RZ20 in ECC6. RZ02 no longer existss in ECC6.

In any upgrade you should check the contents of the table PRGN_CORR2 that "drives" the SU25
process.

A> You will meet your task either way, for instance if you click the role with red light in Step:2C...it will
take you to Maintain 'Authorization' tab- Change Mode within PFCG. So either way you can Edit and
Generate role, but I would suggest you to dowload to local file and work 1by1 in PFCG so that you can
keep track of work and make some notes.
B>It depends on how your Basis defined Transport Route between clients, In our scenario role transport
from PFCG will move roles from DEV-QA-PRD..net..net..what I think is there is no need to run SU25
again.
C>If you follow above steps than I would suggest you to skip this step as PFCG role transport will take
care...However if you decide to Generate roles under Step:2C, its wise to perform step 3.