SU25-Profile upgradation

Why SU25 is required? In SAP security the two standered tables are USOBT&USOBX which contains SAP security type data. This is a single time activity.when you click on intially fill the customer tables option the data will be copied into customer tables USOBT_C ,USOBX_C from USOBT &USOBX. The table USOBT contains T-CODE Vs Authorization object. The Table USOBX contains checkindicators for USOBT table After upgrading SAP with the new release, you need to make adjustment to the all the roles and transaction codes.SU25 is the transaction code for upgrading profile generator. This has 6 different steps and the execution of these steps depends on whether you were already using profile generator in the last release.

This transaction has 6 steps. This transaction is used to fill the customer tables of the Profile Generator the first time the Profile Generator is used, it will update the customer tables after an upgrade. The customers tables of the Profile Generator are used to add a copy of the SAP default values for the check indicators and field values. These check indicators and field values are maintained in transaction SU24. If you have made changes to check indicators, you can compare these with the SAP default values and adjust your check indicators as needed.

Step1: If you have not yet used the Profile Generator or you want to add all SAP default values
again, use the initial fill procedure for the customer tables. If you have used the Profile Generator in an earlier Release and want to compare the data with the new SAP defaults after an upgrade, use steps 2a to 2d. Execute the steps in the order specified here. -Step 2a: is used to prepare the comparison and must be executed first. Step 2b - If you have made changes to check indicators or field values in transaction SU24, you can compare these with the new SAP default values. The values delivered by SAP are displayed next to

the values you have chosen so that you can adjust them if necessary. If you double-click on the line, you can assign check indicators and field values. You maintain these as described in the documentation for transaction SU24. Note on the list of transactions to be checked To the right of the list you can see the status which shows whether or not a transaction has already been checked. At first the status is set to to be checked. If you choose the transaction in the change mode and then choose save, the status is automatically set to checked. By choosing the relevant menu option in the list of transactions you can manually set the status to checked without changing check indicators or field values, or even reset this status to to be checked. If you want to use the SAP default values for all the transactions that you have not yet checked manually, you can choose the menu option to copy the remaining SAP default values. -Step 2c: You can determine which roles are affected by changes to authorization data. The corresponding authorization profiles need to be edited and regenerated. The affected roles are assigned the status profile comparison required. Alternatively you can dispense with editing the roles and manually assign the users the profile SAP_NEW (make sure the profile SAP_NEW only contains the sub profiles corresponding to your release upgrade. This profile contains authorizations for all new checks in existing transactions). The roles are assigned the status profile comparison required and can be modified at the next requir ed change (for example, when the role menu is changed). This procedure is useful if a large number of roles are used as it allows you to modify each role as you have time. -Step 2d: Transactions in the R/3 System are occasionally replaced by one or more other transactions. This step is used to create a list of all roles that contain transactions replaced by one or more other transactions. The list includes the old and new transaction codes. You can replace the transactions in the roles as needed. Double-click the list to go to the role. -Step 3: This step transports the changes made in steps 1, 2a, and 2b. Tailoring the Authorization Checks This area is used to make changes to the authorization checks. -Step 4.Changes to the check indicators are made in step 4. You can also go to step 4 by calling transaction SU24. -You can then change an authorization check within a transaction. -When a profile to grant the user authorization to execute a transaction is generated, the authorizations are only added to the Profile Generator when the check indicator is set to Check/Maintain. -If the check indicator is set to do not check, the system does not check the authorization object of the relevant transaction. -You can also edit authorization templates that can be added to the authorizations for a role in the Profile Generator. These are used to combine general authorizations that many users need. SAP delivers a number of templates that you can add directly to the role, or copy and then create your own templates, which you can also add to roles. In step 5 you can deactivate authorization objects system wide. In step 6 you can create roles from authorization profiles that you generated manually. You then need to tailor and check these roles.