Hi Yuksel,

SU22 is not meant to be used by customers, because this area will be updated by SAP after each upgrade. During upgrades the contents of tables USOBX and USOBT will be cleared and refilled by the new default values that are delivered by SAP as part of the new release. When starting SU22 you will also see the word SAP in brackets in the program title, which is a good indicator that you are on the wrong way.

Customers should only use SU24, because PFCG is merging the profile content against the corresponding tables (USOBX_C and USOBT_C) of SU24 and not SU22 (USOBX and USOBT). SU22 is the area, where SAP stores its default values for authorization proposals in context of menu objects like transactions or Web Dynpros etc.. After system setup the content of SU22 must be transfered to the customer area (SU24) by executing step 1 in transaction SU25. Afterwards customers are free to change these default proposals in context of menu objects via SU24 according to their customizing needs and processes. All changes in SU24 will have an effect on your menu based roles if you use the merge option in expert mode of PFCG. The merge option compares the proposal settings of SU24 with your current profile and if there is a delta, PFCG will pull it from SU24 into the profile - no SU22 is involved here.

Due to the fact that proposals may have been changed in SU24 during normal operations, there will be a difference between SAP's default values in SU22 and your own maintained values in SU24. Therefore you always have to check what is in SU24 and not SU22.

Best regards

Stefan

Hi Stefan,

When the system upgraded, the custom SAP role does not get affect until SU25 Step 1 & 2A is executed, right? Our Basis team said once the system is upgraded all of the custom SAP roles will be updated as well - which i don't believe is true.

Thanks you in advance.

Hi Dan,

when the system gets upgraded SAP standard roles will be replaced and that is the reason why no customer should use these standard roles from SAP productively. These roles are meant to be templates that can be used to create own custom roles as a copy of them instead of building roles completely from scratch.

Your custom roles are not automatically affected by the upgrade. It would be a big pain for customers if SAP would change automatically the content of roles during an upgrade, because business processes may then not work anymore. Therefore SAP provides step 2a and 2b in transaction SU25 in order to transfer the delta that changed in SU22 to your customer area in SU24. Performing step 2c in SU25 will check which roles are affected by the changes in SU24 that are coming from step 2a and 2b. You will get a list of roles where the role profile needs to be merged with your updated SU24.

This is the correct SAP standard way to update your custom roles after an upgrade. So your Basis team is wrong. But you can ask them if they know transaction SU25. Maybe they perform these tasks in the background to provide an excellent service and therefore they tell you, that all custom roles get automatically upgraded too. 🙂

Step 1 in SU25 should only be performed after system setup in order to copy standard authorization proposals that are deliverd by SAP in SU22 to your customer area in SU24.

Best regards

Stefan

Hi Stefan,

Thank you so much for the clarification.

Thanks,

Dan

Stefan,

On your response, should Step 1 be run only on a new system setup? Or it should be run everytime when the system is upgraded to a newer verison?

Thanks once again.

Dan

Actually in higher releases, once you have run step 1 the option is greyed out - for this very reason.

Cheers,

Julius

Hi Dan,

Yes, step 1 should only be executed once after system setup. Otherwise all your customer specific SU24 data, that you maintained over the past years, will be lost. As I described, step 1 copies the SAP standard proposals from SU22 to your customer specific area in SU24. As Julius mentioned correctly, SAP set this step in higher releases to display only to prevent customers from losing their data unintentionally when running step 1 without knowing what it does, but you can still start it from the menu if needed. Despite it is called step 1, normally you should never run it again if it was already executed once.

Best regards

Stefan

Thanks again for your claification! Everything in regard to SU25 make a lot more sense now.

Thanks,

Dan