Felipe Fonseca

When you should execute SU25

Whenever SAP delivers an upgrade or enhancement, the authorization defaults change significantly.

To transfer the new or updated authorization defaults from the SAP area (SU22) to the customer area (SU24), you have to run steps 2a and 2b in SU25. With step 3 you can forward your updated default values to the other systems, so that all following systems show the right behavior.

Step 2c in SU25 tries to find the roles that are affected by the change to the defaults. If you are under time pressure in your project and are not able to check and update all roles, you must not run that step.

Whenever you change the menu of a role, the comparison with the defaults is carried out.

You are encouraged to review the following FAQ notes on this topic:

1539556 – FAQ | Administration of authorization default values

727536 – FAQ | Using customer-specific organizational levels in PFCG

419933 – FAQ | Maintaining change documents in user management

Hopefully this information will be helpful.

      4 Comments
      Otto Gold

      Hi Felipe,

      I see what you're doing. Which is good 😛

      Just one little piece of advice: If you invested some more time into the contributions and made them something more than just a pointer to OSS notes, you would be loved and praised, since not many blog on Security. Right now it is more in the direction "My dear diary, my favorite OSS notes are...". No offense, I am joking.

      The point is that people who know what they don't know go actively looking for OSS or help.sap.com and they don't need these pointers. People who don't have a clue won't go reading OSS even if you point them there (or they implemented it wrong etc.).

      If your contributions had a story going from A to B, I would find it far more fun to read and would happily recommend it to my contacts.

      Keep going, we need to build more awareness about security!

      Cheers Otto

      Felipe Fonseca
      Blog Post Author

      Hi Otto!

      Thanks for your comments, I'm kinda green in all this blog stuff, so it's great to receive some feedback. I'll try to follow a different approach in my next contributions to make them more interesting.

      Cheers, Felipe.

      Otto Gold

      On a positive note, I have never seen these "knowledge base articles" before stumbling upon yours. I am curious where this all takes us, maybe it is a new trend/invention at SAP? Anyway, keep going, I meant well, I swear.

      cheers Otto

      Felipe Fonseca
      Blog Post Author

      Yeah, actually KBAs are not quite a novelty, but SAP has split notes into corrections (still delivered by notes) and KBAs (how-to's and explanations on system standard behaviors, usually written by people from Support, and not Development).

      Cheers, Felipe.