When you should execute SU25
Whenever SAP delivers an upgrade or enhancement, the authorization defaults change significantly.
To transfer the new or updated authorization defaults from the SAP area (SU22) to the customer area (SU24), you have to run steps 2a and 2b in SU25. With step 3 you can forward your updated default values to the other systems, so that all following systems behave correctly.
Step 2c in SU25 tries to find the roles that are affected by the change of the defaults. If you are under time pressure in your project and are not able to check and update all roles, you must not run that step.
Whenever you change the menu of a role, the comparison with the defaults is performed.
You are encouraged to review the following FAQ notes on this topic:
1539556 – FAQ | Administration of authorization default values
727536 – FAQ | Using customer-specific organizational levels in PFCG
419933 – FAQ | Maintaining change documents in user management
Hopefully this information will be helpful.