Clarity on when to use SU25

Question: Hi All

I read thru some of the posts related to SU25 and would just like some clarity please: Upgrade 4.6C to ECC6.0

1. Run 2A. which will OVERWRITE the customer tables? This step is compulsory to have all the new defaults in place?

2. Run 3. which will transport the customer tables to TST and PRD?

3. We have no customised check indicators so no need for SU24?

4. We'll pick up the additional checks for existing txns during full TST testing so no need to run 2B-D?

Thanks!
Jaynick
_________________
SAP Rules!!!

Answer:
1. 2A is run by DDIC during the upgrade
2. 2B-D should be executed in that order since that will align your SU24 with the new SAP defaults and help your accept/reject the changes for the new checks. It will also help to adjust your roles through one report
3. DO NOT depend on testing since that might still not catch all the reuired changes. It is always good to be pro-active and complete the changes rather be in a reactive mode fixing the problems.
In a nutshell, SU25 steps should always be completed after an upgrade.

Answer:
Thanks for the reply! I agree with being proactive except that one can't possibly know whether all the new values are indeed required or not. I don't want the result to give more authorisation than required which is why I'm leaning towards relying on testing. Agreed not all auths will be fixed but most should as our testing is quite thorough.

As mentioned DDIC runs 2A. in the DEV system. Will I be required to transport the customer tables to TST and PRD or will 2A. also be run automatically once these systems are upgraded?

This is obviously my first upgrade, your comments are much appreciated!

Thanks again!
Jaynick
_________________
SAP Rules!!!

Answer:
Jaynick,
The new values are always required and that is why those values are added.
By completing all steps in SU25, this is what you achieve

1. Align your SU24 tables with the correct check indicator defaults as suggested by SAP. You have the option to accept or reject a change. This will also make sure that when you add any transaction to roles, it will add the correct values for the authorization objects

2. Make sure all your new roles have picked up the new values for the new/old authorization objects. If you do not complete this step, all the roles will show up red if you have updated the check indicator defaults.

3. You should also use SU25 to effectively bundle all the changes from the upgrade.

4. Any administator who has done security for a while will tell you that testing will not necessarily catch all problems. If you are proactive, you can catch most of the problems in the dev system where the change can be done directly and transported. If the problem occurs in PRD, you will have to go through the process of transporting the roles everywhere and you never know how many of them turn into emergencies. With regards to giving more auth, you should always have your set of audit controls defined that you run frequently enough in DEV and PRD to catch any problems.

-- Mithilesh.

Answer:
Mithilesh, thanks for the replies!
Jaynick
_________________
SAP Rules!!!

Answer:
Hi All

One more thing I'm unsure about. Once I completed all the steps 2A-D must the customer tables be transported although we have no changes to tables USOBT-C & USOBX_C campared to SAP standard?

Thanks again!!
Jaynick
_________________
SAP Rules!!!

Answer:
nope
_________________
rgds
fish

Answer:
Its a good idea to transport the tables along with the role changes for consistency sake.

Answer:
Thanks again, assistance from this forum was great with getting me thru my first upgrade!
Jaynick

1 comment:

Terry said...

I mistakely executed the step 1 in sap upgrade. How can I correct the error? I has over written the cuatomer tables.

topics