SU25-Step:2C Roles to be checked

Hello All,
I searched old threads but did not find an answer to my question. I would appreciate your reply.
My system is going to be upgraded from 4.6 to ECC 6.0. I performed SU25 on my sandbox (ECC) to see the roles affected; it's pulling up all our Z roles as affected, with status RED.
Is there a way to generate these profiles automatically? I feel it's really tedious to manually generate hundreds of roles.
This is the first time I am involved in an upgrade, and I want to play safe with the security change.
And in "Display changed Trans." it's showing a huge list of changed tcodes. I don't know whether it's pulling up the accurate list or not... Most of the tcodes I see are like ME21 (old) changed to ME21N (new).
Any thoughts on "N"...?
Extra info......
And also, my company never really maintained SU24; they appended SAP default checks and manually maintained auth. fields in PFCG...
As per forum threads, I backed up UST12, USOBT_C, USOBX_C...
Please advise me, guys... thanks in advance...

Hi,
SUPC will not work for those roles, as the status of their profile is 'to be compared'.
My opinion is not to bypass the point of updating the profiles with the new authorization data. Sooner or later, this adaptation will be necessary anyway.
If you perform the updates now in your test environment, you could save those roles (with the updated authorizations) in a transport. When you then upgrade your production, you will have the work already done. Simply import your role transport and you have the current versions of the roles in your production.
So my recommendation is to perform all steps completely in the test environment and not to bypass any point. It will fall back on you sometime later on (at the latest in production, if some roles no longer work because of missing authorizations due to new/additional authority checks in the applications).
b.rgds, Bernhard

Similar Messages

  • SU25 step 2: tcodes from MENU or from S_TCODE

    Hi all,
    I am using SU25 step 2 a,b,c,d to migrate roles (3.1 to 4.6). The main logic of SU25 step 2 is that table USOBT_C is used to insert new auth values. To do this, transaction codes are used to SELECT entries from USOBT_C.
    Now the dilemma: which transaction codes are used? The ones from AGR_TCODES (this means MENU ROLE) or from authorizations under S_TCODE of AGR_1251 (this means authorization tree)?
    As I know, only the tcodes in MENU are considered but I have heard that the new SU25 (kernel 6.40 I suppose) is able to consider also the S_TCODE auths. I have done many checks (even using the SSM_CUST table with NEW_SU25_EXCHANGE ID and ssm_cust-path = YES), but only MENUS have been considered. Of course all this issue is relevant only if the MENU and S_TCODE are misaligned.
    One other dilemma is: if S_TCODE auths are used, what happens when ranges and the wildcard character (*) are used?
    Many thanks for your help.
    Andrea Cavalleri

    Hi,
    I have never heard of SU25 being able to consider the S_TCODE entries.  Normally, SU25 only considers the tcodes assigned to the menu.  In my opinion, it would be a bad idea to consider S_TCODE entries that have been changed or manually inserted for a number of reasons.
    For logic on how SU25 handles each relating authorisation object in the role, check out the topic
    Auth Obj merging handling during upgrade
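
An added example (not from the thread or from SAP): a small Python check for the menu versus S_TCODE misalignment discussed above, run over rows exported from AGR_TCODES and AGR_1251, including ranges and wildcard values. The role names and sample rows are constructed, and the plain string comparison used for ranges is an assumption that approximates interval matching.

```python
"""Compare a role's menu tcodes (AGR_TCODES) with its S_TCODE values (AGR_1251)."""
import re

# Constructed sample rows, shaped like exports of the two tables.
AGR_TCODES = [  # (AGR_NAME, TCODE)
    ("Z_BUYER", "ME21N"),
    ("Z_BUYER", "ME23N"),
    ("Z_BUYER", "MIGO"),
    ("Z_BASIS", "SM59"),
]
AGR_1251 = [  # (AGR_NAME, OBJECT, FIELD, LOW, HIGH)
    ("Z_BUYER", "S_TCODE", "TCD", "ME21N", ""),
    ("Z_BUYER", "S_TCODE", "TCD", "ME22", "ME23N"),  # range value
    ("Z_BUYER", "S_TCODE", "TCD", "SU01", ""),       # manual entry, not in menu
    ("Z_BUYER", "M_BEST_EKO", "ACTVT", "03", ""),    # other object, ignored
    ("Z_BASIS", "S_TCODE", "TCD", "S*", ""),         # wildcard value
]


def covers(low, high, tcode):
    """True if one LOW/HIGH value pair of S_TCODE authorizes the tcode."""
    if high:
        # Assumption: intervals are compared as plain strings.
        return low <= tcode <= high
    if "*" in low:
        regex = ".*".join(re.escape(part) for part in low.split("*"))
        return re.fullmatch(regex, tcode) is not None
    return low == tcode


def audit(role, menu_rows=AGR_TCODES, auth_rows=AGR_1251):
    """Report where the menu and the S_TCODE authorization of a role diverge."""
    menu = {tcode for name, tcode in menu_rows if name == role}
    values = [(low, high) for name, obj, field, low, high in auth_rows
              if name == role and obj == "S_TCODE" and field == "TCD"]
    return {
        # Menu entries the user could not start with this role alone.
        "menu_without_s_tcode": sorted(
            t for t in menu if not any(covers(lo, hi, t) for lo, hi in values)),
        # Single values added by hand that a menu-based SU25 run would not see.
        "s_tcode_not_in_menu": sorted(
            lo for lo, hi in values if not hi and "*" not in lo and lo not in menu),
        # Broad grants that cannot be mapped back to single menu entries.
        "ranges_or_wildcards": sorted(
            f"{lo}-{hi}" if hi else lo for lo, hi in values if hi or "*" in lo),
    }


if __name__ == "__main__":
    for role in ("Z_BUYER", "Z_BASIS"):
        print(role, audit(role))
```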

  • Is it Mandatory to run SU25 steps after Upgrading to new release

    Hello All,
    I have a few questions regarding Security Upgrade.
    We recently upgraded to a new release. When I tried to modify a role in Dev, a pop-up came up which states that we "need to run steps 2 a to 2 c in SU25", but after I clicked on continue the pop-up never came up again in any role.
    My question: Is it really required to run the SU25 steps after any upgrade? Is it going to affect any users if we don't run the steps and continue?
    Regards

    You are missing the purpose of the tool - namely Step 2B.
    2B is the key to reducing your effort and building good roles in the first place when you enter 2C. If you get that part right, then step 2C is popcorn and watching the tele while your program runs (not a(n) (e)CATT script...). You can do this in standard if you are disciplined!
    A special aspect is to choose the "Authorization Object" view which is available in SU24 but not in SU25. If you restrict the number of roles to few single roles (or series of them without derivation) which are intact then you can survive a release upgrade without toasting your roles or the SU24 data updates.
    SU25 is very useful for such role builds!
    If you want all the lights to turn green then use SUPC and transport them through. God help anyone who used roles as menus and deleted standard or maintained authorizations...
    SAP security is a specialized task which touches all applications you use...
    Cheers,
    Julius
    Edited by: Julius Bussche on Aug 4, 2010 12:24 AM

  • In iTunes I'm having problems changing the "Media Kind" with a number of playlists in the OPTIONS menu from "music" to "audiobook". After going through the steps, the next time I check the items have reverted back to "music". What step am I missing?

    In iTunes I'm having problems changing the "Media Kind" in the OPTIONS menu from "Music" to "Audiobook". After going through the steps, the next time I check, the items have reverted back to "Music". What must I do to save it as an "Audiobook"?

    After more digging in the Support section here and some Google work, I turned off iTunes Match and lo and behold!  I can change the media kind to Audiobook!  So, it looks like iTunes Match locked the files up somehow and for some reason.
    I went into iTunes Store > iTunes Match > "No, Thanks" to disable it on the local PC.

  • Itunes match stopped in step 2 3188 of 4525 checked. how do i recover?

    itunes match stopped in step 2 3188 of 4525 checked. how do i recover?

    You've tried tapping on the Collections button at the top of the bookshelf to see if they are in a different collection ? If not then do you have a copy of them in the Books part of your computer's iTunes library (though PDFs aren't iTunes purchases, if you've done 'transfer purchases' whilst they were on the iPad then they should have copied over) ?
    ibooks and PDFs aren't included in a device's backup, so if they aren't in your computer's iTunes library and/or you don't have your own backup copy of them then they won't be on your computer (for info there isn't an iBooks app/program for a Mac or PC).

  • User role and Authority-check ?

    Hello,
    Could you please let me know what the differences are between a user role and an Authority-check? In a program I do not use Authority-check, and the user is not assigned to a user role which contains this transaction (for this program). Can the user execute this transaction, or must he be assigned to a user role which contains this transaction to execute it? Supposing that we do not use any Authority-check in the program.
    Thanks in advance

    Hello Martin,
    I think this answers the OP's question about the user not being assigned the role which contains the trxn code. As you have explained, in this case the default auth. check for S_TCODE will fail & the user cannot execute the trxn. (If I remember correctly, the tables for this are AGR_USERS & AGR_TCODES.)
    Anyways just to add to the OP's query. Auth. objects are added to profiles which in turn assigned to roles. So if you implement the auth. object in your program the user must also subscribe to the role containing the auth. obj. profile to be able to execute it.
    @OP:
    The transactions PFCG & SUIM might interest you. Also the tables dealing with these stuffs begin with AGR*. You can check the tables for better understanding.
    BR,
    Suhas

  • SU25 - Step 2B Missing changes

    Dear All,
    We are upgrading our system from R/3  Enterprise to ECC6.0. After the upgrade in the development system, I have run SU25.
    In Step 2B, the transaction SM59 was not showing in the list of affected transactions but during the testing we found out that it would require S_RFC_ADM which has proposal as yes and the object is start as well.
    Need your help to find out ways of finding this kind of changes. Thanks for your help.
    Regards,
    Aswin

    Because of this, as you can imagine, SAP are very careful with removing proposals.
    You must put a lot of thought into adding proposals and often it is best to make some "mass decisions" locally in the implementation (in SU24 you can also choose the "authorization object" tab to perform mass maintenance - tip: document the ones you tune here as it is easier to do it here than in SU25 in some cases).
    Unfortunately SAP GRC was too lazy to work out for themselves what all the transaction's capabilities are, so they bolted onto SU24 field values as a capability indicator. Very stupid decision in my opinion, as it forces SU24 to make field value proposals for a transaction where you actually want to make the decision in the role you are building.
    Classic examples are SU01 and PFCG. They can also be used in display mode and many ABAP list reports offer navigation into them, but they propose excessive activities simply so that analysis works.
    What I mean to say is that if SAP proposes something silly (such as activity fields for transactions which are multi-activity capable) then you should report it to SAP and ask them to remove it.
    Probably they won't, but irritate them nonetheless because they know that you are correct...
    Cheers,
    Julius
    ps: In your specific example this is coming from SE93 for SM59 (table TSTCA). You need to at least be able to display in SM59 otherwise starting the transaction does not make sense. But proposing actvt '03' makes no sense as it is not re-usable nor can the decision be made in the role anymore. On the other side of the coin, proposing '03' makes a '*' less likely. SU24 is an art-form.... 

  • I'm trying to create my icloud account with my apple id but in the first step it tells me to check my e.mail and there is no message in my inbox. What is happening ?

    I'm trying to create an iCloud account but I can't go on from the first step. The system asks me to check my e-mail and when I go to my inbox there is nothing. And it keeps saying that I didn't verify my e-mail. What is happening, please?

    No-one seems to know, or have any idea how to solve the problem!

  • Link is not working for one role. how to check please guide.

    Hi Expert,
    I have a simple question, but as I am not aware of some of the technical areas I am not able to understand where to check.
    I have a link under document flow in an offer (opportunity) where, for one role, sales support user, the link is not working. I have checked for another role and it's working fine. I understand that for this role the link will not work as per the role maintained.
    But where is this link maintained, and how will I be able to check which link is tagged to which profile?
    Role-wise mapping with link.
    Please guide.
    Prem.

    Hello Prem,
    Please check the navigation bar profile from your business role.
    Then go to the navigation bar profile settings, you can find the details settings there.
    If it is a link under some work center, you need to start from the work center.
    If it is a direct link, then start from the direct link group.
    Hope this could be helpful.
    Best regards,
    Maggie

  • Error when a TS step has a condition to check for custom variable. Variable is set on the collection.

    SCCM Version = SCCM 2012 R2 CU3
    Background
    I would like to set up some sort of safety check to help prevent accidentally sending an OSD out to all the servers managed by SCCM. The solution I am trying to use is making the TS do a check for a custom variable. If the variable is NOT set to TRUE then it should reboot the machine back to the currently installed OS.
    The variable is called "AllowOSD"
    AllowOSD is set correctly on my "Test Servers" collection
    I'm using the built in "Reboot Computer" step in the TS
    The condition on the Reboot Computer step is very basic - "Task Sequence Variable AllowOSD is not equal TRUE".
    I am testing the TS on a VM guest (Hyper-V)
    I'm deploying via PXE for these tests...
    The Issue
    As soon as the TS starts I get the annoyingly generic 0x80004005 error - smsts.log posted on github -
    smsts.log-A
    Possibly related issue:
    I have a vbscript that prompts for, and sets, the computer name. This works fine if placed after the format disk step, but if I place it before the format disk step then I get error 0x800700A1. If I format the internal HD first then I don't get an error and it all works fine.
    smsts.log posted on github - smsts.log-B
    Be aware VM_1 and VM_2 have unformatted disks (vhdx). I don't want them to be formatted before checking that the task sequence should really be running in the first place. As already mentioned, I am trying to prevent someone wiping out a bunch of servers by accident.
    My Task Sequences are based on the defaults created by the wizard. Here are the steps I'm using...
    * Reboot if AllowOSD is not TRUE
    Restart in Windows PE
    * set Computer Name
    Partition Disk 0 - BIOS
    Partition Disk 0 - UEFI
    Install Operating System
    Apply Windows Settings
    Apply Network Settings
    Setup Windows and Config Manager
    * = steps I have created.
    All other steps are defaults as created by wizard.
    Please note the "Restart in Windows PE" step does a conditional check on "_SMSTSInWinPE" without any errors. It is looking like the use of custom variables is not supported until the local HD is formatted and mounted. Can anyone confirm this behaviour, or tell me what I can do to get around this problem?
    I have tried using a vbscript but triggering a reboot from VB does nothing, hence using the Reboot Computer step in the TS.
    Thanks
    "Well I'm all out of ideas." - 85

    As others have stated, your options are limited the moment you rely on PXE and WinPE but I think all you need to do is refine your collection target a bit.
    Why not, instead of deploying your TS to All Systems (which is what I'm guessing you're doing) and trying to put a condition in, deploy to a collection that is based on a workstation collection and then include unknown computers? Then any "known workstation" will have a MAC stored and thus be permitted to use the TS, unknown machines will be as well ... but "known servers" will be blocked?
    Considering that PXE looks for permitted MAC addresses this should work (I'll try it in my own lab).
    Tested and verified:
    Simply create a collection with a parent collection of all systems.
    Add a workstation query:
    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System where SMS_R_System.OperatingSystemNameandVersion LIKE "%Workstation%"
    Then "include" unknown computers.
    End result is any machine that has "server" in its version that has already been deployed will not be able to use the deployment. If you'd rather base existing computers on an OU or group membership just modify the first query how you see fit.
    This will let known workstations (or whatever) and unknown machines get deployed to ... but known machines NOT in that collection will be skipped.

  • How to do Role and Authorization check in report program

    Hi Friends,
    Please provide me your guidance on how to add or give coding to check role authorisation of a particular field, input from selection screen.
    My requirement is,
    If the Fund center field in my select-option parameter has been filled, then I have to check the role authorization (which was created already) in the At selection-screen event to check and give access to the user to run the process further.
    Say my Fund center is 'SH'
    and my Role authorisation to be set for all users is 'ZMM_BXI'.
    How to implement in report program, Please advise.
    Thanks & Regards
    Babu.

    Sorry SDN,
    Posted in a wrong Forum page.
    Please excuse.

  • How to maintain a role who can check all SC belong one company.

    Hi experts,
    We use the SRM 7.0 standalone scenario.
    There are many plants and each plant has supervisors who need to check all SC belonging to their own plant.
    My solution is to assign an authorization that can use 'SC monitor' in a PFCG role, and restrict 'Organization level' = plant in PFCG.
    Now they can check every plant's SC.
    How to fix it?
    Thanks in advance.
    claud

    Hi,
    What do you mean by "need to check all SC belong to themselves plant"?
    Thanks and Regards,
    Abraham

  • Role of Availability check during order settlement

    Dear Gurus,
    I would like to ask your help to better understand what is going on.
    I have set up an availability check only over material, but when an order is already open due to costing settlement I do not know why the job scheduled go in abend and does not continue just posting a new line into the log as this prg do SDV03V02.
    Could somebody help me?
    Thanks
    Gianluca

    hi PSK,
    my apologies for the understanding, but what is an MTO?
    By the way in an easier way.
    When the availability check runs if a user is performing action over it the job (PPIO_ENTRY) goes in abend instead of write a line into a log and proceed.

  • SU25 after an upgrade - should you complete step 3?

    Excerpt I found that helped somewhat
    You must perform the following steps after an upgrade, if you were already using the profile generator before the upgrade.
    • Choose steps 2A to 2C if you made a large number of modifications in transaction SU24 in the last release. Step 1 (Initial Filling of Customer Tables) should only be executed in transaction SU25 if you made no changes in transaction SU24 in the previous release. The system overwrites tables USOBT_C and USOBX_C (Customer – or our custom objects) when it executes step 1, and the values that you maintained in the last release are lost. In steps 2A and 2B, a synchronization procedure is performed.
    My question is about transporting in Step 3, exactly what does it transport, I believe these two are a given
    USOBT_C
    USOBX_C
    but our BASIS person thinks these may go as well
    PRGN_STAT
    TCODE_MOD
    Do we want to create a transport in DEV and move to QA/PROD, or just run the steps 2A to 2C manually in QA/PROD?
    What is best practice? thanks

    In an initial task (before any of the 2 or 3 steps in SU25) you should verify that the system's SU24 data is in sync (Do not run step 1!). Release all transports relating to it through and if need be synchronize them manually after consolidating what is correct. Also check in tcode AUTH_SWITCH_OBJECTS whether anything is globally OFF or inconsistent in the landscape. Believe me... these steps are worthwhile to do!
    After step 2 (be careful in 2B if you have made many changes! Do not mass accept the "SAP file" otherwise your job in 2C will be hell...) you should run step 3 to transport the new entries through the landscape.
    This will also transport PRGN_STAT to let the other systems know that PFCG was upgraded and TCODE_MOD so that if you do happen to have other roles being maintained in QAS or even TEST then they can be upgraded there as well  - because they will only exist there usually.
    Do NOT run SU25 steps in QAS or PROD. You do not need to and this will very easily toast your roles, check indicators or turn everything red all over again...
    Cheers,
    Julius
    Edited by: Julius Bussche on Sep 28, 2010 10:52 PM
    (Do not run step 1!) added, just in case some basis admins find this thread

  • Checking user roles in FI Module

    Hi,
    Please let me know the points to be considered while checking the security and authorization in FI modules based on a user role.
    Thanks,
    Sridevi

    Hi,
    While defining the security roles, as a first step Composite roles, Single Roles are created. Transaction codes are attached to Single roles. A group of Single roles are attached to a Composite roles.
    Based on business requirements / organization structure in the company, in the sense of VP Finance / Controller / Sr. Manager / Manager etc., the composite roles and single roles are assigned to the positions. For example, Vice President Finance will have full authorization to all composite roles.
    Some of the users require only display authorization, in which case a role is created only incorporating transaction codes which display documents.
    Thanks
    Murali.
