COCEPT OF SU24 Transaction SU24 maintains the USOBT_C and USOBX_C tables.

These tables hold the relationships between the particular transaction and its authorization objects. It is possible to add or subtract the chec s per!ormed in the transaction b" chan#in# the appropriate !la#. The bene!it o! transaction SU$% occurs when transactions are added to or deleted !rom &ole 'roups usin# the (ro!ile 'enerator. )hen new transactions are added* the (ro!ile 'enerator will add all authorization +alues maintained in SU$% !or the transaction,s-. )hen deletin# transaction the (ro!ile 'enerator will remo+e all authorization +alues that are maintained in SU$% !or the transaction. .cti+ities per!ormed/ Chec 01aintain .uthorization 2alues .ddition o! .uthorization Object to tcode 3eletion o! .uthorization Object !rom tcode

Check Ind. Proposal Chec 4S

Meaning Chec 01aintained

Explanation The object will be inserted alon# with the +alues in the role. The object will be chec ed alon# with the +alues durin# runtime o! the transaction. This object will not be inserted into the roles. . chec on the object alon# with the +alues will be done durin# the runtime o! the transaction The object will not be inserted into the roles and there will not be an" chec per!ormed durin# runtime o! the transaction

Chec

5O

Chec

3o not Chec

5O

3o 5ot Chec

Status Texts or authori!ations Standard" .ll !ield +alues in the subordinate le+els o! the hierarch" are unchan#ed !rom the S.( de!aults

Maintained" .t least one !ield in the subordinate le+els o! the hierarch" was empt" b" de!ault and has since been !illed with a +alue Changed" The proposed +alue !or at least one !ield in the subordinate le+els o! the hierarch" has been chan#ed !rom the S.( de!ault +alue. Manual" 4ou maintained at least one authorization in the subordinate hierarch" le+els manuall" ,it was not proposed b" the (ro!ile 'enerator-. E ect o SU24 changes in #ole $roups .uthorization objects are maintained in SU$% !or a particular transaction code. )hen a transaction code is added to role* onl" the authorization objects ha+in# check as chec indicator +alue and %es as proposal +alue* maintained !or that tcode will be added into the role #roup. &' (dding Tcodes to a role When a new Tcode is added to a role )hen a new tcode is added to a role* #oin# in either change authorization data or expert mode pro+ides the same result. .ll the authorizations maintained !or the tcode at SU$% le+el is added to the role. The pro#ram adds new standard authorizations !or objects in the roles I! the authorization de!ault +alues contain objects that were pre+iousl" not e6istin# Or onl" had authorizations in the status Changed or Manual . new standard authorization is not included i! the authorization !ields contain identical authorizations in the status Standard in both authorizations* and the !ields maintained in the old authorizations are empt" in the new standard authorization. I! there were alread" authorizations in the status Maintained ,acti+e or inacti+e- or Inactive Standard be!ore the mer#e* the pro#ram compares the +alues and the maintenance status o! all authorization !ields to determine whether new standard authorizations must be e6tended. Changing SU24 values for a tcode I! the authorization data is chan#ed !or an" tcode in SU$% and tcode is alread" present in the role* then #oin# in the e6pert mode with option 7read old data and compare with new data8 will onl" re!lect the additional chan#es. Change authorization data will not pull the new data !or the tcode maintained at SU$% le+el 2' #e)o*ing Tcodes ro) the role

)hen "ou remo+e transactions !rom the role menu* this has the !ollowin# e!!ect on the authorizations. . standard authorization !or which the associated transaction was remo+ed !rom the role menu is remo+ed durin# the mer#e* unless at least one other transaction that remains in the menu uses the same authorization de!ault +alue. This applies both !or acti+e and inacti+e standard authorizations. .uthorizations in the statuses Changed and Manual are not a!!ected b" the mer#e. The" are there!ore alwa"s retained. The table USOBX_C de!ines which authorization chec s are to be per!ormed within a transaction and which not ,despite authority-check command pro#rammed -. This table also determines which authorization chec s are maintained in the (ro!ile 'enerator. The table USOBT_C de!ines !or each transaction and !or each authorization object which de!ault +alues an authorization created !rom the authorization object should ha+e in the (ro!ile 'enerator. +,E- TO USE SU24 To correct authorization objects that are not lin ed to transaction codes correctl" To correct authorization objects that ha+e unacceptable de!ault +alues. To chan#e de!ault +alues to ones that will alwa"s be appropriate !or all roles that will e+er use the transaction. This means ha+in# blan !ields where "ou need to allow di!!erent roles to ha+e di!!erent +alues. SU22 ./S SU24 SU$$ displa"s and updates the +alues in tables USOBT and USOBX* while SU$% does the same in tables USOBT_C and USOBX_C. The _C stands !or Customer. The pro!ile #enerator #ets its data !rom the _C tables. In the USOBT and USOBX tables the +alues are the S.( standard +alues as shown in SU$%. )ith SU$9 one can ,initiall"- trans!er the USOBT +alues to the USOBT_C table. Usuall" the sap standard tables USOBX and USOBT are not allowed modi!ications so that we cop" the customized tables !rom these tables so in order to cop" the tables we need to #o the transaction su$9. su$$ displa"s and update the +alues in standard tables USOBT* USOBX. su$% displa"s and update the +alues in customizin# tables USOBT_C*

USOBX_C. +h% SU20 is re1uired2 .!ter up#radin# S.( with the new release* "ou need to ma e adjustment to the all the roles and transaction codes.SU20 is the transaction code !or up#radin# pro!ile #enerator. This has : di!!erent steps and the e6ecution o! these steps depends on whether "ou were alread" usin# pro!ile #enerator in the last release.

This transaction has : steps. This transaction is used to !ill the customer tables o! the (ro!ile 'enerator the !irst time the (ro!ile 'enerator is used* or update the customer tables a!ter an up#rade. The customers tables o! the (ro!ile 'enerator are used to add a cop" o! the S.( de!ault +alues !or the chec indicators and !ield+alues. These chec indicators and !ield +alues are maintained in transaction SU$%. I! "ou ha+e made chan#es to chec indicators* "ou can compare these with the S.( de!ault +alues and adjust "our chec indicators as needed. Step&" I! "ou ha+e not "et used the (ro!ile 'enerator or "ou want to add all S.( de!ault +alues a#ain* use the initial !ill procedure !or the customer tables. I! "ou ha+e used the (ro!ile 'enerator in an earlier &elease and want to compare the data with the new S.( de!aults a!ter an up#rade* use steps $a to $d. ;6ecute the steps in the order speci!ied here. 3Step 2a/ is used to prepare the comparison and must be e6ecuted !irst. 3Step 24 3 I! "ou ha+e made chan#es to chec indicators or !ield +alues in transaction SU$%* "ou can compare these with the new S.( de!ault +alues. The +alues deli+ered b" S.( are displa"ed ne6t to the +alues "ou ha+e chosen so that "ou can adjust them i! necessar". I! "ou double<clic on the line* "ou can assi#n chec indicators and !ield +alues. 4ou maintain these as described in the documentation !or transaction SU$%. 5ote on the list o! transactions to be chec ed To the ri#ht o! the list "ou can see the status which showswhether or not a transaction has alread" been chec ed. .t !irst the status is set to to be chec ed.I! "ou choose the transaction in the chan#e mode and then choose sa+e* the status is automaticall" set to chec ed.B" choosin# the rele+ant menu option in the list o! transactions "ou can manuall" set the status to chec ed without chan#in# chec indicators or !ield +alues* or e+en reset this status to to be chec ed.I! "ou want to use the S.( de!ault +alues !or all the transactions that "ou ha+e

not "et chec ed manuall"* "ou can choose the menu option to cop" the remainin# S.( de!ault +alues. 3Step 2c" 4ou can determine which roles are a!!ected b" chan#es to authorization data. The correspondin# authorization pro!iles need to be edited and re#enerated. The a!!ected roles are assi#ned the status 7pro!ile comparison re=uired8. .lternati+el" "ou can dispense with editin# the roles and manuall" assi#n the users the pro!ile S.(_5;) ,ma e sure the pro!ile S.(_5;) onl" contains the subpro!iles correspondin# to "our release up#rade. This pro!ile contains authorizations !or all new chec s in e6istin# transactions-. The roles are assi#ned the status 7pro!ile comparison re=uired8 and can be modi!ied at the ne6t re=uired chan#e ,!or e6ample* when the role menu is chan#ed-. This procedure is use!ul i! a lar#e number o! roles are used as it allows "ou to modi!" each role as "ou ha+e time. 3Step 2d" Transactions in the &0> S"stem are occasionall" replaced b" one or more other transactions. This step is used to create a list o! all roles that contain transactions replaced b" one or more other transactions. The list includes the old and new transaction codes. 4ou can replace the transactions in the roles as needed. 3ouble<clic the list to #o to the role. Step 5" This step transports the chan#es made in steps ?* $a* and $b. Tailorin# the .uthorization Chec sThis area is used to ma e chan#es to the authorization chec s. Chan#es to the chec indicators are made in step 4. 4ou can also #o to step 4 b" callin# transaction SU$%. <4ou can then chan#e an authorization chec within a transaction.<)hen a pro!ile to #rant the user authorization to e6ecute a transaction is #enerated* the authorizations are onl" added to the (ro!ile 'enerator when the chec indicator is set to Chec 01aintain.<I! the chec indicator is set to do not chec * the s"stem does not chec the authorization object o! the rele+ant transaction. <4ou can also edit authorization templates that can be added to the authorizations !or a role in the (ro!ile 'enerator. These are used to combine #eneral authorizations that man" users need. S.( deli+ers a number o! templates that "ou can add directl" to the role* or cop" and then create "our own templates* which "ou can also add to roles. In step 0 "ou can deacti+ate authorization objects s"stemwide. In step 6 "ou can create roles !rom authorization pro!iles that "ou #enerated

manuall". 4ou then need to tailor and chec these roles.