SU25 – Copy Check Indicator Values
The SU25 transaction is needed during the initial installation of SAP and during each subsequent upgrade. Its main utility is to copy the SAP provided check indicator defaults from the USOBT and USOBX tables to the corresponding customer tables, USOBT_C and USOBX_C. These two sets of tables are needed so that the customer changes are not over-written by SAP delivered values during a future upgrade. The initial screen of the tcode is shown below.
As can be noted, the SU25 transaction is organized as a sequence of actions which need to be executed in order during installation/upgrade depending on requirement. For example, the first step (1) is to initially fill the customer tables (USOBT_C and USOBX_C) is ONLY executed during initial installation of SAP. Executing this step during a future upgrade will over-write all customer changes to check indicators.
The next set of steps compare the customer values with SAP delivered values. We have the option of accepting one or more of SAP proposed values while keeping the customer values for the rest of the objects. Since any change to check indicators for a transaction will impact all roles with it, a change during SU25 should be thorough analyzed and backed up by rigorous testing of the affected transaction.
The SU25 initial screen also has options to transport the new values for the customer tables, modify and generate roles which are affected by changes made for check indicators or even branch to SU24. Its also a good practice to document all changes performed during SU25 to help in future decision making around security.
Hi Aninda,
In a new implementation SCM system – i see that the SU25 steps don’t have any execution dates in Step 2a, 2b 2c & 2d. However, the customer tables USOBX_C & USOBT_T are already having values. I thought these tables should be empty and will be filled up only after i execute those steps. The number of entries in USOBT is 35,333 whereas the number of entries in USOBT_C has only 34,912.
1. Why do we have values in USOB*_C tables when SU25 steps have not been run yet?
2. Should i run these steps for new implementation ?
Thanks.
N.
Hi Naveen,
For a new installation, you should only need to execute step 1 – “Initially fill the customer tables”. This is the step which pulls data into USOB*_C tables. Are you sure no one has this yet? The fact that there is already data in the USOB*_C tables seems to indicate so. The difference in number can also be explained if some support packs were installed after running Step1. I think you can Step 1 again if you want to do a sync with the current SAP delivered data. You don’t need to run the rest of the steps.
Remember that in future upgrades, you don’t run Step 1 but start with Step 2 onwards.
Regards,
Aninda
Hi Anindya,
Thank you for your email :
Since i cannot show you the SU25 screen shot here i am writing down the screen prints.
Installing the Profile Generator 00:00:00
1. Initially Fill the Customer Tables 05/10/2010 17:43:48 DDIC
————————
Postprocess the Settings After Upgrading to a Higher Release
2A. Preparation: Compare with SAP values 10/17/2005 17:32:31 DDIC
2B. Compare Affected Transactions ____00.00.00 _____
2C. Roles to Be Checked _________00.00.00 ________
2D. Display Changed Transaction Codes ___ 00.00.00 ________
Transport Conn.
3. Transport the Customer Tables_____00.00.00 ________
Since the dates are showing as old 2010 & 2005 – IS it possible they are having old Tcodes and authorizations and thus it becomes imperative to run SU25 ?
Hi Naveen,
In a fresh installation, the only thing to ensure is to check that the client tables are filled up. Rest of steps are not needed. I would think just running step 1 would would work for you. However, if you want to go ahead and run the rest of them its fine too. Just make sure that you do this in a pre-production environment, generate the affected roles and transport the new SU24 entries once you are done.
Regards,
Aninda
Dear Aninda,
Could u please provide detailed steps of sap security upgrade 4.7c to ecc 6.0 along with the post processing activities ?
Unfortunately I cann’t provide you detailed steps to look up. Some things to keep in mind for an upgrade are
– New auth objects introduced in the SAP version
– Perform the steps in SU25
– Test security thoroughly that everything works as per design
hi aninda,
thanks for the information.
the first step is very clear. can you please elaborate the discussion for the remaining steps in detail.
thanks,
dhanunjay
aninda your post were too good.
I had doubt that i had changed authorization obj value in tcode SU24. after that i need to execute SU25 in that step 2A & 2B to make necessary changes in Usobt_c,usobx_c is it so.
Wonderful Web site. Simply Amazing.
Hi Gurus,
I we have fresh installation on HR system, I am trying to execute su25 1 step, but it is in display mode, and not allowing me to change, how to go to change mode and run the su25 first step(initally fill the customer tables)
I have also tryied running from ddic client 000
thanks
Surya