SU25 - Upgrade Tool for Profile Generator This transaction has 6 steps.

This transaction is used to fill the customer tables of the Profile Generator the first time the Profile Generator is used, or update the customer tables after an upgrade. Thecustomers tables of the Profile Generator are used to add a copy of the SAP default values for the checkindicators and field values. These check indicators and field values are maintained in transaction SU24. If you have made changes to check indicators, you can compare these with the SAP default values andadjust your check indicators as needed.Step1: If you have not yet used the Profile Generator or you want to add all SAP default values again, usethe initial fill procedure for the customer tables.If you have used the Profile Generator in an earlier Release and want to compare the data with the newSAP defaults after an upgrade, use steps 2a to 2d. Execute the steps in the order specified here.-Step 2a: is used to prepare the comparison and must be executed first.-Step 2b - If you have made changes to check indicators or field values in transaction SU24, you cancompare these with the new SAP default values. The values delivered by SAP are displayed next to thevalues you have chosen so that you can adjust them if necessary. If you double-click on the line, you canassign check indicators and field values. You maintain these as described in the documentation for transaction SU24.Note on the list of transactions to be checked To the right of the list you can see the status which showswhether or not a transaction has already been checked. At first the status is set to to be checked.If you choose the transaction in the change mode and then choose save, the status is automatically set tochecked.By choosing the relevant menu option in the list of transactions you can manually set the status tochecked without changing check indicators or field values, or even reset this status to to be checked.If you want to use the SAP default values for all the transactions that you have not yet checked manually,you can choose the

menu option to copy the remaining SAP default values.-Step 2c: You can determine which roles are affected by changes to authorization data. Thecorresponding authorization profiles need to be edited and regenerated. The affected roles are assignedthe status "profile comparison required". Alternatively you can dispense with editing the roles and manually assign the users the profile SAP_NEW(make sure the profile SAP_NEW only contains the subprofiles corresponding to your release upgrade.This profile contains authorizations for all new checks in existing transactions). The roles are assigned thestatus "profile comparison required" and can be modified at the next required change (for example, whenthe role menu is changed). This procedure is useful if a large number of roles are used as it allows you tomodify each role as you have time.-Step 2d: Transactions in the R/3 System are occasionally replaced by one or more other transactions.This step is used to create a list of all roles that contain transactions replaced by one or more other transactions. The list includes the old and new transaction codes. You can replace the transactions in the roles asneeded. Double-click the list to go to the role.Step 3: This step transports the changes made in steps 1, 2a, and 2b.Tailoring the Authorization ChecksThis area is used to make changes to the authorization checks.Changes to the check indicators are made in step 4. You can also go to step 4 by calling transactionSU24.-You can then change an authorization check within a transaction.-When a profile to grant the user authorization to execute a transaction is generated, the authorizationsare only added to the Profile Generator when the check indicator is set to Check/Maintain.-If the check indicator is set to do not check, the system does not check the authorization object of therelevant transaction.-You can also edit authorization templates that can be added to the authorizations for a role in the ProfileGenerator. These are used to combine general authorizations that many users need. SAP delivers anumber of templates that you can add directly to the role, or copy and then create your own templates,which you can also add to roles.In step 5

you can deactivate authorization objects systemwide.In step 6 you can create roles from authorization profiles that you generated manually. You then need totailor and check these roles.=============================================== ==========================Hi George,For security upgrade u need to do following steps :-First run the SU25 2A, 2B ,2C, 2D steps successfully.2A and 2B steps just compares the old system tcodes and new system tcodes.Step 2C - shows the list of roles that are affected in upgrading.Step 2D - shows the new tcodes introduced in new systems.First complete the 2C step, click on one by one role it will get the screen of authorization objects , whereas u can see the new authorizations that are got addeded.There are three types of new authorization objects get introduced while upgrading :-Standard New - it is the standard authorization objects introduced for corresponding new tcodes.Manually new - It shows the authorization objects which were manually added in old system. Some of thevalues got updated for this also.Standard Updated - Updated means , in old system if you have kept the standard values as it is, SAP hasupdated these standard values( u can check this one in SU24 check indicators). After maintaining all new authorization objects , you can save it and generate the profile.The back toSU25 2C step shows it as green signal.SU25, 2C step also contains the new SAP roles introduced. After generating all profiles in SU25 2C step, you can jump to 2D step.SU25 2D step-If you execute these step, it will show the list of roles and old tcode and corresponding new tcode.If business wants to use new tcode , then u can replace old tcodes by new one by clicking onautomatically adjust menu. Otherwise go to manually adjust menu and generate the profile.The new tcodes are introduced in 2D step , this doesn't means the old tcodes are no longer exists in newsystem. We have to check manually for each and every tcode.Some tcode does not exists in newsystems. FOr e.g. RZ02 is replaced by RZ20 in ECC6. RZ02 no longer existss in ECC6.In any upgrade you should check the contents of the table PRGN_CORR2 that "drives" the SU25process. A> You will meet your task either way, for instance if you click the role with red light

in Step:2C...it willtake you to Maintain 'Authorization' tab- Change Mode within PFCG. So either way you can Edit andGenerate role, but I would suggest you to dowload to local file and work 1by1 in PFCG so that you cankeep track of work and make some notes.B>It depends on how your Basis defined Transport Route between clients, In our scenario role transportfrom PFCG will move roles from DEV-QAPRD..net..net..what I think is there is no need to run SU25again.C>If you follow above steps than I would suggest you to skip this step as PFCG role transport will takecare...However if you decide to Generate roles under Step:2C, its wise to perform step 3.