
Last change 02/02/2016.
Note for the readers: I am updating the list of SU24 related OSS notes at the end of this blog. If you know about notes relevant to the subject, please let me know/ comment on the article.
I have opened several OSS notes with SAP Support about missing SU24 proposals recently. I would like to share my experience. It is overall positive, so this blog should serve multiple purposes:
Side-note: the purpose of SU24 and SU22 data:
I am building menu-based roles in PFCG. I create a role, first create a menu structure, and populate this menu with the transactions (and other possible menu objects) I want to authorize the user for. Then, when you go to the authorization tab and click on “Expert Mode for Profile Generation”, the proposals are pulled from SU24.
Example: I put PFCG into the role menu…
…and authorizations tab of the role gets populated for me:
That works because there are authorization proposals for transaction PFCG maintained in SU24 (where they were loaded/copied from SU22 data delivered by SAP). Go to transaction SU24 and enter transaction PFCG. You will get a picture similar to the following.
Side-note: when you install a new system, transaction SU24 is empty (the table USOBT_C behind the transaction is empty). You first need to copy the SU22 data delivered by SAP to the customer data, which is then maintained in SU24. You do this in transaction SU25. Do it only once! Do it after the system installation. Do not do it again! Otherwise you delete everything you've ever maintained in SU24 customer data and replace it with SAP standard proposals. If you want to disable step 1 completely so you AND NOBODY else can start that step (via the button which is too obvious, you can still do it via the menu, but then there is an extra warning), you can apply OSS note 1691993.
You must also be careful with the upload function in SU24. If you pick the wrong upload option… BOOM! But that is another story (by default there is a button called “Replace Instead of Insert/ Modify” checked. If your selection in the upload is the *, then it drops all the content for every object that fits into the selection. BOOM! For star it drops everything).
So now we should all be on the same code-page, right? (Security ninjas and old wolves forgive, we need to be all on the same code-page here and pointing to the documentations does not always work).
So you can now answer some easy questions for me, right?
That's for the motivation.
I said this should be a positive case that should motivate the Community members to report the missing proposals (Ideally with the values that should be maintained so the criticism is constructive. Being constructive is a very important point!). To make the whole thing easier for you and the SAP support I must warn you that not everything you see in the trace belongs to SU24.
I will make it short here just to give you the idea (sorry for the black & white simplification here, but it's faster and shorter this way). Some AUTHORITY CHECKs always happen. You cannot perform the activity you want without having that authorization (example: S_PROGRAM to start a program: you need to be authorized for the authorization group the program belongs to and authorized for the necessary activity, like SUBMIT). In that case it is this one exact authorization. It's something like “always true” or “always there”. Without it the program cannot be started.
Some authority checks differ in different situations. You want to create a business partner. The authorization is different from the one you need when you want to delete an existing business partner. Let's say the transaction you're using for it (I believe there are multiple options) is capable of doing both. Then you don't put all available options into SU24 (and then either leave the list, which is effectively the same as * = all access, OR change it in the role = then the authorization has status “Changed” = ugly!! Don't try this at home, kids). You need to authorize different roles for different activities in the transaction, so you defer the decision about the activity to the role. Maintaining SU24 for the activity makes sense for reporting programs, for example. The report is functionally capable of reading and displaying data (ACTVT = 03) and that cannot change; the report is not CAPABLE of doing anything else. Then you can put the value into SU24.
Conclusion: SAP must quality check the proposals before putting them in, even though the reporter's conscience is clear and the OSS message is opened with good intentions. The same applies to me. If you ever catch me reporting a missing proposal which is debatable and I cannot justify it, reject me!
Same applies for the reports: be disciplined, report always true (when you find it missing) or report debatable (typically too excessive proposals which are “checked” at runtime, but not needed by the tool to functionally work).
Example: you can often see checks that functionally don't change anything in the transaction. The user does not have to be authorized for the object and value combination to be able to use the tool. For example S_DOKU_AUT check in SU21. Same case for S_CTS_ADMI and other well-known folks.
I am often asked how to check what I am reporting in the system. Here come the clues:
When I report something as missing, it means that the combination does not exist in SU24 (SU22 in SAP system data). Go to SU24, provide the transaction name and check the proposals. Let me reuse the SU24 screenshot from above here to explain that the fact that you can see the object in the list does not mean everything is ok. You need to see “YES” value in the “Proposal” column and when you double-click the line, you should see proposals (those that will be pulled into PFCG). See screenshot below: proposed values for object PLOG in PFCG proposals.
Saying that complaining about SU24 data makes no sense, since SU24 data are customer data and SAP has nothing to do with it, is not an “answer” to my request. My SU24 data are based on SU22 data delivered by SAP, they are up to date (SU25 upgrade steps), and if I want to remove something, I am not reporting it to be missing afterwards.
Generally it is better to add to SU24 than to remove from it. That also reminds us again about the self-discipline of the reporters and the need for a quality check before SAP maintains the values in SU22 data.
Please also don't try funny tricks like: the customer could maybe even want to put the reports (for S_PROGRAM for example) in their own groups. Then we – SAP – cannot maintain the S_PROGRAM, otherwise the customer cannot do this anymore (or the customer is limited in doing it, or anything similar). THAT IS NOT TRUE!! I want you to maintain the standard value for a standard transaction which needs that value in SU24 to work in the default configuration. If the customer wants it differently, ok, fine. The customer must be ready for overhead in maintenance and must know what to change and where to make it work in the new configuration. But that DOES NOT MEAN YOU DON'T MAKE IT WORK IN THE STANDARD CONFIGURATION. Data from SU22 you COPY to SU24 (post installation and during upgrades). If a customer wants to try something special here, he will not accept the SAP proposal during the upgrade.
Generally this idea sounds like: because there could be a customer that wants it the A way, we cannot maintain it the B way for all the others (to make it work for them by default), so we don't close the door for A. This is not how it works. Thank you.
Last but not least: When you check the proposals in the system, please don't try to convince me that if the “Proposal” (!!!) column says “NO”, it means that the check is not performed. That is defined in the column on the left. As mentioned above: if the “Proposal” is set to “NO”, nothing is pulled into the role because no values are maintained here that could be pulled in.
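The check described above (an object being listed is not enough, “Proposal” must be “YES” with values, and “Proposal = NO” says nothing about whether the check runs) can be done offline against a trace. This is an added example, not code from the original blog or from SAP: the transaction ZDEMO, every row and value, and the column layout are constructed assumptions. Its output is a list of candidates to assess, since not every traced check belongs in SU24.

```python
# Added example. All rows are constructed; the column layout is an assumption
# modelled on the SU24 screen, not an SAP export format.
COVERED, NOT_LISTED, NO_PROPOSAL, NO_VALUES, VALUE_MISSING = (
    "covered", "object not in SU24", "proposal NO",
    "proposal YES, field empty", "value not proposed")

# (transaction, object, check performed?, "Proposal" column, proposed values)
SU24_ROWS = [
    ("ZDEMO", "S_PROGRAM", True, "YES",
     {"P_ACTION": ["SUBMIT"], "P_GROUP": ["ZGRP"]}),
    ("ZDEMO", "PLOG", True, "NO", {}),
    ("ZDEMO", "S_DOKU_AUT", True, "YES", {"DOKU_ACT": ["DISPLAY"]}),
]

# Authorization checks seen in a trace of ZDEMO: (object, field, value)
TRACE = [
    ("S_PROGRAM", "P_ACTION", "SUBMIT"),
    ("S_PROGRAM", "P_GROUP", "ZGRP"),
    ("PLOG", "PLVAR", "01"),
    ("S_DOKU_AUT", "DOKU_ACT", "MAINTAIN"),
    ("S_DOKU_AUT", "DOKU_MODE", "MAINTAIN"),
    ("S_CTS_ADMI", "CTS_ADMFCT", "TABL"),
]

def classify(tcode, su24_rows=SU24_ROWS, trace=TRACE):
    """Map each traced (object, field) to (status, check_performed)."""
    rows = {obj: (checked, prop, vals)
            for t, obj, checked, prop, vals in su24_rows if t == tcode}
    result = {}
    for obj, field, value in trace:
        if obj not in rows:
            result[(obj, field)] = (NOT_LISTED, True)  # traced, so it ran
            continue
        checked, prop, vals = rows[obj]
        proposed = vals.get(field, [])
        if prop != "YES":
            status = NO_PROPOSAL      # nothing is pulled into the role
        elif not proposed:
            status = NO_VALUES
        elif value in proposed or "*" in proposed:
            status = COVERED
        else:
            status = VALUE_MISSING
        result[(obj, field)] = (status, checked)
    return result

def candidates(tcode):
    """Checks that ran but would not be satisfied by the proposals."""
    return sorted(k for k, (s, chk) in classify(tcode).items()
                  if chk and s != COVERED)
```

For PLOG the status is “proposal NO” while the check-performed flag stays true, which is exactly the distinction between the two SU24 columns.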
Be nice although you feel the person on the other side does not understand you. Be nice regardless of a training difference. First level support must be able to juggle zillions of different topics (I believe) and SU24 could be like 0,00001% of their daily business. So they don't have to be on the same code page from the beginning. When you're nice, SAP support people are also very nice.
I've been pointed to two existing OSS notes about the topic: missing SU24 proposals. As an example I can mention them here: (my proposals are supposed to be integrated into these notes).
Note 1496056 - Revised authorization objects for transactions
Note 1730692 - Workflow Reporttransaktion Berechtigungsvorschlag S_PROGRAM
Note 1050458 - Missing authorization default values (added 26.6.2012)
Note 1733734 - Berechtigungsvorschlagswerte für Auswertungen (component: EHS/ Abfallmanagement) (added 24.7.2012)
Note 1050458 - Missing authorization default values (added 13.08.2012)
Important to read: the FAQ OSS notes about SU24 related problems/ questions: (added 28.6.2012, credits: Dieter Goedel)
Note 1539556 - FAQ | Administration of authorization default values
Note 727536 - FAQ | Using customer-specific organizational levels in PFCG
Note 1434284 - FAQ | Authorization concept for generic table access
Also check notes: (about S_PROGRAM) (added 28.6.2012)
Note 338177 - Authorization check when executing programs
Note 7642 - Authorization protection of ABAP/4 programs
Authorizations upgrade/ SU25 (added 4.11.2013)
440231 - FAQ|SU25 - Upgrade postprocessing for profile generator
In case you use SE97 (TCDCOUPLES), please also check notes:
1870622 - SE97|Optimizing maintenance environment
1901606 - SE97|Navigation error in dialog
1680501 - SMT1 SMT2 : No authorization for object S_ADMI_FCD (added 01.04.2014, Gretchen Lindquist)
Open the OSS note in the component the transaction you're reporting belongs to. Every component (or organizational block similar to the component) has its own team. SU24 proposals are not maintained centrally.
Be nice. They are also nice.
IMPORTANT!! Things take time. Even if you get a correction note, you've not won yet. Well, you could get proposals (and proposals reported by others too) immediately into your system. But consider you will be upgrading the system sooner or later. If you upload a text file (SU24 upload feature imports text files with special format) into your SU24, it is a change in customer data. With the next upgrade you will get the same data into your SU22 and you will have to click through it again (I assume you perform SU25 and authorization/ roles upgrades carefully and think about what you're clicking away).