SU24 and SU25: Default values and profile generator for SAP authorizations

How to use transactions SU24 and SU25 to reduce the administrative effort involved in assigning authorizations and to increase the security of roles at the same time

deduction_IBsolution

Reducing the effort when upgrading SAP systems

Group of People IBsolution

Checking roles for manual and changed authorizations

IBsolution_security

Increasing security through where-used lists

 

Frequently asked questions

Why it is worth using transactions SU24 and SU25

SAP authorizations are often developed without the adjusted default values of transaction SU24. As a result, the profile generator (SU25) cannot develop its full potential. The profile generator offers administrators a number of advantages for efficient and secure role creation.

The biggest advantage of the authorization default values with regard to SAP S4/HANA is the reduced effort required for reworking the authorizations of the roles.

If SU24 is used consistently and adapted in such a way that no authorizations are changed or added manually, the necessary rework is kept to a minimum. It can be carried out almost exclusively in the profile generator (SU25) via the modification adjustment of the authorization default values. The roles are automatically merged with adjusted SU24 values without having to revise each role individually. As feature updates in SAP S4/HANA cannot be postponed forever, upgrades are more frequent than in the SAP R/3 ECC system.

Due to the reduced effort involved in reworking the roles in the case of a maintained SU24, the benefits of the authorization default values quickly exceed the increased effort involved in the initial creation of the default values.

The SAP authorization default values (SU 24) and the profile generator (SU 25) provide valuable tools for role creation and are considered important components for the SAP authorization management.

 

We take care of your SU24 default values

Whether it is a redesign or the adaptation of an existing concept – SU24 can always be filled and adapted. When redesigning, the proposals are updated during role building. When adapting an existing concept, manual and modified objects are transferred to SU24 and expanded. Customization is also possible independently of an upgrade. Finally, you also benefit from optimized authorization management in day-to-day operations.

Together, we check your roles for manual and modified authorizations and develop a solution to use and adapt SU24 efficiently. After just a short time, you will be able to benefit from the numerous advantages of the profile generator.

We not only support you with the initial implementation of SU24, but also provide you with the necessary know-how. You will then be able to maintain and manage the authorization default values and the profile generator on your own. Or you can entrust us with future adjustments: We call this Customer Success.

We take care of the following topics for you:

  • Adaptation of SU24 during redesign and role building

  • Deconstruction of existing roles into the standard

  • Efficient use of the profile generator and authorization default values during the upgrade

  • Transfer of roles to SAP S/4HANA

Your contact person

Marius_Carl_neu_400x400px

Marius Carl

marius.carl@ibsolution.com

+49 7131 2711-3000

 

Maintaining the authorization default values for the profile generator simplifies role maintenance, makes it transparent and helps to keep roles clean. At the same time, you ensure that the authorization concepts can be audited at any time.

Authorization default values of SU24 support role building

If a transaction is added to a role, the automatically stored SAP authorizations are often not sufficient for the individual processes of companies. Administrators then quickly change the SAP proposal and add authorization objects manually. If the transaction is also used in another role, this procedure must be repeated.

SU24 provides a central location for adapting authorizations and storing variants for transactions. In PFCG, individual fields only need to be defined to prevent the changed objects from being overwritten with the default values during an upgrade. In addition, the definition of authorizations is generally accelerated.

Authorization default values should always be stored, especially for custom developments. These are based on the authority checks built into the program code. This means that the Z transactions in the PFCG roles are always provided with the necessary authorizations and do not have to be laboriously added manually.

 

Where-used lists increase the security of roles

If no authorization default values are used, no reference to a transaction is possible for manually added objects – a security risk, especially for old and extensive roles. After removing transactions, manual objects are not taken into account by the profile generator and remain in the role. This can result in critical combinations and over-authorizations.

Thanks to the where-used lists, unpleasant questions from auditors and accountants about manually inserted objects can be avoided, as a reference to transactions can always be established.

More information on authorizations in SAP systems

SAP S/4HANA and authorizations | IBsolution
Blog

What changes in authorizations with SAP S/4HANA

SAP S/4HANA brings with it various new processes and technologies that did not previously exist in this way in SAP ERP. In addition, there are also differences in the authorization concepts between SAP S/4HANA and previous ERP versions from SAP that must be taken into account to ensure smooth user access.

Read more
SAP Authorization Management | IBsolution
Control user access options

SAP Authorization Management

The authorizations in SAP systems form the basis for Identity & Access Management. They give users access to the applications they need to carry out their activities. As technical and organizational requirements are subject to change, SAP authorizations must be regularly checked and updated.
Learn more
Redesign of SAP authorizations | IBsolution
Modern and efficient authorization concepts

Redesign of SAP authorizations

We examine your existing authorization concept and analyse possible fields of action. Depending on the results and the status of your authorization structure, we develop an individual roadmap to transform your roles into a modern and sustainable authorization concept.
Learn more
SECMENDO.audit | IBsolution
Adjustments to authorizations

SECMENDO.audit

The architecture and database structure of SAP S/4HANA also have an impact on the authorization system. Working with Fiori apps requires changes to roles and the associated authorization objects. As a first step, an authorization check provides information on where exactly your company needs to start.

Learn more
Avoiding conflicts in authorizations | IBsolution
Blog

How to avoid conflicts and risks in authorizations

SAP Access Control and SAP Cloud Identity Access Governance (IAG) address the management of users and authorizations in compliance with rules and with as little risk as possible. While SAP Access Control is an on-premise solution, SAP IAG is available as a cloud service on SAP Business Technology Platform.
Read more

Would you like to find out more about transactions SU24 (authorization default values) and SU25 (profile generator) and optimize your authorization assignment?

For more information, simply complete the form and submit it. We look forward to receiving your inquiry.

A selection of our customers