The advantages of optimizing SU24

Optimizing SU24 helps you to increase the robustness of your SAP roles, reduce the risks caused by manual or changed authorizations in your roles and identify the challenges involved in a role redesign project.

Learn more about our SU24 optimization service

SU24 – authorization default data

The SU24 transaction allows you to control the default values for authorization objects, making it possible to maintain proposed values for authorization objects of standard and “custom” transactions easily. SU24 proposals are automatically inserted into the authorization profile when an associated transaction code is added to the role menu. This interaction means that SU24 serves as a basis for robust and efficient role creation, and is, therefore, one of the most important SAP-Security transactions. The use and maintenance of SU24 are recommended as SAP best practices to ensure the sustainable and clean administration of authorizations.

Example – FD15

Below is an example of how SU24 Optimization works with the Xiting Authorizations Management Suite (XAMS) using transaction FD15 – Transfer customer changes: send.

SAP delivers FD15 with the following proposals:

With the proposed SU24 authorization objects, a user can start transaction FD15 because of authorization object S_TCODE. However, additional authorization objects are required to actually use FD15. Without those additional authorizations, a user would get the following error upon starting FD15:

With the help of the Xiting Role Profiler, you can analyze each transaction and automatically detect authorization objects and values that are hard-coded in the report or program and are therefore required to start the transaction successfully. The Role Profiler can not only analyze these objects and values, but it can also automatically update SU24 proposals and values with a simple double-click on the Update button.

Xiting Role Profiler

On top of the “find and update” functionality, Xiting also delivers a list of SU24 proposals that are not hard-coded in the system, but that are required to run a transaction and that have been verified by our customers.

After updating the SU24 directly from the Role Profiler, you can see the new authorization object S_PROGRAM with the hard-coded value F_001 in field P_GROUP as follows:

When you now create a role and add transaction FD15, the system will automatically propose S_PROGRAM, and you only have to choose the right value for P_ACTION, as follows:

Once maintained, the transaction FD15 can be started successfully:

If SU24 is not properly maintained, an authorization administrator has to analyze the authorization trace to figure out which authorization object is required or missing.
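The comparison an administrator otherwise does by hand, traced checks against SU24 proposals for FD15, as an added example (not Xiting's or SAP's code). The CSV layouts, the P_ACTION value SUBMIT and the function names are assumptions constructed for illustration.

```python
import csv
import io

# Constructed SU24 export: one row per proposed object/field/value.
# The column layout is an assumption; an empty value means the field is
# proposed but left open for the role administrator to fill in.
SU24_BEFORE = """tcode,object,field,value
FD15,S_TCODE,TCD,FD15
"""
SU24_AFTER = SU24_BEFORE + """FD15,S_PROGRAM,P_GROUP,F_001
FD15,S_PROGRAM,P_ACTION,
"""

# Constructed trace export: authorization checks recorded while FD15 ran.
TRACE = """tcode,object,field,value
FD15,S_TCODE,TCD,FD15
FD15,S_PROGRAM,P_GROUP,F_001
FD15,S_PROGRAM,P_ACTION,SUBMIT
"""


def rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def compare(su24_text, trace_text):
    """Classify each traced check against the SU24 proposals."""
    proposed = {}  # (tcode, object) -> {field: set of proposed values}
    for r in rows(su24_text):
        fields = proposed.setdefault((r["tcode"], r["object"]), {})
        fields.setdefault(r["field"], set()).add(r["value"])
    findings = []
    for r in rows(trace_text):
        fields = proposed.get((r["tcode"], r["object"]))
        if fields is None:
            status = "object not proposed"      # only the trace reveals it
        else:
            values = fields.get(r["field"], set())
            if r["value"] in values or "*" in values:
                status = "covered"
            elif values <= {""}:
                status = "maintain in role"      # proposed, value left open
            else:
                status = "value differs"
        findings.append((r["object"], r["field"], r["value"], status))
    return findings


if __name__ == "__main__":
    for label, su24 in (("before", SU24_BEFORE), ("after", SU24_AFTER)):
        print(label, compare(su24, TRACE))
```

With the delivered proposals, both S_PROGRAM checks surface only through the trace. Once the proposal is added, the only remaining work is choosing the P_ACTION value in the role.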

Conclusion

Manually tracing failed authorizations is time-consuming for both the authorization administrator and the business user or tester. Xiting therefore strongly recommends optimizing SU24 to smoothly build and maintain SAP authorizations. Our SU24 optimization service is a recommended prerequisite for each authorization redesign project to save manual effort during a project.

Johannes Kastner

Johannes is an SAP Security Consultant at Xiting GmbH in Germany with a strong focus on SAP Access Control (GRC) and Xiting Authorizations Management Suite (XAMS).
