If you’ve ever worked with SAP roles and authorizations, you've likely heard about SU24 — but what exactly does it do, and why is it so important during PFCG role creation?
Let’s break it down.
📌 What is SU24 in SAP?
Transaction SU24 is used to maintain authorization check indicators for transactions. It defines which authorization objects are proposed automatically when roles are created or maintained using PFCG.
This streamlines role design and helps avoid unnecessary authorization prompts during runtime.
🔍 How SU24 Affects Role Generation in PFCG
When you create or update a role in PFCG, SAP looks at SU24 entries to decide:
-
Which authorization objects should be included by default
-
Whether a check is mandatory, optional, or not required
Here’s how it works:
-
Objects in USOBX_C (check indicators) determine if an object will be shown in the role.
-
Objects in USOBT_C (object proposals) are automatically added with default values.
So, if an object is set to “not checked” in USOBX_C, it won’t appear in your role — even if it exists in the transaction.
🗃️ Key SU24 Tables You Should Know
| Table Name | Purpose |
|---|---|
USOBT_C | Customer-specific table for proposed authorization objects |
USOBX_C | Customer-specific table indicating if checks are mandatory, optional, or not checked |
USOBT | SAP-delivered table of proposed objects |
USOBX | SAP-delivered check indicators table |
🔧 Customizing SU24: Why and When?
You can modify SU24 entries to better align with your business needs. For example:
-
Want to skip certain checks during role creation? Set them as “Not Checked” in USOBX_C.
-
Need to add a missing object to a transaction proposal? Add it in USOBT_C with default values.
Changes made via SU24 will only affect roles created or modified after the change. Existing roles will remain the same unless manually regenerated.
🧩 SU24 vs SU22 – What’s the Difference?
| SU24 | SU22 |
|---|---|
| Used by customers | Used by SAP developers |
| Updates USOBT_C & USOBX_C | Maintains USOBT & USOBX |
| Customizable | SAP standard, not editable in production |
✅ Summary
-
SU24 controls which authorization objects are proposed during PFCG role generation.
-
It reads from USOBT_C (proposals) and USOBX_C (check indicators).
-
Customizing SU24 lets you streamline and control role maintenance.
-
Use SU24 to improve authorization accuracy and reduce manual effort in role creation.
💬 Final Tip for SAP Consultants:
Always review SU24 entries before creating roles in PFCG — especially for custom transactions. Proper setup here ensures smoother role builds and fewer authorization errors at runtime.
.%20The%20image%20fe.webp)
%20Workflow%20in%20SAP%20GRC%20for%20simplifying%20access%20request%20manage.webp)
Posts
No comments:
Post a Comment