SAP SU24 Authorization Maintenance Guide - SAP SECURITY


Common Consultant Issues, Transport Process, and How to Handle New or Custom Transactions

In SAP security projects, SU24 maintenance is one of the most important yet misunderstood tasks. Many authorization problems originate from incorrectly maintained SU24 proposals. If SU24 is not properly configured, roles built in PFCG may contain unnecessary authorization objects or miss critical ones.

Security consultants often face repeated questions during audits and implementation projects related to SU24. Understanding how to maintain SU24 correctly and how to coordinate with functional teams can prevent many authorization issues.

This guide explains how SU24 works, common consultant challenges, how to maintain SU24 entries, transport management, and what to do when new or custom transactions are introduced.


What SU24 Is and Why It Matters

SU24 stores authorization default values for transactions. When a transaction is added to a role in PFCG, SAP automatically proposes authorization objects based on the SU24 configuration.

If SU24 is maintained correctly, role building becomes much easier. If it is not maintained properly, roles may include unnecessary objects which increase authorization risks.

For example:

A transaction may require only 5 authorization objects, but if SU24 is not maintained correctly, PFCG may propose 20 objects.

This leads to:

Unnecessary authorizations
Increased audit risks
Complex role maintenance

Therefore, SU24 maintenance is essential in a controlled SAP security environment.


How to Maintain SU24 Properly

To maintain SU24, follow a structured approach.

Step 1
Open transaction SU24 and enter the transaction code.

Step 2
Review the proposed authorization objects.

Step 3
Check the following fields:

Check indicator
Proposal status
Authorization object relevance

There are three important proposal indicators:

Check/Maintain
Check
Do Not Check

Check/Maintain means the object is checked at runtime and is proposed in PFCG, where its field values must be maintained.

Check means the object is still checked at runtime but is not proposed in PFCG for maintenance.

Do Not Check means the authority check for that object is skipped when the transaction is executed.

Security consultants should analyze which option is appropriate based on the business requirement.


Common Issues Faced by Consultants

One common issue is too many authorization objects appearing in PFCG.

This happens when SU24 proposals are not optimized.

Consultants often copy roles from older systems without reviewing SU24 configuration. As a result, unnecessary objects are included in the role.

Another common issue occurs during system upgrades or S/4HANA migrations. New authorization objects may appear, which require an SU24 review.

Sometimes SU24 entries are maintained directly in production, which is not recommended.

All SU24 changes should follow the proper transport process.


Transport Requests Used in SU24

SU24 changes are configuration changes and must be transported through the landscape.

The transport type used is typically a customizing transport request.

When a consultant maintains SU24 entries in the development system, the changes are captured in a transport request.

The transport then moves through the system landscape:

Development system
Quality system
Production system

It is important to document the reason for SU24 changes before releasing the transport.

Security leads or architects should review these transports because SU24 changes affect role design across the system.


Handling Custom Transactions

When custom transactions are created, SU24 entries are usually missing.

In such cases, the security consultant must analyze the underlying program.

Steps typically include:

Identify the program linked to the custom transaction.

Check authorization objects used in the program.

Review the SU53 output (the last failed authorization check) or an authorization trace.

Discuss with the functional consultant who owns the business process.

Functional teams understand what business actions the transaction performs, while security consultants determine which authorization objects should be proposed.

This collaboration is critical because incorrect SU24 configuration can cause authorization failures later.


Who Should Be Involved When Maintaining SU24

SU24 maintenance should never be done in isolation.

The following stakeholders should be involved:

Functional consultant
Security consultant
Technical developer
Security architect or lead

The functional consultant explains the business process.

The developer explains the technical authorization checks in the program.

The security consultant determines the appropriate proposal indicators.

This collaborative approach ensures accurate SU24 configuration.


What to Do When New Transactions Are Released

When SAP releases new transactions or when systems are upgraded, SU24 configuration must be reviewed.

A common approach is:

Run role comparison reports.

Identify new authorization objects appearing in roles.

Check whether SU24 entries exist for the new transactions.

If SU24 proposals are missing or incorrect, they must be updated in the development system.

Consultants should also verify that the new transaction does not introduce additional segregation of duties risks.


How to Identify Missing SU24 Entries

Consultants can identify SU24 issues in several ways.

The most common method is during role maintenance in PFCG.

If a transaction proposes too many authorization objects or none at all, it may indicate incorrect SU24 configuration.

Another method is reviewing authorization traces when users face access errors.

If an object is checked during execution but not proposed in SU24, it should be analyzed and possibly added to the SU24 proposal.

Periodic review of SU24 configuration helps maintain a clean role design.
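One way to carry out the trace-versus-proposal comparison described in this section (and in the custom-transaction steps above) offline, as an added example that is not part of the original post: it compares constructed trace lines for a hypothetical custom transaction ZFI_POST with constructed SU24 check indicators. The trace layout, the transaction name and the indicator values are assumptions, not an SAP export format.

```python
from collections import defaultdict

CHECK_MAINTAIN, CHECK, DO_NOT_CHECK = "Check/Maintain", "Check", "Do Not Check"

# Constructed trace in a simplified "TCODE;OBJECT;FIELD=VALUE,...;RC" layout
# (hypothetical export, not a real SAP trace format); RC 0 = passed, else failed.
TRACE = """\
ZFI_POST;S_TCODE;TCD=ZFI_POST;0
ZFI_POST;F_BKPF_BUK;ACTVT=01,BUKRS=1000;0
ZFI_POST;F_BKPF_KOA;ACTVT=01,KOART=D;4
ZFI_POST;S_DATASET;ACTVT=34,FILENAME=/tmp/out.txt;0
FB03;F_BKPF_BUK;ACTVT=03,BUKRS=1000;0
"""

# Constructed SU24 check indicators for custom transaction ZFI_POST
# (object -> indicator), as exported from the development system.
SU24_ZFI_POST = {
    "S_TCODE": CHECK_MAINTAIN,
    "F_BKPF_BUK": CHECK_MAINTAIN,
    "F_BKPF_KOA": DO_NOT_CHECK,
    "M_BEST_BSA": CHECK_MAINTAIN,  # proposed, but the program never checks it
}

def parse_trace(text, tcode):
    """Return {object: {(field, value), ...}} for checks executed under tcode."""
    checked = defaultdict(set)
    for line in text.strip().splitlines():
        line_tcode, obj, fields, _rc = line.split(";")
        if line_tcode != tcode:
            continue  # other transactions' checks are not evidence for this one
        for pair in fields.split(","):
            field, value = pair.split("=", 1)
            checked[obj].add((field, value))
    return dict(checked)

def su24_gap_report(trace_text, tcode, proposals):
    """Compare what the program actually checks with what SU24 proposes."""
    checked = parse_trace(trace_text, tcode)
    report = {"missing": [], "review": [], "unused": []}
    for obj in sorted(checked):
        indicator = proposals.get(obj)
        if indicator is None:
            report["missing"].append(obj)  # checked at runtime, no SU24 entry
        elif indicator == DO_NOT_CHECK:
            report["review"].append(obj)   # checked at runtime but excluded
    for obj, indicator in sorted(proposals.items()):
        if indicator == CHECK_MAINTAIN and obj not in checked:
            report["unused"].append(obj)   # would land in PFCG with no evidence
    return report
```

Objects in "missing" and "review" are candidates for a new or corrected proposal in the development system; objects in "unused" are Check/Maintain entries that PFCG will propose although the trace never shows the program checking them.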


Best Practices for SU24 Maintenance

Security teams should follow several best practices.

Maintain SU24 only in the development system.

Always transport changes through the system landscape.

Document the business reason for each change.

Review SU24 proposals during role design workshops.

Collaborate with functional teams when maintaining custom transactions.

Perform SU24 review during system upgrades.

These practices help ensure that authorization proposals remain accurate and aligned with business requirements.


Final Thoughts

SU24 maintenance plays a critical role in building efficient and secure SAP roles. When maintained properly, it simplifies role creation, reduces authorization errors, and minimizes audit risks.

Many authorization problems seen in SAP projects can be traced back to incorrect SU24 configuration. By following a structured maintenance process, using proper transport management, and collaborating with functional teams, security consultants can significantly improve the quality of role design.

Understanding SU24 is not just a technical skill. It is a key capability that distinguishes experienced SAP security consultants from beginners.
