If you have been an SAP security professional for any length of time, chances are good that you are aware of the importance of doing your SU24 maintenance, so that the Profile Generator brings the right authorizations into the role, with the correct values or open fields per your system configuration to support your security design. And the longer you have the been doing SU24, the likelier it is that you have experienced the frustration of launching SU24 to do an update to a standard SAP transaction, and the authorization object needed to enable that transaction is not there.

 

You have not seen that yet? Trust me, eventually you will, sad to say.

Here is an example. Just yesterday, I picked up a security request to add ME97 to a role, and the ticket specified that the MM team's testing of that transaction determined the values that would be needed for the S_DATASET authorization. Great, how lucky can I get,  to know exactly what is needed for this role, right? Wrong. I added ME97 to the role menu, and a new authorization for S_DATASET did not come in. I launched SU24 to change the value to Check,

SU24 4-1-2014 8-25-27 AM.png

and it wasn't there. Grr. It's annoying to have to maintain this for SAP, and even more annoying to realize that SAP customers around the world will have to discover this error and fix it themselves.

 

So what does a good security professional do in these cases? Report it to SAP Support in an Incident. It won't help you right now, but once the Correction is issued, it will help other customers. If you are not sure how to do that, I recommend this blog post by my SAP Mentor colleague Otto Gold.

SU24 related OSS notes with SAP Support | SCN

Otto just updated that post with several recent SU24 related Corrections, including one that was the result of one of my own SU24 Incidents.

This is your chance to pay it forward to SAP customers around the world and take the SU24 lemon to make lemonade.