Show TOC

Checking for Changes in Authorizations After UpgradesLocate this document in the navigation structure

After an upgrade compare the default check indicators and the field values of the previous and new releases. Run the comparison with Profile Generator: Upgrade and First Installation (transaction SU25).


Between releases SAP can deliver new or modified authority checks in existing roles. To ensure that your business processes are not affected by these changes, check for these changes and their impact on the values you set in your system.

You must check for changes in each client of your SAP NetWeaver Application Server.


  1. Start Profile Generator: Upgrade and First Installation (transaction SU25).
  2. Execute the steps in the profile generator.
    Action When to perform

    1. Initial fill of customer tables


    Only carry out this step for new installations or source releases before R/3 3.0B.

    2a. Automatic Comparison with SU22 Data

    Always. Mandatory.

    2b. Modification adjustment with SU22-data

    Always. Mandatory.

    2c. Roles to Be Checked

    Highly recommended. This step enables you to see what roles you must check and modify for the new authorization concept.


    Because changing the authorization concept can take time, generate the role SAP_NEW and assign it to the users affected by the changes. This enables your business processes to continue uninterrupted until you have finished your changes. Once you have updated the affected roles, remove any assignments to SAP_NEW.

    For more information about the individual steps, see the online help in the application.

    See also the following SAP Notes.
    • SAP Note 440231 Information published on SAP site: Upgrade postprocessing for profile generator

    • SAP Note 727536 Information published on SAP site: Using customer-specific organizational levels in PFCG

    • SAP Note 1539556 Information published on SAP site: FAQ Administration of authorization default values