Hi Chris
You want to run SU25 when there has been a change in the Basis Release Level. I covered off a technical summary in the following thread: SU25 UPG ENHP : how to find modified roles?
These are the key things I consider for EHP and upgrades:
- possible checks on custom code (most likely covered through testing)
- new authorisation objects
- regeneration of SAP_ALL
- update any non-production project roles, etc. that may need the access
- possible new transaction codes (normally each functional area will need to review their areas with SAP Notes providing details. Step 2D(?) in SU25 does a replacement transaction mapping but that assumes SAP maintained the PRGN_CORR2 table. This is useful if a transaction has become obsolete.)
- have a search to see if there is new security functionality (for example, security policies were created in a recent release)
- ensure that the security roles are adequately tested as part of project so users do not have authorisation issues in Production
If your system landscape is complex (e.g. two non-production streams for production support vs project) you will need to ensure a process to dual maintain security roles for the different versions, etc. May not be an issue for you but it is another thing to consider.
Depending on how old your system is, sometimes enhancement packs and upgrades are an opportunity to overhaul security.
Regards
Colleen