Hi Silver Surfer
Is it advisable to upgrade the Production now and perform the SU25 in DEV later and promote the roles to Production after proper testing in QA?
Do you mean - is it okay for EHP6 to be applied to Production and fix the security later? If so....
Your risk is if new authorisations checks have been introduced to existing transactions that are in design then users may start to receive authorisations errors. If you are willing to risk a flood of annoyed users complaining of lack of access it is technically possible.
Though, if you are moving from EHP4 to EHP6 was security testing along with functionality testing? If so, you may have covered a large portion of the risk.
As far as SU25 goes, it is to assist with fixing up SU24 values based on SAP proposals. Once you need to make changes to SU24 you need to adjust the roles (As per you Step 2c). I've been at places where they made the decision to execute Steps 2a and 2b and then go into PFCG for each impacted role and deactivate the new proposals (i.e. SU24 updated but PFCG remains unchanged from authorisation perspective). This approach enabled them to "technically" complete the security steps and move a transport through to test environment. However, they were relying on security testing of the roles to identify authorisations issues. If issue was identified, they would then fix the role.
Whatever your approach with SU25 is.... security roles need to be tested as part of an upgrade.
Regards
Colleen