Hi all, please kindly comment following job role design:
(1) transaction role:
Keep transactions in single job role to represent business processes in different application areas, e.g.MM: maintain PR, PO, OA. CO: maintain cost center, internal order HR: maintain org structure, personnel management.
The single job role will only keep role menu, object S_TCODE and inactivated all other application related authorization objects.
(2) authorization role
Keep application component related authorzation objects except S_TCODE in single job role by different application area, e.g. Objects of MM_B, MM_E, MM_G in MM role. Objects of K_CCA, K_CSKS_SET in CO role. Objects of HR in HR role.
Then maintain org level of MM, CO, HR roles for different companies, e.g. Company A MM role, company A CO role, company A HR role, company B MM role.;....
User will be assigned transaction role + auth object role. For example, user of company A to perform MM and CO functions will be assigned
with MM transaction role + company A MM role + company A CO role.
Please let me know the pros and cons of above design. Thanks.
Regards,
Donald
* I can see the disadvantage of this design is during SAP upgrade (SU25), revised of authorization object will not reflect in authorization role