Jonathan,

As you have probably already realized, the GRC discussion forum is *not* the right place for ECC security role design questions, but I will try to get you on the right path. I'm not sure why the moderators let your question be posted here, but that is another issue altogether.

I suggest reviewing the transaction(s) which the end user will be running via transaction SU24 to see which authorization objects are securing it/them, and check each of those objects to find those which have a field for groups.  This is basic SAP role design; if this is unfamiliar to you, check with the security analysts who do your role build/ admin. Alternately, you can run a system trace on the transactions to see which objects were checked, but trace results can be unreliable and should be verified through testing.

If you are unfamiliar with SU24, ST01, PFCG and security related tables and reports, I encourage you to do some searches and reading on security basics before trying to tackle this question, or defer to your role admins.

In the future, post questions about security in the Security discussion forum, if you are still stuck after doing your research per SCN usage guidelines. I encourage you to close this question ASAP so that the SCN members interested in SAP GRC are not further spammed with this discussion which has nothing to do with SAP GRC.

Good luck!

Gretchen