We do not use the SAP-supplied roles in our QA and PRD systems - which is best practice. We need them in DEV, but not in the remaining systems. As the SAP Security Analyst, I want to delete them to reduce overhead and unnecessary risk. However, if they are just going to be reinstalled during the next upgrade, my work will be a moot point and a big waste of time. Does the Basis team have an option to not install these roles into systems other than DEV during an upgrade? I don't remember them being in a QA or PRD system at any previous employer.
We are currently running ECC Netweaver 7.5 and have plans to upgrade to S4/HANA starting next year.
And if we have that choice, will there be any effects on SPDD/SPAU changes during the upgrade if the roles are not installed?