Former Member
Dec 19, 2007 at 02:32 AM

Security design issue



In the R3 enterprise implementation (enhancement to an existing production system) project we are working on, the development team has a technical specification to assign all custom programs an auth group.

The roles are process-based, and we have a set of standard roles which are assigned to all end users along with their designated process-based roles. What I have discovered is the standard roles have full (*) access to S_PROGRAM!!

Given this, there is no point in restricting the programs by auth groups, because the standard roles are going to give access to them anyway!!

What has happened as a result of this is that no SU24 updates were made to the custom Tcodes (associated with the custom programs) for S_PROGRAM, since this object never failed during testing. There must be so many Tcodes which now might need an SU24 update with the proper auth group.

Though we say SE38/SA38 are not to be assigned in Production, we all know it is not always the case. It will be Christmas for anyone having knowledge and access to this kind of security!

Though I feel an object like S_PROGRAM is not the best of objects to give everyone full access to, I just want to brainstorm what impacts it could have.

Appreciate your response.
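
An added example, not part of the original post: one way to find which roles carry the wildcard S_PROGRAM authorization described above, so the scope of the cleanup is known before SU24 is updated. It assumes the role authorization values have been exported to CSV with the AGR_1251 columns shown; the role names, authorization names and the function name are constructed for illustration, and only a literal `*` in P_GROUP is detected (patterns such as `Z*` are not).

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of an AGR_1251 export (assumed CSV layout).
# Role and authorization names are made up for this example.
SAMPLE = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_STD_ENDUSER,S_PROGRAM,T-X100,P_ACTION,*,
Z_STD_ENDUSER,S_PROGRAM,T-X100,P_GROUP,*,
Z_FI_AP_CLERK,S_PROGRAM,T-X200,P_ACTION,SUBMIT,
Z_FI_AP_CLERK,S_PROGRAM,T-X200,P_GROUP,ZFI_AP,
Z_MM_BUYER,S_PROGRAM,T-X300,P_ACTION,VARIANT,
Z_MM_BUYER,S_PROGRAM,T-X300,P_GROUP,*,
Z_MM_BUYER,S_TCODE,T-X301,TCD,ME21N,
"""

# S_PROGRAM actions that let a user start a report (online or in background).
EXEC_ACTIONS = {"SUBMIT", "BTCSUBMIT"}


def wildcard_program_roles(csv_text):
    """Return {role: sorted actions} for roles whose S_PROGRAM authorization
    pairs P_GROUP = * with an action that allows running programs."""
    auths = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["OBJECT"] == "S_PROGRAM":
            # Field values only combine within one authorization (AUTH),
            # so group by role and authorization, not by role alone.
            key = (row["AGR_NAME"], row["AUTH"])
            auths[key][row["FIELD"]].add(row["LOW"].strip())

    findings = defaultdict(set)
    for (role, _auth), fields in auths.items():
        if "*" not in fields["P_GROUP"]:
            continue  # restricted to named auth groups
        actions = fields["P_ACTION"]
        granted = EXEC_ACTIONS if "*" in actions else actions & EXEC_ACTIONS
        if granted:
            findings[role] |= granted
    return {role: sorted(acts) for role, acts in findings.items()}


if __name__ == "__main__":
    for role, acts in wildcard_program_roles(SAMPLE).items():
        print(f"{role}: P_GROUP=* with {', '.join(acts)}")
```

Roles flagged here are the ones that make program auth groups ineffective; a role with P_GROUP = * but only VARIANT (like the constructed Z_MM_BUYER) is not reported.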