We have roles that allow the display ony of the SPRO configuration in our production system. (can be used by Competency Center to validate config is the same in Prod as in Dev.)
But in our the main user job roles, we have security that limits any one who is not a US citizen from seeing "technical data" such as BOM's and Routings that can tell how to "build" a US military part.
Because we have never gone through and checked, or proven, that no SPRO (IMG) sub-nodes link to the display of actual data base "data" that could be ITAR restricted, we can not give the SPRO display roles to the members of our project or our global support staff that are not US citizens.
Does SAP have documentation that SPRO transactions do not display (or link to) actual technical data that needs to have resticted access. As long as the link takes you to a seperate t-code, and that t-codes security applies, then it is ok.