Skip to Content
author's profile photo Former Member
Former Member

How practical is it to build new roles based on the Function tcodes?


Julius wrote in another thread about implementing RAR for 2500 users:

"9 times out of 10 you will be better off building new single menu roles from cratch, in which case the ability to analyse a role for SOD's is more usefull than a user based entry."

Just wondering if anybody had tried creating single roles based on the contents of each function in RAR?

Function MM06 would contain material master data tcodes, maybe using the permissions that it contains to build from the ground up? I vaguely remember a demo of doing this in ERM.

At a previous client we ended up copying and copying and copying lots of singles to remediate which was a complete mess 😊


MM06 MM01

MM06 MM02

MM06 MM06

MM06 MM11

MM06 MM12

MM06 MM13

MM06 MM16

MM06 MM17

MM06 MM41

MM06 MM42

MM06 MM46

MM06 MM50

MM06 MM71






MM06 MR21



MM06 S_ALR_87003972

MM06 S_ALR_87004117



Edited by: David Berry on Oct 25, 2010 9:38 AM

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

2 Answers

  • author's profile photo Former Member
    Former Member
    Posted on Oct 25, 2010 at 09:28 AM

    in my four yr interaction with GRC customer (when i was in SAP ...... ) , never saw single customer do that......

    not a bad idea, however you may end up in mess.......



    .... my 2 cents ... 😊

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Oct 26, 2010 at 08:38 PM


    I wouldn't recommend this approach. Your roles should be built with the guidance from Business and Functional teams. You can run the roles against RAR to make sure there are not intra-role SoD violations.


    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hi Qalid

      Thanks for your input, I can see there are some downsides to this approach!

      If you start with lots of small single roles assigned to groups of users you end end, after remediation, with a vast number of copied/copied/copied singles have been created with the various conflicting tcodes separated as you hit different reports for different users who started with the same single role 😔

      I don't like new builds for remediation - you end up with an ongoing support burden, but, if you did have to 'go for it' then it would either be a case of building large user group job roles (no composites Julius - dog's breakfast 😉 ) to avoid cross user group auths errors or maybe build based on functions. If the business has already modified the ruleset to their needs then using the remaining values for the new build was why I asked. It's not ideal - agreed but it may give some benefits?

      I'm working at a client where SU24 was never maintained so the values in the ruleset may provide some basic default objects and values to save subsequent teesting/auths issues.



Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.