My Security team and I are being asked to contribute to a role revision for our ME54N approver role. Currently M_EINK_FRG is set with * in both release code and group. Most of our approvals are via the email workflow, which is attached to a table where each user's limits (company code, group, and authority limits) are maintained. However, a couple of users have logged into the system to run ME54N rather than approve via email workflow. A couple have figured out how to approve any PO within their limit across the org, not good.
Internal audit and SOX require me to limit user access via both methods. Can I have the roles also use the same workflow? If so, how? Right now the direction from my functional consultant is to create a role for each approver with their limits attached. This will be an administrative nightmare. How have others handled granting approver authority?