We use only Z-roles (copies of standard roles), which are large in number and might have access to infotype 0009 (bank details) through the authorization object P_ORGIN. We also use structural authorization in our security setup.
Now the business has decided to remove access to IT0009 everywhere except from portal roles and to create 2 new SAP roles exclusively for IT0009 that grant read and write access respectively.
> What is the best and safest way to identify and remove access to IT0009 from all Z-roles?
> How do we create a new "Bank details maintainer" role that must have access to the same personnel areas and employee groups as another data maintainer and gives full access to infotype 0009 (create, change, display, delete, etc.)?
> How do we create another new "Bank details displayer" role that must have access to the same personnel areas and employee groups as another data maintainer and gives display access to infotype 0009?
> The two new roles must be created with maximum attention to future maintainability. I.e. the master roles must contain as much as possible, so that inheriting roles can be easily updated in the future.
> Is any development required to achieve this?