Hi JC. Thanks for your response.

The values I was talking about were Org. Values and other values. E.g.: a user has to account to a document type but can only see another type, and/or for a company given, can use a Profit Center....

I think that's why I'm so confused.

I can't believe the Authorization Module is so complicated.

There is no other way than create multiple roles for the same transactions? Can't I create one role, and then assign this role to different people (same functions), and assign too a profile copied with different authorizations? I was hoping I could creat profiles manually.

Thanks in advance,

Jose Pinedo

Yes, you can try that approach. Either create a role or profile with just

the tcodes and then another role or profile with the auth object values,

but at the end of the day as long as you have 10 people with different

auth object value requirements you'll end up with 10 roles or profiles.

Also - this approach will become very difficult to maintain long term since

you are "detaching" the linkages that profile generator provides you by

associating the tcode with the auth objects.

Yes - security can be complex - it depends on your design and your company's

requirements. I always tell people - if you want easy maintenance, give

everyone SAP_ALL and there's little to maintain from a security perspective,

but no one ever takes that route since giving SAP_ALL would be ludicrous.

Yes, the approach with auth. obj. separated will mean a role for every person, and as you mention, detach the generator with the objects, as mentioned in other posts.

Thanks a lot for your info.

I'll keep looking for a good approach specially for IT personnel.

Jose Pinedo

Additional note of caution when creating additional

ORG levels values is that the you have to be certain

that the fields you define will only impact the auth. objects

that you want. For example, defining authorization group would

be an issue since there are many auth objects with this field.