
Is a custom TCODE needed for every unique combination of authorization object field values?

sstruz
Member

Hello Experts,

We recently implemented GRC 10.1 ARM, ARA and EAM. One of the issues we found was that even though a user had a role granting only view access in a TCODE, it was conflicting with other TCODES as if they had create/change access.

We had built multiple roles with standard SAP TCODEs, but we changed the authorization object field values to accommodate different access.

For example, the TCODE F110 was in three different roles. In the role for those that could process the payments and run the proposals, the values for authorization object F_REGU_BUK were

02, 03, 11, 12, 13, 14, 15, 21, 23, 25, 31

The next role was for those that could only run the proposals, so the values were

02, 03, 11, 13, 14, 15, 23

And the last was for support staff that would only view, so the values were

03, 13, 23.

We were told that this was completely wrong and that we should have created custom TCODES for secondary roles where the values were not the same as the 'default' values.

Most standard TCODES require some type of update to the authorization object field values. Something like SP01 requires an update to authorization object S_SPO_DEV field SPODEVICE or the user cannot even print a report. It seems that we would have hundreds of custom TCODES and some 'standard' TCODES would never be used.

Is there any best practice guidance around these practices?

Your insight is greatly appreciated.

Cheers,

Susan

Accepted Solutions (0)

Answers (0)
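
The symptom described in the question, modelled as an added example that is not part of the original post and not GRC's own rule logic: a rule keyed only on the TCODE matches all three F110 roles, while a rule keyed on the TCODE plus F_REGU_BUK values separates the view-only role. Assumptions: the values the view-only role holds (03, 13, 23) are treated as display activities and every other value in the post's roles as an update activity; the role names and rule shapes are hypothetical.

```python
# F110 roles as described in the post: same TCODE, different F_REGU_BUK values.
# Role names are hypothetical labels for the three roles in the question.
ROLES = {
    "process_payments": {"F110": {"F_REGU_BUK": {
        "02", "03", "11", "12", "13", "14", "15", "21", "23", "25", "31"}}},
    "run_proposals": {"F110": {"F_REGU_BUK": {
        "02", "03", "11", "13", "14", "15", "23"}}},
    "view_only": {"F110": {"F_REGU_BUK": {"03", "13", "23"}}},
}

# Assumption: values held by the view-only role are display activities;
# every other value used in the post's roles counts as an update activity.
DISPLAY_VALUES = ROLES["view_only"]["F110"]["F_REGU_BUK"]
UPDATE_VALUES = set().union(
    *(r["F110"]["F_REGU_BUK"] for r in ROLES.values())) - DISPLAY_VALUES


def effective_values(role_names, tcode, auth_object):
    """Union of the field values a user gets from all assigned roles."""
    values = set()
    for name in role_names:
        values |= ROLES[name].get(tcode, {}).get(auth_object, set())
    return values


def action_level_hit(role_names, tcode):
    """Rule keyed on the TCODE only: any role containing it matches."""
    return any(tcode in ROLES[name] for name in role_names)


def permission_level_hit(role_names, tcode, auth_object, risky_values):
    """Rule keyed on TCODE plus field values: needs a risky value to match."""
    if not action_level_hit(role_names, tcode):
        return False
    return bool(effective_values(role_names, tcode, auth_object) & risky_values)


def compare(role_names):
    """Return (action-level result, permission-level result) for F110."""
    return (action_level_hit(role_names, "F110"),
            permission_level_hit(role_names, "F110", "F_REGU_BUK", UPDATE_VALUES))


if __name__ == "__main__":
    for assigned in (["view_only"], ["run_proposals"], ["process_payments"],
                     ["view_only", "run_proposals"]):
        print(assigned, compare(assigned))
```

In this model the view-only role is flagged only by the TCODE-only rule, which is the false conflict the question describes.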