Number of Txns per Role

Posts: 36
Joined: Fri Apr 28, 2006 12:43 am
Location: New Zealand


Post by MikeNZ » Thu Dec 13, 2007 5:38 am


We just had a review performed of our Global Role Template.

One of the comments that came back was
"As a rule no individual role should contain more than ten transactions when building for a global template"

Basically - they are asking us to review our role design and change any roles with more than 10 Txns.

Can someone with experience of designing global role templates - please comment on whether a rule of only having 10 Txns per role is relevant?


Auke Visser
Posts: 275
Joined: Thu Jul 13, 2006 8:25 am
Location: Kropswolde, Holland

Post by Auke Visser » Thu Dec 13, 2007 6:08 am

see answer given in SAP developers forum

Posts: 5694
Joined: Sat Oct 26, 2002 6:18 pm
Location: barolo barrel

Post by thx4allthefish » Thu Dec 13, 2007 7:20 am

i agree with auke in SDN. His best practice is mine also. we have attached our CUA to HR-Org, so the overall-master-plan-of-life is: one role per position thus describing all the activities of that position.

of course it comes down to philosophy in the end but let me assure you that 'my' way of doing it minimizes the time and effort to be spent on user-maintenance (we've got > 1000 users and i'm doing the job alone and only part-time).
curiousorange wrote: I give up. Humanity isn't worth saving. Why is there never a Vogon Constructor Fleet around when you really need one?

Posts: 36
Joined: Fri Apr 28, 2006 12:43 am
Location: New Zealand

Post by MikeNZ » Fri Dec 14, 2007 6:21 am

Thanks,... I agree with you on all fronts.

I can't see the point in having a massive number of single roles - if users are just going to have them assigned back together anyway. Just increases maintenance and adds another layer of complexity to something that should be simple.....

At the end of the day the design should fit the needs of the users and the organisation you are working in. So rules are for fools!

If SAP Security was as simple as my auditor friend suggests... we would all be out of a job !

Posts: 3216
Joined: Fri Oct 17, 2003 5:41 am
Location: Oil Patch, Scotland

Post by ib » Fri Dec 14, 2007 6:59 am

This approach is suitable where there are large numbers of users as this will usually mean that they will have more concise 'jobs', but with a smaller organisation with fewer users you find that many users are isolated in small organisational units and have to fulfil many functions.

In this case setting 'roles' to be more 'activities' with consequently fewer transactions will be the only way you can achieve the required control over function and segregation of duties.

It's horses for courses .......

Like all things in SAP, there are no rules ... it's what works best for you ......
SAPFans help those who help themselves !
