We have found that a few of our SAP roles are mapped with multiple profile names. Is it possible to have multiple...
profiles to a single role? Note: These roles are derived roles, not composite roles and not the composite profiles.
Here are some examples which may provide a clearer view of what I mean.
|Roles and Profiles||User ID|
(Profiles ##: T-D3060077, T-D30600771)
(Profiles ##: T-D3060644, T-D3060076)
Before SAP had roles, they had SAP profiles. Because of the data design, a profile could only have a limited number of authorizations. Roles are still only a technical layer on top of profiles, and profiles still have the original limitations.
Consequently, when a large role has too many authorizations for one profile, a second profile is generated and assigned. This is merely a technical feature. Your auditors should focus their evaluation on the roles assigned. There are other technical considerations, but this answer should be sufficient for almost all situations.
Dig Deeper on SAP security
Related Q&A from Corwin Slack
A SearchSAP.com reader wants to know how to grant a user access to cost centers, as well as access to one cost element across all cost centers. Continue Reading
Learn how to stop SAP users from displaying HR table contents in an SAP table without restricting access to an SE16N transaction. Continue Reading
A SearchSAP.com reader who stores user email addresses within the SAP SU01 transaction code and wants to know where to locate the data. Continue Reading