Our company never had anyone to manage the roles of the users. When a user requested access to certain transactions, we simply added the transaction to one of the roles we thought it would fit best, based on the description.
At this point, multiple roles for that user have the same authorization objects.
I got a request to restrict the transaction based on a cost center. Restricting the authorization object K_CCA for the role that contains the transaction doesn't work because K_CCA can be found in other roles for the user. We can restrict all the K_CCA objects we find for that user in all the roles, but this doesn't seem to be the right solution, or is it?
What is the best solution for such scenarios? Should we restructure roles so all the transactions that use the same authorization objects are under the same role? Or create a program enhancement and programmatically set an authorization based on user and cost center?
Any ideas would be welcome.
Thanks
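
The behaviour described in the question, as an added example that is not part of the original post: a user's authorizations are additive across roles, so a check on K_CCA passes if any one authorization in any assigned role matches. The role names, cost-center values and the simplified pattern matching below are constructed assumptions for illustration; `RESPAREA` and `CO_ACTION` are fields of K_CCA.

```python
from copy import deepcopy
from fnmatch import fnmatchcase

# Constructed sample: role -> list of K_CCA authorizations (field -> allowed values).
ROLES = {
    "Z_FI_REPORTING": [{"CO_ACTION": ["*"], "RESPAREA": ["KS1000CC4711"]}],  # restricted
    "Z_CO_DISPLAY": [{"CO_ACTION": ["*"], "RESPAREA": ["*"]}],               # forgotten wildcard
    "Z_MM_BUYER": [{"CO_ACTION": ["DISPLAY"], "RESPAREA": ["KS1000*"]}],     # generic pattern
}


def auth_matches(auth, wanted):
    """One authorization passes only if EVERY checked field has a matching value."""
    return all(
        any(fnmatchcase(value, pattern) for pattern in auth.get(field, []))
        for field, value in wanted.items()
    )


def granting_roles(roles, user_roles, wanted):
    """Roles of the user that on their own satisfy the check (any one is enough)."""
    return sorted(
        name for name in user_roles
        if any(auth_matches(auth, wanted) for auth in roles[name])
    )


def restrict(roles, field, values):
    """Return a copy of the role set with `field` narrowed in every authorization."""
    narrowed = deepcopy(roles)
    for auths in narrowed.values():
        for auth in auths:
            auth[field] = list(values)
    return narrowed


if __name__ == "__main__":
    user_roles = list(ROLES)
    outside = {"CO_ACTION": "DISPLAY", "RESPAREA": "KS1000CC9999"}
    # Restricting only Z_FI_REPORTING changes nothing: these roles still grant access.
    print("still granted by:", granting_roles(ROLES, user_roles, outside))
    fixed = restrict(ROLES, "RESPAREA", ["KS1000CC4711"])
    print("after narrowing all roles:", granting_roles(fixed, user_roles, outside))
```

Running the same report over the real role assignments shows which roles have to change before a cost-center restriction takes effect for a given user.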