Composite Roles, opinions sought.

Time for a discussion on Composites. All opinions welcome.

I don't believe composite roles provide a good solution to most of the problems they are used to fix.


Composite roles were delivered to help deploy security more quickly. Task based methodologies mean that funkies are great at identifying the tasks but someone has to put them together. As one of my clients puts it well: "people perform processes". Unfortunately this part is usually left until too late. It means security has to build early to stand a chance.

So they are a solution to a problem that shouldn't exist?



Access represented by 1 role. Build can start earlier if there is limited input

Business can pick and choose the roles which users need to perform their role

We have a GRC solution, it is really smart so it doesn't matter what the build looks like as "the computer says yes"

Useful for creating cross system roles in a CUA master (my one situation where I find they can save time).


Complexity: Change a single role and you need to analyse all the composites underneath it.

Object Duplication: The more single roles you have in a composite (or assigned to a user in general) the more authorisation duplication you have. If you have an auth value as control relevant then the more instances = more chance of a mistake.

Typically requires more role variants to give the flexibility of assignment


Taking the design up a level: Someone has to define jobs. A job should represent everything that a real person should be performing in SAP. Use the tasks that have been defined to get all requirements of a job & then build that as a single role.

Another approach is to build 1 role to contain all the access for a job (e.g. Accountant) and then to have another one for "extras" such as regional differences, special responsibilities.

Better system performance for security tasks (try reporting when you have 70000 large roles). Easier application of authorisation controls. Maintenance is easier and quicker. Fewer authorisations in the user buffer. Fewer role assignments. Quicker analysis and remediation of control issues.

Over to the floor
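
The complexity and object duplication points can be measured on a role export. The following is an added example, not part of the original post: the role names and rows are constructed, shaped like extracts of AGR_AGRS (composite to single role) and AGR_1251 (authorisation values), and the helper function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data, not from a real system.
# Composite -> single roles (shaped like an AGR_AGRS extract).
COMPOSITES = {
    "ZC_ACCOUNTANT": ["ZS_FI_POST", "ZS_FI_DISPLAY", "ZS_FI_CLEAR"],
    "ZC_GL_CLERK": ["ZS_FI_POST", "ZS_FI_CLEAR"],
    "ZC_AP_CLERK": ["ZS_FI_DISPLAY", "ZS_AP_INVOICE"],
}
# (single role, auth object, field, value), shaped like an AGR_1251 extract.
AUTHS = [
    ("ZS_FI_POST", "F_BKPF_BUK", "ACTVT", "01"),
    ("ZS_FI_POST", "F_BKPF_BUK", "BUKRS", "GB01"),
    ("ZS_FI_DISPLAY", "F_BKPF_BUK", "ACTVT", "03"),
    ("ZS_FI_DISPLAY", "F_BKPF_BUK", "BUKRS", "*"),
    ("ZS_FI_CLEAR", "F_BKPF_BUK", "ACTVT", "02"),
    ("ZS_FI_CLEAR", "F_BKPF_BUK", "BUKRS", "GB01"),
    ("ZS_AP_INVOICE", "F_BKPF_BUK", "ACTVT", "01"),
    ("ZS_AP_INVOICE", "F_BKPF_BUK", "BUKRS", "GB01"),
]

def impacted_composites(single_role):
    """Composites that need re-analysis when single_role changes."""
    return sorted(c for c, kids in COMPOSITES.items() if single_role in kids)

def duplicated_fields(composite):
    """(object, field) pairs maintained in more than one single role of
    the composite, mapped to {role: sorted values}."""
    seen = defaultdict(lambda: defaultdict(set))
    for role, obj, field, value in AUTHS:
        if role in COMPOSITES[composite]:
            seen[(obj, field)][role].add(value)
    return {key: {r: sorted(v) for r, v in roles.items()}
            for key, roles in seen.items() if len(roles) > 1}

def control_drift(composite, obj, field):
    """For a control-relevant field, return the per-role values when the
    single roles in the composite disagree, else an empty dict."""
    per_role = duplicated_fields(composite).get((obj, field), {})
    distinct = {tuple(values) for values in per_role.values()}
    return per_role if len(distinct) > 1 else {}

if __name__ == "__main__":
    print(impacted_composites("ZS_FI_DISPLAY"))
    for name in COMPOSITES:
        print(name, control_drift(name, "F_BKPF_BUK", "BUKRS"))
```

A non-empty result from `control_drift` only shows that the same field is maintained in several places with differing values; whether that is a control issue still needs review of the individual authorisations.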