Initial full sync batch risk analysis scope

patrick_weyers

Hi there,

A question that has been bugging me for quite some time:

When implementing RAR, how do you best determine the "scope" of the initial full sync batch risk analysis?

I read the relevant guides out there, but still am not 100% confident on what is the best approach.

1) It is recommended to run a FULL analysis initially, covering all systems and selecting "*" for all options.

2) A full analysis may require an extensive amount of time and resources, hence it is advisable to exclude certain objects (roles, users, profiles).

3) Roles and profiles could be excluded using the "Exclude Objects" function during job scheduling, or by defining them as critical roles and profiles and excluding critical roles and profiles from the risk analysis via the corresponding configuration option.

Which approach do you usually take? Which objects - say on a standard SAP system on which you only want to analyze customer-specific roles - do you exclude? How do you determine which profiles to exclude?

Thanks for your thoughts on this!

Cheers

Patrick

Accepted Solutions (0)

Answers (1)

Former Member

Hi Patrick,

1) It is recommended to run a FULL analysis initially, covering all systems and selecting "*" for all options.

Yes, a full sync is required for this first time to get the risk database updated completely, and the management views/reports to be updated completely.

2) A full analysis may require an extensive amount of time and resources, hence it is advisable to exclude certain objects (roles, users, profiles).

Yes, and of course it depends on the number of users, roles, and profiles that you have, and also on how well you manage your roles. But a full sync and analysis will always take more time and resources. Normally the SAP delivered roles, profiles and users such as service, batch (those who can't login in dialog mode) can be excluded.

3) Roles and profiles could be excluded using the "Exclude Objects" function during job scheduling, or by defining them as critical roles and profiles and excluding critical roles and profiles from the risk analysis via the corresponding configuration option.

Exclude objects is the best approach as per my knowledge.

Which approach do you usually take? Which objects - say on a standard SAP system on which you only want to analyze customer-specific roles - do you exclude? How do you determine which profiles to exclude?

I recommend not leaving any objects (if you mean authorization objects). All of them should be uploaded to the RAR system. As mentioned, SAP delivered roles and the roles that don't have any user assigned can be excluded.

But remember, you may need a clean-up of the ones that are not used any more. Just a good practice.

Hope this helps!!

Regards,

Raghu