Hi,

I updated my report for [security role analysis|http://wiki.sdn.sap.com/wiki/display/Security/QAMetricsforRoleDesign]. I added two new columns: number of change documents for security role and number of users who modified security role. Again, I got inspired by software development metrics. Usually in software development, most of source code files are not touched very often but there is a small group of files where most of changes occur (20/80 rule). These files cause most of the problems. So I am wondering if something similar is common for security roles. Most of the roles are not changed during their lifetime but there are some that are changed very often. What is interesting is that the files that are changed quite frequently have usually higher complexity (in case of source code it means longer methods/routines/functions). So my first question is how would you define complex role? The report gives you number of items in menu as well as number of authorization objects. These two fields are good indicators if role is complex or not. Do you have a better idea how to measure role complexity?

I just run this report on one system and it seems that roles with higher number of changes are usually more complex such as role for basis support. Can you see similar pattern? Any comments on relation between role complexity and number of changes? Should we try to minimize complex roles?

Implementation note:

I ignore archived change documents. So if you archive these docs then the results will not be correct. I also exclude change documents for role assignment to user. I really don't want to include these as changes to role. Because of this requirement I have to go to item table CDPOS. This is causing heavy load on the system. So I put a checkbox on selection screen that you need to tick to display these new 2 columns.

Cheers