Hi Zeeshan Ahmed.

The approach you should take when creating roles in the different clients must be based on a coordinated effort between you "the security admin" the functional consultants and the key users "the process owners". both groups should provide you with functional specs for the given authorization strategy to be implemented company wide.

On the other hand, if you want to restrict IMG access, at different organizational levels in client 100 the objects that should be maintained are:

S_IMG_ACTV, J_1I_IMG and S_IMG_GENE

As far as transactional data and customizing goes, you have to specify a client within your DEV environment for customizing and sandbox (transactional data) roles.

Hi Zeeshan,

Ideal thing is not to restrict authorizations just on basis of customizing or transactional data.

Rather keep these as two big divisions under which you will have more divisions. What it means is that under customising section create several different roles for different modules and sub modules. Same for transactional data domain.

Anyways getting back to your point. If you are interested in just one role for customising then gather the transaction details from your functional guys and incorporate them in a role. Same for transactional data related transactions.

Next assign appropriate values in auth objects.

The imporatant thing is that as a security adminsitrator you can create/change rolels but the decision as to what goes in which role can be taken in due consultation with functional/technical guys only.

Please award points if the answer was useful.

Regards.

Ruchit.

you have to create appropriate roles using PFCG and needs to assign to appropriate users. follow url : http://help.sap.com/saphelp_nw2004s/helpdata/en/52/671285439b11d1896f0000e8322d00/content.htm

cheers,

-Sunil