Industry Observation: SAP Authorization Governance Is More Than Role Assignment

Authorization design should connect transactions, organizational boundaries, risk control, and support operations.

SAP authorization work is sometimes reduced to role creation and user assignment. That view is too narrow. A role is only the visible result of process responsibility, organizational boundaries, control requirements, and support rules.

PFCG, SU24 proposals, authorization objects, derived roles, and S/4 changes all matter, but the first question should still be business-oriented: who is allowed to do what, for which company, plant, sales organization, or cost object, and under which control principle?

Governance points

  • Define role ownership before building large role sets.
  • Separate daily operation roles from emergency and support access.
  • Treat authorization changes as controlled process changes, not only as technical tickets.

Good authorization governance reduces both business risk and support cost. It also makes later upgrades and process changes easier to manage.

Industry Observation: Choosing Between Greenfield, Brownfield, Rollout, Conversion, and Migration

SAP implementation labels are useful only when they reflect scope, risk, process change, and data responsibility.