Well, if the risk is in the role itself, then you have only two choices: mitigate the role (awkward) or redesign the role as you suggested. If SoD is important to your client then they should move to a task-based approach where roles provide only SoD-free tasks. Whenever users or job functions require multiple tasks (or tcodes) assigned, stop adding tcodes to SAP roles and instead add role assignments to users or create virtual composites of task roles in an identity system to achieve this consistently (if you have one). Then the risks properly move up to the user level where they can be mitigated. Mitigating role definitions is not advisable as it can hide real SoD at user level and gets confusing.
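To illustrate the point about task-based roles and why mitigating a role definition hides user-level SoD, here is an added example checker (not from the post or from SAP); all tcodes, role names, users and the conflict matrix are constructed sample data, and a "mitigated role" is modelled as a role the check skips.

```python
"""Added example: SoD conflict detection at role level versus user level.
Constructed sample data only; tcodes are placeholders, not real SAP ones."""
from itertools import combinations

# Constructed conflict matrix: pairs of tcodes one person must not hold together.
CONFLICTS = {frozenset({"CREATE_VENDOR", "PAY_VENDOR"}),
             frozenset({"POST_JOURNAL", "APPROVE_JOURNAL"})}


def conflicts_in(tcodes):
    """Conflicting pairs present within one set of tcodes."""
    return {frozenset(p) for p in combinations(sorted(set(tcodes)), 2)
            if frozenset(p) in CONFLICTS}


def role_level_conflicts(roles):
    """Roles whose own tcode list already violates SoD (the awkward case)."""
    found = {r: conflicts_in(t) for r, t in roles.items()}
    return {r: c for r, c in found.items() if c}


def user_level_conflicts(roles, assignments, mitigated_roles=frozenset()):
    """Conflicts across all roles assigned to each user.
    Roles in mitigated_roles are skipped, modelling a mitigation applied to
    the role definition: the user still holds the tcodes, but the check no
    longer sees them (this is the 'hidden SoD' problem)."""
    result = {}
    for user, user_roles in assignments.items():
        effective = set()
        for r in user_roles:
            if r not in mitigated_roles:
                effective |= set(roles[r])
        found = conflicts_in(effective)
        if found:
            result[user] = found
    return result


# Design 1 (constructed): one bundled role carrying both halves of a conflict.
BUNDLED = {"Z_AP_CLERK": ["CREATE_VENDOR", "PAY_VENDOR"]}
BUNDLED_USERS = {"alice": ["Z_AP_CLERK"]}

# Design 2 (constructed): task-based roles, each SoD-free on its own;
# the conflicting combination exists only as a user-level assignment.
TASKS = {"Z_T_CREATE_VENDOR": ["CREATE_VENDOR"],
         "Z_T_PAY_VENDOR": ["PAY_VENDOR"]}
TASK_USERS = {"alice": ["Z_T_CREATE_VENDOR", "Z_T_PAY_VENDOR"],
              "bob": ["Z_T_PAY_VENDOR"]}
```

Running the two designs through both checks shows the bundled role is flagged at role level, and that once that role is "mitigated" alice looks clean even though she still holds both tcodes, whereas with task roles the conflict surfaces only for alice at user level.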