I also wonder if in the HCM solution it was more than likely ESS/MSS and they were relying on P_PERNR to exclude user activity on own account. Still sounds like a headache to restrict PLOG and P_ORGIN* objects to differentiate between read and write
Role maintenance aside, in other modules, split role concept is a headache when users can jump between transactions via menus. Run a report for Vendor line items and then drill into Vendor Master Data. You are further relying on an S_TCODE restriction!
Was split concept something pre-PFC when minimising profile build and it's just hung around in some areas? My exposure to it was due to a non-SAP group claiming they could do SAP. I just thought they tried to apply their own product specialty's security model to SAP. It was easier to completely rebuild the security then work our how to clean it up. Part of the issue, they never designed the security to factor in system growth. They build the security around one specific module and then suddenly they expanded functionality on the system and the model was no longer appropriate.
Cheers
Colleen/Mikki