Hi Julia,
with any authorisation design, best approach is to go with least privilege. The basis team should be able to provide you what they are required to access. the access should also fall in to two buckets.
1. Daily monitoring support (day to day access)
2. Exceptional support (fire fighter access)
A starting point you can go is list out the transactions in the following range and discuss with the basis team on which ones they need and any other specific transactions that are required.
Transactions
AL*
DB*
RZ*
SC*
SE*
SM*
SP*
ST*
SW*
WE*
Pay special attention to the auth objects in the following object classes
AAAB
BC_A
BC_C
BC_Z
For Java, look in to roles with
*NWA*
*admin*
as starting points.
Regards,
John