Hi Martin,
Yes, I noticed that as well when debugging. Assigning a target system to the role attempts to import the menu of the role from the source system into the role in the target system as the authorization will actually be needed there, and not in the client system where the user clicks on the menu.
Sort of makes sense, because the user must be authorized for the tcode in that target system, but technically in the call it does not have to come from that role as the target system knows naught about the client system role - only the SMT1 trust must be setup.
The gotcha in the thing however is that if you set it up like that between a CRM and ERP system, then the client system pushes the role menu. The transaction to be called in the target system must also exist in the client system - which is often not the case if that step involves processing for a transaction which does not exist in CRM -> you cannot build the role, user menus must be turned on, the role names must contain a logical system identifier and activating redundancy compression with a well thought out menu structure is not avoidable.
I can understand the theory of this, but would be curious to know whether anyone ever did this in a system landscape and survived to tell the tale? :-)
As a side note: I would also like to draw folks attentions to S/4HANA platform from SAP -> the component type systems are relaxed and the data model is revised and runs on SAP's HANA database. Basically you have all components in one box (ERP, CRM, SRM, SOLMAN, BW) so it eliminates all the integration programming and external RFC because everything in in the same real system and not a bundle of separate logical systems with the same identity from a trust perspective. So client = target. This seems like a much better idea and the centralization of authorization administration, monitoring and strategy to keep it secure is a much better approach than crowd sourcing security in many managed systems.
But I would still be curious to know whether anyone actually used this (target system assignment of single roles and building composite roles which have different subsystem assignments)?
Cheers,
Julius