on 2024 May 28 7:09 PM
Recently I started noticing that in S/4 the Expert Mode of the profile generator is behaving differently than it used to in legacy ABAP environments or even older HANA environments, but am being told by SAP Support that this is perfectly normal behavior in my OSS request.
If it is, then I cannot for the life of me understand how I missed seeing this for the last 20 years, and I would like some community input.
Issue:
I have a role that has already been built via the standard security process, adding the Tcode to the role menu and then using the profile generator in expert mode with the "edit old status and merge with new" option.
When using that option now I am noticing that it is now taking "Active" standard authorization objects and if they match an inactive standard object it is merging the active ones into the inactive ones thus disabling the object and turning off the access for the user.
We only started noticing this when users started complaining that they were losing access in our productive environment and we went back to development and compared it to our sandbox system and noticed auth_object numbers were missing in development but were there in sandbox and the missing objects were now combined into one big disabled object.
So to correct this I used the "add authorization defaults" from the parent tree of the authorization values and added back the auth_objs and values for the Tcodes I wanted active and saved the role to turn them back on.
The tcode started working again with only the authorization objects allowed so that other access was not given inadvertently.
Then just to see if it was a fluke I used my expert mode again and to my surprise it again merged all of my active objects into inactive objects thus disabling the access again.
Finally, just to see if the whole merge process worked like this, I re-added my required objects, which made them active, then selected the "merge" option under the authorization parent, and ONLY the ACTIVE objects that shared standard activity values merged. (This is what I expected and how it worked in legacy systems.)
I saved the profile and backed out and then went back in and used "expert" mode and it then again combined all of my "Active" standard objects into the "Inactive" object, thus turning off access.
I tested this in a legacy system and it is not doing this using Expert mode there.
I opened up an OSS note and the reply from them was to link the document on how authorization object comparison works with the profile generator as the solution and them pretty much saying this is now working by design.
If this is now how the merge process works (taking active auths and combining them with inactive auths), then why would we ever use the merge process in expert mode ever again, and is there a way to disable/hide expert mode in the profile generator so that new security people do not accidentally disable productive access when it merges into an inactive object for some reason?
How do we get around the 100 object limitation in a profile if our only 2 options are to activate ALL similar Standard values (thus potentially granting access not required by the user for objects that are shared by the different Tcodes) or leaving the standard objects deactivated and then having to manually add the objects (big no no) OR go into SU24 and change SAP Standard values, which would increase security work during upgrades and our SU25 process?
Thoughts? Anyone else seeing this issue (or, in SAP's response, non-issue)?
Talking with SAP Support Developer, they said it was "working as designed" even though it did not do this in any of our legacy NetWeaver systems.
What I ended up doing after a number of different tests was to just completely remove the Tcode(s) that were having the issue, saving the role, and then adding them back and then resetting the correct values based on comparing the role to a version of it in QA/SBX.
I did figure out that this only affected the roles that I exported from our legacy NetWeaver system and then imported into the new S/4 HANA system, so it looks like something goofy happens at the table association level when you transfer roles between these 2 types of systems via the Upload/Download process.
I realized that this was NOT happening with any new roles that I manually created and then later updated directly in the new S/4 HANA system.
It would be nice if there was a Security migration tool for S/4 upgrades, because having to move all of your legacy security like Roles, and SUGR, Table, Program Auth groups manually is a very time consuming process.
Especially if you have custom Tcodes that were not set up in the new system as that causes the role upload to completely fail.
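The cross-system comparison described in this thread (a role in development checked against the same role in sandbox/QA) can be scripted so that a silent deactivation is caught before transport. The following is an added example, not part of the original posts: it assumes each system's AGR_1251 rows were exported to CSV with the table's field names and that DELETED = "X" marks an inactive authorization; the role, object and value names are constructed.

```python
import csv
import io

# Constructed sample exports of AGR_1251 (role authorization values).
# Assumption: DELETED = "X" flags an authorization that is inactive in the role.
SANDBOX_CSV = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH,DELETED
Z_DEMO_ROLE,S_TCODE,T-D100000100,TCD,ZDEMO01,,
Z_DEMO_ROLE,Z_DEMO_OBJ,T-D100000101,ACTVT,03,,
Z_DEMO_ROLE,Z_DEMO_OBJ,T-D100000101,WERKS,1000,,
Z_DEMO_ROLE,Z_DEMO_OBJ,T-D100000102,ACTVT,01,02,X
"""
DEVELOPMENT_CSV = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH,DELETED
Z_DEMO_ROLE,S_TCODE,T-D100000100,TCD,ZDEMO01,,
Z_DEMO_ROLE,Z_DEMO_OBJ,T-D100000102,ACTVT,01,02,X
Z_DEMO_ROLE,Z_DEMO_OBJ,T-D100000102,ACTVT,03,,X
"""


def load_values(csv_text):
    """Map (role, object, field, low, high) -> True if any active row grants it.

    The authorization number (AUTH) is ignored on purpose: a merge renumbers
    or collapses authorizations, so only the granted values are comparable.
    """
    state = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["AGR_NAME"], row["OBJECT"], row["FIELD"], row["LOW"], row["HIGH"])
        active = row["DELETED"].strip().upper() != "X"
        state[key] = state.get(key, False) or active
    return state


def lost_access(reference_csv, target_csv):
    """Values active in the reference system but inactive or absent in the target."""
    ref, tgt = load_values(reference_csv), load_values(target_csv)
    findings = []
    for key, active in sorted(ref.items()):
        if not active:
            continue  # already inactive in the reference, nothing was lost
        if key not in tgt:
            findings.append((key, "missing"))
        elif not tgt[key]:
            findings.append((key, "inactive"))
    return findings


if __name__ == "__main__":
    for key, status in lost_access(SANDBOX_CSV, DEVELOPMENT_CSV):
        print(status, *key)
```

Running the comparison after every expert-mode merge, with the sandbox or QA copy as the reference, lists exactly which values need to be reactivated.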