The Background: SAP Security Best Practice
SAP best practice for SAP security is for PRODUCTION systems to keep only the security roles that are used for executing job duties in that system. SAP roles that are provided during an ‘Upgrade’ or a new installation are to be copied and renamed according to the customer’s naming convention.
“SAP's recommendation is to copy the standard roles into your own name space and make modifications to the copies as needed”
The standard roles need only exist in the DEV system. That system is the ‘BASE’ from which the standard roles needed by the business are copied, renamed, and modified to fit the business needs. It is also a ‘START’, since customized roles can later be created based on the usage for a group of users over a period of time.