Define a user group as mandatory field in the user root
RS_ABAP_SOURCE_SCAN
Each roll can be written to any number of transport orders. Information about existing records of the same role by other administrators does not take place.
Make sure that reference users are assigned minimal permissions to avoid overreaching dialogue user permissions. There should be no reference users with permissions that are similar to the SAP_ALL profile.
Perform Risk Analysis with the Critical Permissions Report
It must be clarified in advance what constitutes a recognized "emergency" in the first place and which scenarios do not yet justify activating the highly privileged user. In addition, it may only be approved and activated after a justified request and only under the dual control principle. After use, it must be administratively blocked again immediately.
"Shortcut for SAP systems" is a tool that enables the assignment of authorizations even if the IdM system fails.
The website "www.sap-corner.de" offers a lot of useful information about SAP authorizations.
Do this once in your system.