We have a common end user role in Production, with transactions sp02, sm37, sbwp, su01d, su53, session_manager, search_sap_menu, and critical authorization objects like S_ADMI_FCD *, S_BTCH_NAM *, S_BTCH_JOB *, S_BTCH_ADMI *.
Now my argument with my lead is that we should not give S_ADMI_FCD in PROD, nor all the above objects. How can I show that there is a chance of backdoor entry by giving these objects in an end user role? Can anybody tell me how I can show here when we execute these authorization checks, and that this is a major conflict (with proof)?