IMG auth question

Question: Though the question was discussed many times in this forum but I still want to know:

Question 1): First of all, Config Only W/O Application should be set for consultant in Golden Client. If we only assing SPRO, SM30 t_code to a role, many config lines in SPRO can not be excuted due to lack of authorization. Must we create a roll and pull all T_Codes from table cus_actobj & cus_acth?

Assign * to S_TOCDE is not acceptable. We also have no experience in restricting S_TCODE and other object value for SAP_ALL.

Question 2): Project team want to restrict the authorization by module, example, MM consultant can not config SD module, how to do it?

Question 3): Can we generate a suitable authorization profile from a IMG project? Example, if we create a IMG project just with SD module, can system generate a profile which is suitable for this project?

Answer:
I found /forums/viewtopic.php?t=113853&highlight=img, is this the best solution for question 3?

If we create MM IMG project & SD IMG project, it seems it can also be used for question 2. But for many config, I am sure only SM30 is required no matter in MM or SD module. Is there an object which can control it?

For question 1, I think we can import all T_code from entire IMG like this. Or we can insert all T_code from talbe cus_actobj & cus_acth and generate the profile, which one is better in general?

Thanks for advice.

Answer:
You should create a SPRO role based on all the nodes and remove all the basis and Security authorizaitons. While you can create a module specific role in the IMG you will end up with a poor quality configuration. SAP is too highly integrated to limit access to only one module. You will end up with the configuration team finding a way to make it work rather then iplementing the correct was to make the system work.

Load the tcode from the two tables, S_TABU_DIS and SM30 is not enough to configure the system correctly