Currently an User can access to a Request only if he has access to the Scenario and at least one of the OrgUnit1 and one of the OrgUnit2 and one of the OrgUnit3 if these exist in the Request. Can happen that the Role he needs to manage just has data about Plants so it shouldn't be needed to assign him to a Position Sales Org related. But whit the actual logic we have in DSP that isn't possible, an User that doesn't care about Sales Org. data need to have assigned a Position with Sales Org. just to see the Request in his Request page. That doesn't make so much sense for the clients since there is no connection between Plant and Sales Org.
The idea is to give to the Users the possibility to access to a Request if they have access to one of the OrgUnit1 or OrgUnit2 or OrgUnit3 and to the Scenario of course.
To my opinion, the logic to amend is in the DGE.dbo.webRequest_SecurityIns procedure lines 80 - 110.
Does this make sense for you?
Security is not based on Scenario, it's Business Process then Role and OrgUnit. If you'd like to give a user access to that org unit for all Role and Processes they have access to there is a quick and easy way to do that from the Security Positions main page. Changing how the underlying security is designed in not likely to change.