Update:
As of SAP_BASIS 7.31 there's a new concept called "Security Policies".
For users who are assigned to a Security Policy the profile parameter parameters (such as "login/password_logon_usergroup") are no longer relevant; instead, the Security Policy (and its contained Security Policy Attributes) is evaluated.
Like PFCG roles, a Security Policy can be created (using t-code SECPOL) and then assigned to users (using t-code SU01 and SU10). Security Policies are client-specific customizing settings and can be transported.
Best regards,
Wolfgang