
Rights — Roles

The Rights — Roles screen lists every object-level right granted at the role level on a connected application. The query filters on SER_USER_ID = '*ROLE' — the marker the source system uses to indicate a role-level rule rather than a user-level one. One line per (Application, Role, Object) triplet, restricted to rights where SER_RUN = 'Y'.

This is the core of the role-based access model: what a role grants to all of its holders. Everything else (user-level overrides, menu visibility, OUT-derived rights) builds on top.


At a glance

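Nomasx-1 · Applications · Rights · Roles

| APP | ROLE | OBJECT | FORM | VERSION | RUN | ADD | CHG | DEL |
|-----|------|--------|------|---------|-----|-----|-----|-----|
| 12 | ACCT_AP | P0411 | W0411A | ZJDE0001 | Y | Y | Y | N |
| 12 | ACCT_AP | P0413M | W0413A | ZJDE0001 | Y | Y | Y | Y |
| 12 | APPROVER | P43081 | W43081A | ZJDE0001 | Y | N | Y | N |

1 — 50 of 26 410 role-level rights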

Goal of the view

For each role-level right granted on a connected application:

  • What does the role grant? Object, form, version — the right's scope.
  • Which actions are allowed? Run, Add, Change, Delete — the four action flags. A role granting Change and Delete on a financial object is the centerpiece of a segregation-of-duties analysis.
  • Is the role definition still in line with the business intent? Comparing the actual rights here with the role's documented purpose is the most reliable way to detect role drift — rights accumulated over time whose original justification nobody remembers.

Columns

| Column | Source | What it tells you |
|--------|--------|-------------------|
| Application ID | SER_APPS_ID — application identifier. Filterable. | Which application the right applies to. |
| Role ID | SER_ROLE_ID — role granting the right. Filterable, scoped to the application. | The role the rule belongs to. |
| Object | SER_OBJECT — technical object the right applies to. Filterable, scoped to the application. | What the role unlocks. |
| Form | SERL_FORM — form code within the object. | Specific form within the object. |
| Version | SER_VERSION — processing version. | Configuration variant. |
| Run | SER_RUN (Y / N). | Whether the role can open the screen. Only Y rows surface. |
| Role Action ID | SER_ROLE_ACTION_ID — action identifier. | Source-system action descriptor. |
| Add / Change / Delete | SER_ADD, SER_CHG, SER_DEL (Y / N). | Row-level action flags. |

Tips & best practices

  • Filter by Role ID + sort by Object to obtain the full inventory of what a role can do — the deliverable to discuss with the role owner during the access review.
  • Hunt the broad rights — rights on a high-level object with all four flags set to Y are the most generous grants. Confirm the role really needs that level.
  • A role with very few rights is also worth a look — it may be redundant with another role and a candidate for retirement (see Roles not used).
  • Combine with Roles / Menus to verify the role grants both the right and the navigation to reach the object.
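
The role-level filter described at the top of this page and the first three tips, as an added example (not the product's own query). It assumes a hypothetical table `security_rights` filled with constructed rows; only the SER_* column names come from this page.

```python
import sqlite3

# Constructed sample rows. Column order:
# SER_APPS_ID, SER_USER_ID, SER_ROLE_ID, SER_OBJECT, SER_RUN, SER_ADD, SER_CHG, SER_DEL
ROWS = [
    ("12", "*ROLE", "ACCT_AP", "P0411", "Y", "Y", "Y", "N"),
    ("12", "*ROLE", "ACCT_AP", "P0413M", "Y", "Y", "Y", "Y"),
    ("12", "*ROLE", "APPROVER", "P43081", "Y", "N", "Y", "N"),
    ("12", "*ROLE", "APPROVER", "P0411", "N", "N", "N", "N"),  # SER_RUN = 'N': never surfaces
    ("12", "JDOE", "", "P0411", "Y", "Y", "Y", "Y"),           # user-level rule, not '*ROLE'
]

# The view's filter: role-level rules only, and only rights that can be run.
ROLE_RIGHTS = """
    SELECT SER_APPS_ID, SER_ROLE_ID, SER_OBJECT, SER_ADD, SER_CHG, SER_DEL
    FROM security_rights
    WHERE SER_USER_ID = '*ROLE' AND SER_RUN = 'Y'
"""

def load(rows):
    """Build the hypothetical security_rights table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE security_rights (SER_APPS_ID, SER_USER_ID, SER_ROLE_ID,"
               " SER_OBJECT, SER_RUN, SER_ADD, SER_CHG, SER_DEL)")
    db.executemany("INSERT INTO security_rights VALUES (?,?,?,?,?,?,?,?)", rows)
    return db

def role_inventory(db, role_id):
    """Full inventory of one role, sorted by object (access-review deliverable)."""
    sql = ROLE_RIGHTS + " AND SER_ROLE_ID = ? ORDER BY SER_OBJECT"
    return db.execute(sql, (role_id,)).fetchall()

def broad_rights(db):
    """Role-level rights with Run, Add, Change and Delete all set to 'Y'."""
    sql = (ROLE_RIGHTS + " AND SER_ADD = 'Y' AND SER_CHG = 'Y' AND SER_DEL = 'Y'"
           " ORDER BY SER_ROLE_ID, SER_OBJECT")
    return [(app, role, obj) for app, role, obj, *_ in db.execute(sql)]

def rights_per_role(db):
    """Count of visible rights per role; very small counts hint at redundant roles."""
    sql = f"SELECT SER_ROLE_ID, COUNT(*) FROM ({ROLE_RIGHTS}) GROUP BY SER_ROLE_ID"
    return dict(db.execute(sql))

if __name__ == "__main__":
    db = load(ROWS)
    for row in role_inventory(db, "ACCT_AP"):
        print(row)
    print("broad:", broad_rights(db))
    print("counts:", rights_per_role(db))
```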