Skip to main content

Rights — Users / Roles

The Rights — Users / Roles screen pivots the rights matrix by user and role. One line per (Application, User, Role, Object) quadruplet. It returns every SER_RUN = 'Y' row — both the direct user-level rights and the inherited role-level rights resolved on a per-user basis.

This is the effective rights view: what each user actually carries, broken down by where the right comes from.

At a glance

Nomasx-1 · Applications · Rights · Users / RolesAPPUSERROLEOBJECTFORMRUNADDCHGDEL12APMGRACCT_APP0411W0411AYYYN12APMGRAPPROVERP43081W43081AYNYN12APMGR— (direct)P03B11W03B11AYYYY1 — 50 of 41 287 effective rights · user APMGR holds 3 rights via 2 roles + 1 direct

Goal of the view

The pivot makes three questions immediate:

  • What can this user actually do? Filter on a single User ID to obtain the full effective wallet — direct grants and inherited grants together. The roles column tells you which role lit up each row.
  • Through which role? When the same right surfaces under several roles, those roles are partial duplicates — candidates for consolidation.
  • Is the user holding a right outside any role? A row with an empty Role ID is a direct user-level grant — see Rights — Users for the dedicated screen.

Columns

ColumnSourceWhat it tells you
Application IDSER_APPS_ID — application identifier. Filterable.Which application the right applies to.
User IDSER_USER_ID — user holding the right. Filterable, scoped to the application.The effective holder of the right.
Role IDSER_ROLE_ID — role granting the right. Filterable by source.The role the right was inherited from. Empty (or *ROLE) on the source side means direct user-level grant.
ObjectSER_OBJECT — technical object. Filterable, scoped to the application.What the right unlocks.
FormSERL_FORM — form code within the object.Specific form.
VersionSER_VERSION — processing version.Configuration variant.
Run / Add / Change / DeleteSER_RUN, SER_ADD, SER_CHG, SER_DELY / N.Action flags. Only Run = Y rows surface.
Role Action IDSER_ROLE_ACTION_ID — action identifier.Source-system action descriptor.

Tips & best practices

  • Filter on a single User ID to get the user's full effective wallet — the answer most auditors actually need.
  • Group by Object on a user filter to spot when the same object surfaces through multiple roles. Each duplicate is a hint that role membership could be trimmed.
  • A user with rights coming through a single role + few direct grants is the cleanest setup — the inverse (many direct grants, few or no roles) is the heaviest to audit.
  • Combine with the Conflicts → Details screen to confirm the role pair that generates a given SoD conflict.