Roles matrix
The Roles matrix screen groups users by their exact combination of roles. One line per (Application, Role combination). For every distinct role wallet found across the active user base of an application, the screen shows how many users hold exactly that combination and a sample user as a starting point.
This is the most concise way to see what the security model actually looks like in practice — not what was designed on paper, but what users effectively carry.
At a glance
Goal of the view
For each connected application, group its active users by the exact set of roles they hold and answer:
- What is the standard role combination? The line with the largest Users count usually matches the typical onboarding template — every line below it deserves a look.
- What are the outliers? Combinations held by one or two users only often hide leftover roles from past responsibilities, mis-assignments, or accumulating permissions over time.
- Where do segregation-of-duties risks live? A combination that mixes incompatible roles (e.g. Create vendor + Approve payment) is the single most useful starting point for an SoD analysis — the matrix surfaces it directly.
The screen complements Assignments by collapsing thousands of rows into a few dozen lines — easier to scan, easier to discuss with the business.
Columns
| Column | Source | What it tells you |
|---|---|---|
| Application ID | APPS_ID — application identifier from the source system. | The application the combination belongs to. |
| Users count | USERS_COUNT — COUNT(DISTINCT USR_ID) on the combination. | How many active users hold this exact role wallet. |
| Role combination | RLU_ROLE_ID — STRING_AGG(RLU_ROLE_ID, ',' ORDER BY RLU_ROLE_ID) per user. | The comma-separated list of roles, deterministically ordered so identical combinations group together. |
| Sample user | USR_ID — MAX(USR_ID) per combination, scoped to the application. | One real user holding the combination — convenient handle to jump to the Users Audit screen. |
Rows are sorted by Users count descending — the most common combinations appear first.
Tips & best practices
- Pivot the discussion — instead of arguing about thousands of individual assignments, focus on the dozen most common combinations. Each combination is a de facto role template the company actually uses.
- Hunt outliers from the bottom of the list — combinations held by 1 to 3 users. They tend to accumulate quietly when access changes are made one-off rather than via a template.
- Cross-check incompatible pairs — pick a pair of roles known to be incompatible (e.g. Create vendor + Approve payment) and search the Role combination column for lines that contain both. Every hit is an SoD exception to be confirmed or remediated.
- Use the Sample user column as a quick teleport into the Users Audit screen — it confirms what the combination concretely enables in the source system.
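
The grouping described under Columns and the incompatible-pair check from the tips, as an added example that is not the product's own code. The application IDs, role names and the SOD_PAIRS list are constructed assumptions; the check compares whole role names, because a plain substring search also matches roles whose names merely start the same way.

```python
from collections import defaultdict

# Constructed sample rows (APPS_ID, USR_ID, RLU_ROLE_ID), active users only.
ASSIGNMENTS = [
    ("ERP", "U001", "VENDOR_CREATE"),
    ("ERP", "U001", "PAYMENT_APPROVE"),
    ("ERP", "U002", "INVOICE_ENTRY"),
    ("ERP", "U003", "INVOICE_ENTRY"),
    ("ERP", "U004", "VENDOR_CREATE"),
    ("ERP", "U004", "PAYMENT_APPROVE_VIEW"),  # similar name, not the approval role
    ("CRM", "U001", "SALES_REP"),
]

# Hypothetical incompatible pair, mirroring "Create vendor + Approve payment".
SOD_PAIRS = [frozenset({"VENDOR_CREATE", "PAYMENT_APPROVE"})]


def roles_matrix(assignments):
    """Return (app, users_count, role_combination, sample_user) rows,
    most common combinations first."""
    wallets = defaultdict(set)            # (app, user) -> roles held
    for app, user, role in assignments:
        wallets[(app, user)].add(role)
    groups = defaultdict(set)             # (app, combination) -> users
    for (app, user), roles in wallets.items():
        combo = ",".join(sorted(roles))   # deterministic order, as with ORDER BY
        groups[(app, combo)].add(user)
    rows = [(app, len(users), combo, max(users))
            for (app, combo), users in groups.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0], r[2]))


def sod_hits(rows, pairs=SOD_PAIRS):
    """Rows whose combination holds every role of an incompatible pair."""
    hits = []
    for row in rows:
        held = set(row[2].split(","))     # whole role names, not substrings
        if any(pair <= held for pair in pairs):
            hits.append(row)
    return hits


if __name__ == "__main__":
    matrix = roles_matrix(ASSIGNMENTS)
    for row in matrix:
        print(row)
    print("SoD exceptions:", sod_hits(matrix))
```
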