Roles not used
The Roles not used screen lists every role that exists in the source system but has no row in the assignments table. One line per (Application, Role) pair. These roles are the cleanup backlog: they widen the catalog without contributing to any active access.
Eliminating unused roles is what keeps the security model readable, and it shrinks the attack surface: a role that nobody holds today can be assigned to a service account tomorrow without anyone noticing.
At a glance
Goal of the view
For each role known to any connected application, surface those with zero active assignments:
- What should be retired? Roles with zero holders are the obvious cleanup target. The data is precomputed via a `LEFT JOIN` against `SECURITY_ASSIGNMENTS` filtered on `NULL` — no double counting, no false positives.
- What was the role originally meant for? Use the Roles screen to recall the original purpose before deleting — a role with no current holder may simply be a break-glass role kept ready for an incident.
- Is the same role repeated under several names? Listing unused roles often reveals naming drift (e.g. `ACCT_AP_OLD` next to the live `ACCT_AP`).
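The `LEFT JOIN ... IS NULL` behind this screen, as an added example that is not the product's own code: it assumes a `SECURITY_ROLES` table holding one row per known (`APPS_ID`, `ROL_ID`) pair and an `APPS_NAME` column on `SETTINGS_APPLICATIONS` (both assumptions; only `SECURITY_ASSIGNMENTS`, `SETTINGS_APPLICATIONS`, `APPS_ID` and `ROL_ID` come from the page), and runs against constructed sample data in an in-memory SQLite database.

```python
import sqlite3

# Assumed schema (not from the page): SECURITY_ROLES holds one row per
# (APPS_ID, ROL_ID) known to a connected application; SETTINGS_APPLICATIONS
# maps APPS_ID to a display name; SECURITY_ASSIGNMENTS holds one row per
# holder of a role. Column names APPS_ID / ROL_ID follow the page.
SCHEMA = """
CREATE TABLE SETTINGS_APPLICATIONS (APPS_ID TEXT PRIMARY KEY, APPS_NAME TEXT);
CREATE TABLE SECURITY_ROLES (APPS_ID TEXT, ROL_ID TEXT, PRIMARY KEY (APPS_ID, ROL_ID));
CREATE TABLE SECURITY_ASSIGNMENTS (APPS_ID TEXT, ROL_ID TEXT, ACCOUNT_ID TEXT);
"""

# Constructed sample data: ACCT_AP is live (two holders), ACCT_AP_OLD is
# naming drift with no holder, BREAK_GLASS is an intentional reserve.
SAMPLE = {
    "SETTINGS_APPLICATIONS": [("ERP", "Finance ERP"), ("CRM", "Sales CRM")],
    "SECURITY_ROLES": [("ERP", "ACCT_AP"), ("ERP", "ACCT_AP_OLD"),
                       ("ERP", "BREAK_GLASS"), ("CRM", "SALES_READ")],
    "SECURITY_ASSIGNMENTS": [("ERP", "ACCT_AP", "alice"), ("ERP", "ACCT_AP", "bob"),
                             ("CRM", "SALES_READ", "carol")],
}

# Every role, LEFT JOINed to its assignments, kept only where no assignment
# row matched. Filtering on the joined side being NULL means a role with ten
# holders and a role with one holder are both excluded exactly once, so the
# result is one line per (Application, Role) pair with no double counting.
UNUSED_ROLES_SQL = """
SELECT r.APPS_ID, a.APPS_NAME, r.ROL_ID
  FROM SECURITY_ROLES r
  JOIN SETTINGS_APPLICATIONS a ON a.APPS_ID = r.APPS_ID
  LEFT JOIN SECURITY_ASSIGNMENTS s
         ON s.APPS_ID = r.APPS_ID AND s.ROL_ID = r.ROL_ID
 WHERE s.ROL_ID IS NULL
 ORDER BY r.APPS_ID, r.ROL_ID
"""

def build_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def unused_roles(conn):
    """Return [(APPS_ID, APPS_NAME, ROL_ID)] for roles with zero holders."""
    return conn.execute(UNUSED_ROLES_SQL).fetchall()

if __name__ == "__main__":
    for app_id, app_name, role in unused_roles(build_db()):
        print(f"{app_id} ({app_name}): {role}")
```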
The screen is one of the deliverables auditors expect at every quarterly access review.
Columns
| Column | Source | What it tells you |
|---|---|---|
| Application ID | APPS_ID — application identifier from the source system. Joined to SETTINGS_APPLICATIONS to also show the application name. | Which application the unused role belongs to. |
| Role ID | ROL_ID — role identifier (technical name). Filtered down by the chosen application. | The role that has zero assignments. |
The two filter inputs above the grid (Application ID and Role ID) accept the standard contains / equals / not equals / starts with / ends with operators. The Role ID lookup is scoped to the application chosen above.
Tips & best practices
- Sort by Application ID to review one source at a time — the cleanup decision is usually owned by the security administrator of that application.
- Cross-reference with the Roles screen to read the original description before deleting — some unused roles are intentional reserves.
- Confirm with the source system before removing: the row will disappear from the Roles catalog on the next scan, but the underlying role definition must be deleted in the source itself.
- Re-run the screen after the next scan to confirm the cleanup landed — the row should drop out automatically.