Xpandion Blog

  • Home
    Blog Home This is where you can find all the blog posts throughout the site.
  • Tags
    Tags Displays a list of tags that have been used in the blog.

Discover How Simple It Can Be To Manage a Role Catalog

  • Font size: Larger Smaller
  • Hits: 6179
  • Print

One of your accounting clerks just left on maternity leave (congratulations to Sally). Another employee is replacing her and thus has the new responsibility of performing Invoice Reconciliation (good luck to John). To perform this task, John needs to open a new request in the portal for the proper authorization. Then he must browse through the business process list and select Invoice Reconciliation, add an explanation for the request and submit it. The financial top-user receives the request and approves/disapproves it. Upon approval, John is automatically assigned the required authorization role, and even receives and email indicating this.

iStock 000015614694XSmall


Sounds too simple to be true? Not necessarily, that is if you have a well-planned role catalog in your company. Some of our customers have already managed this successfully and the scenario above is actually their business routine when it comes to allocating authorizations.

A role catalog is essentially a structured list of business processes including all the authorization roles that enable each process. Business processes and business roles are created by business analysts; and authorization roles by technical authorization consultants. Hence a role catalog enables end users to communicate easily with the technical authorization team, saving valuable time in the authorization-allocation process.

Learn what the basic elements of creating a role catalog are

The first step in creating a role catalog is to define the list of business processes in an organization. Remember that most of the authorization requests will now be handled by end users and will include the business role name instead of free text; therefore defining the business process list is of great significance. The list of business roles shouldn’t be too broad or too narrow; this way the amount of business roles is reasonable and easy to manage. If your list is very large (don’t panic), simply split it into areas such as Finance, Human Resources, and into sub-areas like Vendor/Master Data and Finance/Assets.

The next step is to define the activities in each business process and the authorization roles required for each activity. The authorization roles should be master roles, meaning they do not include company codes, plant numbers and other organizational objects; these will be added according to employees’ positions.

The final step is to define the required roles as sensitive, and then define the workflow of authorization request approvals for sensitive and non-sensitive roles. For example, if the role is sensitive you might want to demand additional approval from the security manager before the role is granted. Don’t forget to verify that there are no SoD (Segregation of Duties) conflicts in the roles, per each business process. If SoD conflicts exist, each user that requests this business process is sure to create an SoD violation.

Sit back and let your role catalog start rolling

Upon completing the role catalog, you can integrate it into your organizational portal and concentrate on managing it. Believe me, I know that defining the role catalog is not a simple process technically (and politically), yet once the role catalog is in place the focus is shifted from granting authorizations to managing business processes effectively.  Well-built role catalogs enable organizations to automate authorization management, focus on what really needs attention and overall free up valuable time.  


Yoav Michaeli joined Xpandion in 2008 as a team leader, and in 2010 Mr. Michaeli began managing the entire Research & Development group of the company. Prior to joining Xpandion, Mr. Michaeli served in an elite technological unit of the Israeli Defense Forces as a team leader for various key military projects. Among other achievements, he was instrumental in pioneering the use of advanced .NET technologies for large scale distributed systems. Mr. Michaeli is an expert in programming, agile development, application security and specialized programming techniques.


  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest 24/06/2017


in XpandionPosted by Yoav Michaeli

Optimize Licensing Costs. Increase Security

These are amongst some of the most worrying words that enterprises and managers can hear.  And, yet, they are a part of day to day terminology- whether whispered behind  soundproof board room doors, discussed openly by upper management or colleagues addressing them casually over the wate...
in Security & AuthorizationsPosted by Yoav Michaeli

Who Authorized It?!

"Who authorized it?" is definitely the most asked question following a fraud event or leakage of information.  

in Security & AuthorizationsPosted by Dror Aviv

Get Rid of Power Users Once and For All

Organizations have Power Users in all systems (at least I have not yet come across an organization without them). Power Users hold a vast amount of authorizations, or even full authorizations in specific applications.

in Security & AuthorizationsPosted by Yoav Michaeli

The Adventures of a Bored Programmer

What may be considered by a programmer as just playing around might end up as a security nightmare for a SAP® based enterprise. I actually want this to sound dramatic and grab your attention – I have dealt with the consequences of bored programmers' actions too many times...

in Security & AuthorizationsPosted by Dror Aviv

Granting SAP_ALL to Everybody – Crazy or Not?

True Story A customer from a large enterprise came to us and said, “Our company has an ‘open policy.’ We trust our employees, so we grant all of them SAP_ALL. We know that SAP_ALL includes all authorizations in the system but everything’s working fine and our authorizations are very easy to maintai...



157 Yigal Alon Street,

Tel Aviv 67443, Israel


US Office


33 West 19th Street, New York,

NY 10011, USA


India Office


C 103, Akruti Orchid Park, Andheri-Kurla Road,

Andheri East, Mumbai, India