A roles and permissions matrix, an audit requirement in some organizations, is used to ensure that business activities are covered by identifying the responsibilities and roles linked to them.
Once roles are assigned, the activities under each role are then linked to the persons that may perform those activities within the business. A role can be assigned to several employees who share common functions. Staff with the same job title may perform different roles on the system and staff with different job titles may perform the same role on the system.
Roles and permissions matrix is particularly important as it serves as a reference point for checks and balances within the system, as individuals are prevented from performing actions outside their roles and authorities.
It is depicted in a tabular format with the roles contained in vertical columns while activities are shown in the individual rows. The steps involved in developing this matrix are as follows:
Roles are identified using organograms, job descriptions, and user guides, to name a few. The BA may also review what has been documented with stakeholders to confirm completion.
Document and check completeness of activities
Activities may be identified by the BA using process models or functional diagrams
Authorities are the actions roles are allowed to perform. During this exercise, the level of security needed should be considered per authority.