May 29, 2024

Marov Business

Business Blog

Roles and Permissions Matrix

How do we minimize fraudulent activities in our applications?

Let’s be clear that not all stakeholders always have the right intent.

Some stakeholders come with the wrong intent, and if they find loopholes in an application, they use them for their benefit. For example, I know of a particular incident reported by a client where a person in the accounts payable function created 56 suppliers and kept paying a small amount to this group of suppliers, which never existed. It was a minimal amount, maybe $20 or $30 a month, and nobody would catch it. But in about five years’ time, the person had siphoned off half a million dollars from the company. These things are possible if we are not careful. So, is there a technique that can help prevent such incidents? There is one.

We will learn about another important business analysis technique, the Roles and Permissions Matrix. But before we get into the technique, let’s take a look at our project context and how we applied this technique to our project context.

A Roles and Permissions Matrix ensures coverage of activities by denoting responsibility, identifying roles, and discovering missing roles. A Roles and Permissions Matrix can exist at different levels:

  • Initiative level roles and responsibilities with RACI matrix.
  • IT system roles and responsibilities with CRUD (Create, Read, Update and Delete) matrix.

Steps to build Roles and Permissions Matrix

Step 1 – Identify roles

Review organizational Chart, job descriptions, procedure manuals and user guides, and discuss with stakeholders. Look for common functions performed by individuals with similar needs.

Step 2 – Identify activities

Use functional decomposition, process models and use cases to list the activities the roles perform.

Step 3 – Identify authorities

Authorities are actions that identified roles are permitted to perform. For each activity, identify authorities for each role.

Step 4 – Identify delegations

Identify which authorities can be delegated by one individual to another on a short-term or permanent basis.

Strengths of the technique:

  • Provides procedural checks and balances, and data security, by restricting individuals from performing all actions.
  • Promotes improved review of transaction history: audit logs can capture details about the authorities assigned at the time of each transaction.
  • Provides documented roles and responsibilities for activities.

Limitations of the technique:

  • The required level of detail must be recognized: too much detail can be time consuming, too little detail can exclude necessary roles.

Worked out example:

Let us learn how to create a Roles and Permissions Matrix by means of an example for the Governance, Risk and Compliance (GRC) management system.

The Governance, Risk and Compliance (GRC) management system is developed for the IT and ITES domain. Its primary objective is to help companies implement Governance, Quality, and Information Security Management Systems in an integrated manner. It has various features, one of which is to plan and track projects and programs using standards such as CMMI, ISO 9001 and ISO 27001.

Different roles for the solution are: Administrator, Project Manager, Business Analyst and Auditor.

Different activities for the solution are: Create project, Update project details, Add risk and Update risk.

The following are a few records from the Roles and Permissions Matrix for the GRC solution (an X marks a role that is authorized for the activity):

Activity Admin PM BA Auditor
Create project X
Update project details X
Add Risk X X X
Update risks X X X
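The matrix above is a document; what stops the accounts payable fraud from the opening story is a system that consults such a matrix on every action, records which authority applied, and keeps anyone from holding every authority at once. The following Python program is an added example, not code from the original post or from any GRC product: it encodes the four roles and four activities of the GRC example, adds the short-term and permanent delegations of Step 4, writes an audit entry per decision (the strength the article notes), and includes two review checks: activities no role can perform (missing roles) and roles that can perform every activity. The article's table does not say which column each X belongs to, so the cell assignments in MATRIX, the user names, and the dates are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Roles and activities named in the article. Which column holds each X in the
# article's matrix is not recoverable, so these cell assignments are assumptions.
ROLES = ("Admin", "PM", "BA", "Auditor")
MATRIX: Dict[str, Set[str]] = {
    "Create project": {"Admin"},
    "Update project details": {"PM"},
    "Add risk": {"Admin", "PM", "BA"},
    "Update risk": {"Admin", "PM", "BA"},
    # Auditor reviews records but holds no write authority in this example.
}

# Constructed timestamps for the demonstration.
T0 = datetime(2024, 5, 29, tzinfo=timezone.utc)
DAY = timedelta(days=1)


@dataclass
class Delegation:
    """Step 4: an authority handed from one individual to another."""
    activity: str
    from_user: str
    to_user: str
    expires: Optional[datetime]  # None means a permanent delegation


@dataclass
class AuthzService:
    user_roles: Dict[str, Set[str]]
    delegations: List[Delegation] = field(default_factory=list)
    audit_log: List[dict] = field(default_factory=list)

    def roles_allowing(self, user: str, activity: str) -> Set[str]:
        """Roles held by `user` that the matrix authorises for `activity`."""
        return MATRIX.get(activity, set()) & self.user_roles.get(user, set())

    def delegate(self, activity: str, from_user: str, to_user: str,
                 now: datetime, days: Optional[int] = None) -> None:
        """Record a delegation; only an authority the delegator holds can be passed on."""
        if not self.roles_allowing(from_user, activity):
            raise PermissionError(f"{from_user} is not authorised for {activity!r}")
        expires = None if days is None else now + timedelta(days=days)
        self.delegations.append(Delegation(activity, from_user, to_user, expires))

    def delegated_from(self, user: str, activity: str, now: datetime) -> Optional[str]:
        """Return the delegator if `user` holds a live delegation for `activity`."""
        for d in self.delegations:
            if d.to_user == user and d.activity == activity:
                if d.expires is None or now < d.expires:
                    return d.from_user
        return None

    def authorize(self, user: str, activity: str, now: datetime) -> bool:
        """Decide whether `user` may perform `activity` and log the basis used."""
        via_roles = self.roles_allowing(user, activity)
        delegator = None if via_roles else self.delegated_from(user, activity, now)
        allowed = bool(via_roles) or delegator is not None
        # The log captures which authority applied at the time of the decision.
        basis = sorted(via_roles) if via_roles else (
            f"delegated by {delegator}" if delegator else None)
        self.audit_log.append({"at": now.isoformat(), "user": user,
                               "activity": activity, "allowed": allowed, "basis": basis})
        return allowed


def activities_without_role(matrix: Dict[str, Set[str]]) -> List[str]:
    """Coverage check: activities that no role is authorised to perform."""
    return sorted(a for a, roles in matrix.items() if not roles)


def roles_with_every_authority(matrix: Dict[str, Set[str]], roles=ROLES) -> List[str]:
    """Checks-and-balances review: roles allowed to perform every activity."""
    return [r for r in roles if all(r in allowed for allowed in matrix.values())]


if __name__ == "__main__":
    svc = AuthzService({"alice": {"Admin"}, "bob": {"PM"}, "carol": {"Auditor"}})
    print(svc.authorize("bob", "Create project", T0))            # False
    svc.delegate("Update project details", "bob", "carol", T0, days=7)
    print(svc.authorize("carol", "Update project details", T0 + DAY))  # True
    print(svc.authorize("carol", "Update project details", T0 + 8 * DAY))  # False
    print(roles_with_every_authority(MATRIX))                     # []
    for entry in svc.audit_log:
        print(entry)
```

Two design points carry the article's argument into the code. A delegation can only be granted by someone the matrix already authorises, so Step 4 cannot become a way around Step 3, and it expires on its own when the short-term period ends. The `roles_with_every_authority` check is the one to run whenever the matrix changes: a role that can both create a supplier and approve its payments is exactly the combination the opening story warns about.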

About Adaptive US

Adaptive US is the World’s #1 Provider of IIBA Certification Courses and Study Aids on CBAP, CCBA, ECBA, CBDA, CPOA, AAC and CCA. It is the ONLY training institute to provide a 100% Success Guarantee or 100% Refund promise for all IIBA certification instructor-led training. It also provides skill-based training to business analysts on business analysis tools and templates.