Role-Based Access Control (RBAC) for AP Accruals

Overview

Role-Based Access Control (RBAC) in AP Accruals ensures that each user has the right level of access to configure accruals, review and approve them, and post them to your ERP—without exposing unnecessary data or permissions.

RBAC is based on roles rather than individual user-by-user settings. Each role comes with a defined set of actions (what the user can do) and scopes (which areas or data they can access). This supports security, separation of duties, and auditability.


AP Accruals Roles Overview

AP Accruals uses a set of dedicated roles to control who can configure accrual logic, who can approve it, who can work with data, and who can only review activity.

At a high level:

  • GL Manager – designs and maintains accrual flows and can post to ERP

  • GL Approver – approves accruals and can post to ERP, but cannot change the flow configuration

  • GL Agent – operational user with access to accrual data and activity, but cannot post to ERP

  • GL Audit – read‑only user with visibility into accrual data and logs, no posting or configuration rights

These roles can be combined with your internal team structure (e.g., GL, AP, controllers, audit) to align with your organization’s control framework.


GL Manager

Purpose
The GL Manager is responsible for configuring and maintaining the accrual flows used by AP Accruals. This role is typically assigned to senior members of the GL or finance team who design how accruals should behave end to end.

Typical capabilities

  • Configure and update AP Accruals / SmartGL flows

  • Define or adjust how data is processed within those flows

  • Review accrual outputs and flow behavior

  • Initiate and execute journal posting to the ERP (write to ERP)

  • Access data management views related to AP Accruals

  • View product‑level audit and activity logs

Typical restrictions

  • Does not have to be the business approver for every accrual (you can separate configuration from approval by using the GL Approver role).

This role is best suited for users who own the accrual design and ERP integration aspects of the process.


GL Approver

Purpose
The GL Approver is focused on business approval and sign‑off. This role is usually given to controllers or finance managers who validate that accruals are correct and ready to be posted to the ERP.

Typical capabilities

  • Review accruals and SmartGL outputs prepared by the team

  • Approve or reject accruals and flow results from a business perspective

  • Add review comments and feedback for the operational team

  • Initiate and execute journal posting to the ERP (write to ERP)

  • Access data management views related to AP Accruals

  • View product‑level audit and activity logs

Typical restrictions

  • Cannot edit or redesign the underlying SmartGL / AP Accruals flows

  • Cannot change configuration logic that defines how accruals are calculated

This creates a clear separation between who configures the flows (GL Manager) and who approves the resulting accruals (GL Approver), supporting standard segregation‑of‑duties requirements.


GL Agent

Purpose
The GL Agent is an operational role for team members who work with accrual data and help prepare or monitor accruals but should not be able to post journals to the ERP.

Typical capabilities

  • Access data management related to AP Accruals (within the scope you assign)

  • Review accrual‑related data and status

  • Support the preparation, investigation, and reconciliation of accruals

  • View product‑level audit and activity logs

Typical restrictions

  • Cannot write or post journals to the ERP

  • Cannot approve accruals as the designated final approver

  • Cannot configure or edit AP Accruals / SmartGL flows

This role is ideal for analysts and operational staff who need full visibility into accrual data and activity but should not execute final postings or change configurations.


GL Audit

Purpose
The GL Audit role is designed for users who need visibility into accruals and related activity for review and oversight only, such as internal audit, external audit, or finance leadership.

Typical capabilities

  • Read‑only access to AP Accruals data within assigned scope

  • Read‑only access to relevant product‑level audit and activity logs

  • Ability to trace how accruals were generated, reviewed, and posted

Typical restrictions

  • Cannot configure or edit AP Accruals / SmartGL flows

  • Cannot approve accruals

  • Cannot write or post journals to the ERP

  • Cannot modify data management settings

This role ensures auditors and reviewers have the transparency they need without introducing any risk of accidental changes.


How RBAC Supports Your Control Framework

Using these roles consistently within AP Accruals helps you:

  • Enforce separation of duties

    • One set of users configures accrual flows (GL Manager).

    • Another set approves results and can post (GL Approver).

    • Operational staff support day‑to‑day work without posting rights (GL Agent).

    • Auditors and reviewers see everything they need but remain read‑only (GL Audit).

  • Limit access to sensitive actions
    Only specific roles can post journals to your ERP or change accrual configuration.

  • Improve auditability
    Actions are tied to roles with clearly defined responsibilities, simplifying reviews and audits.