Overview
Role-Based Access Control (RBAC) in AP Accruals ensures that each user has the right level of access to configure accruals, review and approve them, and post them to your ERP—without exposing unnecessary data or permissions.
RBAC is based on roles rather than individual user-by-user settings. Each role comes with a defined set of actions (what the user can do) and scopes (which areas or data they can access). This supports security, separation of duties, and auditability.
AP Accruals Roles Overview
AP Accruals uses a set of dedicated roles to control who can configure accrual logic, who can approve it, who can work with data, and who can only review activity.
At a high level:
GL Manager – designs and maintains accrual flows and can post to ERP
GL Approver – approves accruals and can post to ERP, but cannot change the flow configuration
GL Agent – operational user with access to accrual data and activity, but cannot post to ERP
GL Audit – read‑only user with visibility into accrual data and logs, no posting or configuration rights
These roles can be combined with your internal team structure (e.g., GL, AP, controllers, audit) to align with your organization’s control framework.
GL Manager
Purpose
The GL Manager is responsible for configuring and maintaining the accrual flows used by AP Accruals. This role is typically assigned to senior members of the GL or finance team who design how accruals should behave end to end.
Typical capabilities
Configure and update AP Accruals / SmartGL flows
Define or adjust how data is processed within those flows
Review accrual outputs and flow behavior
Initiate and execute journal posting to the ERP (write to ERP)
Access data management views related to AP Accruals
View product‑level audit and activity logs
Typical restrictions
Does not have to be the business approver for every accrual (you can separate configuration from approval by using the GL Approver role).
This role is best suited for users who own the accrual design and ERP integration aspects of the process.
GL Approver
Purpose
The GL Approver is focused on business approval and sign‑off. This role is usually given to controllers or finance managers who validate that accruals are correct and ready to be posted to the ERP.
Typical capabilities
Review accruals and SmartGL outputs prepared by the team
Approve or reject accruals and flow results from a business perspective
Add review comments and feedback for the operational team
Initiate and execute journal posting to the ERP (write to ERP)
Access data management views related to AP Accruals
View product‑level audit and activity logs
Typical restrictions
Cannot edit or redesign the underlying SmartGL / AP Accruals flows
Cannot change configuration logic that defines how accruals are calculated
This creates a clear separation between who configures the flows (GL Manager) and who approves the resulting accruals (GL Approver), supporting standard segregation‑of‑duties requirements.
GL Agent
Purpose
The GL Agent is an operational role for team members who work with accrual data and help prepare or monitor accruals but should not be able to post journals to the ERP.
Typical capabilities
Access data management related to AP Accruals (within the scope you assign)
Review accrual‑related data and status
Support the preparation, investigation, and reconciliation of accruals
View product‑level audit and activity logs
Typical restrictions
Cannot write or post journals to the ERP
Cannot approve accruals as the designated final approver
Cannot configure or edit AP Accruals / SmartGL flows
This role is ideal for analysts and operational staff who need full visibility into accrual data and activity but should not execute final postings or change configurations.
GL Audit
Purpose
The GL Audit role is designed for users who need visibility into accruals and related activity for review and oversight only, such as internal audit, external audit, or finance leadership.
Typical capabilities
Read‑only access to AP Accruals data within assigned scope
Read‑only access to relevant product‑level audit and activity logs
Ability to trace how accruals were generated, reviewed, and posted
Typical restrictions
Cannot configure or edit AP Accruals / SmartGL flows
Cannot approve accruals
Cannot write or post journals to the ERP
Cannot modify data management settings
This role ensures auditors and reviewers have the transparency they need without introducing any risk of accidental changes.
How RBAC Supports Your Control Framework
Using these roles consistently within AP Accruals helps you:
Enforce separation of duties
One set of users configures accrual flows (GL Manager).
Another set approves results and can post (GL Approver).
Operational staff support day‑to‑day work without posting rights (GL Agent).
Auditors and reviewers see everything they need but remain read‑only (GL Audit).
Limit access to sensitive actions
Only specific roles can post journals to your ERP or change accrual configuration.Improve auditability
Actions are tied to roles with clearly defined responsibilities, simplifying reviews and audits.