Call Now

Get The App


Role Based Access Control (RBAC) in ERP System

  • In computer systems security, role-based access control is an approach to restricting system access to authorized users.
  • It is used by most enterprises and can implement mandatory access control or discretionary access control.
  • RBAC is sometimes referred to as Role-Based Security. Role-Based-Access-Control (RBAC) is a policy neutral access control mechanism defined around roles and privileges.


  • RBAC can be used to facilitate administration of security in large organizations with hundreds of users and thousands of permissions.
  • Roles for staff are defined in organisation and access to the system can be given according to the role assigned.
  • E.g. a junior accountant in accounting department is assigned a role of recording basic accounting transactions,
  • an executive in human resource department is assigned a role of gathering data for salary calculations on monthly basis, etc.


D. Types of Access

While assigning access to different users, following options are possible.

  • Create – Allows to create data
  • Alter – Allows to alter data
  • View – Allows only to view data
  • Print – Allows to print data

Above type of access can be allowed / disallowed for –

  • Master Data
  • Transaction Data
  • Reports


                Audit of ERP Systems

The fundamental objectives of an audit of controls do not change in an ERP environment. When evaluating controls over ERP systems, decisions must be made regarding the relevance of operational internal control procedures to Information Technology (IT) controls.

Specific control procedures for audit objectives must be tested. Controls are divided into General Controls and Application Controls.


Auditing aspects in case of any ERP system can be summarized as under:

i.Auditing of Data

  • Physical Safety – Ensuring physical control over data.
  • Access Control – Ensuring access to the system is given on “need to know”

ii.Auditing of Processes

  • Functional Audit – This includes testing of different functions / features in the system and
  • testing of the overall process or part of process in the system and its comparison with actual process.

e.g. Purchase Process, Sales Process, Salary Calculation Process, Recruitment Process, etc. Auditor may check this process in the system and compare it with actual process.

It is quite possible that all the aspect present in the actual process may not be integrated in the ERP system. There may be some manual intervention.

  • Input Validations – This stands for checking of rules for input of data into the system. E.g. a transaction of cash sales on sales counter must not be recorded in a date other than today (not a future date or a back date), amount field must not be zero, stock item field shall not be empty, etc. Input validations shall change according to each data input form.

Explore All Chapters