After go-live, there will be situations in which users cannot do their job because they lack the required authorizations. When this happens, it is at least a sign that authorizations were not granted too generously. Nevertheless, these issues have to be resolved.
Understandably, users tend to take a shortcut to get the required authorizations as soon as possible: they contact the (application) administrator and request extra authorizations. However, this would jeopardize the security of the system. Changing the role definition would give all users with that role more authorizations, and maybe they shouldn't have them. Giving the user an extra role (containing the requested authorization) would also grant other authorizations that may be unneeded or undesired.
Therefore, a process should be in place to handle these requests. See below for the process.
The consistency of the role definitions (and therefore the security of the system) can only be safeguarded by having a structured process in place.