This has come up a couple of times recently so I thought I would cover it here.
The scenario: a company wants users to be able to enter journal entries but only allow certain users to post to the GL. One answer is to prevent transaction and series posting and require batch approval with a password. This works, but requiring approval applies to ALL GL posting, including posting from subledgers.
Another way is to control posting through security. Posting access is controlled via the "Series Posting Permission" type in Security Tasks. By default, GL Posting is included in the TRX_FIN_003* and ADMIN_COMPANY_11* tasks. Yeah, you didn't see the ADMIN_COMPANY_11* task coming, did you? That task also includes batch recovery, so more users may have this than you think.
This is why I recommend that you don't rely on the default tasks and roles. You really need to know what's in there.
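One way to see who actually holds either of those two tasks, as an added example that is not from the original post: the query below assumes the standard GP security tables in the system database (SY10500 for user-to-role assignments per company, SY10600 for role-to-task assignments, SY01500 for the company master) and assumes the system database is named DYNAMICS.

```sql
-- Added example: list every user/company/role combination that inherits
-- one of the two default tasks named in this post.
-- Assumption: the GP system database is named DYNAMICS; adjust if yours differs.
USE DYNAMICS;

SELECT
    RTRIM(ur.USERID)         AS UserID,
    RTRIM(c.CMPNYNAM)        AS CompanyName,
    RTRIM(ur.SECURITYROLEID) AS SecurityRole,
    RTRIM(rt.SECURITYTASKID) AS SecurityTask
FROM SY10500 AS ur                  -- user -> role assignment, per company
JOIN SY10600 AS rt                  -- role -> task assignment
    ON rt.SECURITYROLEID = ur.SECURITYROLEID
JOIN SY01500 AS c                   -- company master, for a readable name
    ON c.CMPANYID = ur.CMPANYID
-- Task IDs are matched exactly as written in the post, trailing asterisk included.
WHERE rt.SECURITYTASKID IN ('TRX_FIN_003*', 'ADMIN_COMPANY_11*')
ORDER BY UserID, CompanyName, SecurityTask;
```

This only finds the two default task IDs; a copied or custom task that carries the same posting permission under a different ID will not appear, so review those tasks separately.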
[HT to David Musgrave when I brain farted with this. I missed the ADMIN_COMPANY_11* role]