Authorizations for creating other Authorizations
Three types of authorizations for creating other authorizations
In the Roles Database, one's authority to create (or delete or modify)
other Authorizations is itself controlled by Authorizations. Note that anyone
authorized to create Authorizations is also authorized to delete or
modify them. Authorizations for maintaining other Authorizations work
in one of three ways:
- Primary Authorizers maintain Authorizations related to a DLC's
resources
A person with an Authorization for either the Function
"HR PRIMARY AUTHORIZER" or "FINANCIAL PRIMARY AUTHORIZER" is able to
maintain Authorizations for a common set of
business Functions with Qualifiers related to the resources of a
specified department.
This is the most common method for giving
a person the authority to maintain Authorizations. The Qualifier for
these Authorizations is a DLC (Department, Lab or Center).
- Central administrators can maintain Authorizations within a
Category or application area
A person with an Authorization for the Function "CREATE AUTHORIZATIONS",
where the Qualifier is a Category (or application area such as HR or EHS)
can create, delete, or modify any Authorization within the given Category.
Generally, a small number of administrators within central offices
have this level of authority.
- Individuals can be given the authority to create Authorizations
for specific Functions and Qualifiers via the Grant flag
Each Authorization in the Roles Database has a "Grant" flag. If
the Grant flag is set to "Y", then the holder of that Authorization can
create Authorizations with the same Function and either the same Qualifier
or a child of the original Qualifier. For example, suppose we have the
following Authorization:
| Person | Function | Qualifier | Grant | Do-function |
|---|---|---|---|---|
| JOE1234 (Joe User) | REPORT ON WIDGETS | D_SCHOOL_SCI (School of Science) | Y | Y |
This Authorization would allow JOE1234 to REPORT ON WIDGETS for the
School of Science or any of the DLCs within the School of Science, such
as Biology, Mathematics, Chemistry, etc. Since the Grant flag is set to
"Y", JOE1234 would also be able to grant a similar Authorization to any
user for the Function "REPORT ON WIDGETS" and either the School of Science
or any DLC under the School of Science.
Note that in this example the Do-function flag is set to "Y", which allows
JOE1234 to perform the Function REPORT ON WIDGETS himself. If
Do-function were set to "N", then JOE1234 would be allowed to grant
Authorizations to anyone (including himself), but not actually
REPORT ON WIDGETS himself (unless he modifies or adds an Authorization for
himself).
There is a complete audit trail of all Authorizations granted, making it
easy for auditors or system administrators to report on Authorizations
created by anyone.
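
The Grant and Do-function rules described above can be modeled as follows. This is an added Python example, not code from the Roles Database itself. The DLC codes other than D_SCHOOL_SCI, the helper names and the audit record layout are assumptions, and recording denied attempts goes beyond what the page states.

```python
from dataclasses import dataclass

# Constructed qualifier hierarchy (child -> parent). Only D_SCHOOL_SCI
# appears on the page; the other codes are hypothetical placeholders.
PARENT = {
    "D_BIOLOGY": "D_SCHOOL_SCI",
    "D_MATH": "D_SCHOOL_SCI",
    "D_CHEMISTRY": "D_SCHOOL_SCI",
    "D_MECHE": "D_SCHOOL_ENG",
}

@dataclass(frozen=True)
class Authorization:
    person: str
    function: str
    qualifier: str
    grant: bool        # "Grant" flag: may create matching Authorizations
    do_function: bool  # "Do-function" flag: may perform the Function

def covers(held: str, wanted: str) -> bool:
    """True if `wanted` is the held Qualifier or one of its descendants."""
    node = wanted
    while node is not None:
        if node == held:
            return True
        node = PARENT.get(node)
    return False

def can_perform(auths, person, function, qualifier) -> bool:
    return any(a.person == person and a.function == function
               and a.do_function and covers(a.qualifier, qualifier)
               for a in auths)

def can_grant(auths, person, function, qualifier) -> bool:
    return any(a.person == person and a.function == function
               and a.grant and covers(a.qualifier, qualifier)
               for a in auths)

def grant(auths, audit, grantor, new: Authorization) -> None:
    """Create `new` only if the grantor's Grant flag covers it."""
    allowed = can_grant(auths, grantor, new.function, new.qualifier)
    # Assumed audit record: (grantor, grantee, function, qualifier, allowed)
    audit.append((grantor, new.person, new.function, new.qualifier, allowed))
    if not allowed:
        raise PermissionError(
            f"{grantor} may not grant {new.function} on {new.qualifier}")
    auths.append(new)
```

With Grant set to "Y" and Do-function set to "N", `can_grant` is true and `can_perform` is false for the same person, so a self-grant is the only way that person gains the Function, and it appears in the audit list with the same person as grantor and grantee.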