Roles Database: What authorizations can I grant

The Roles Database Application: What authorizations can I grant?

You can also do any of the following lookup operations from the Roles Web pages. (See My Authorizations.)

Three levels of authorization granting

There are three different levels at which people are given the authority to create authorizations:

"Central" authority to grant any authorization within a category (e.g., SAP)
Primary Authorizer authority for a department
Authority to delegate individual authorizations (with specific Functions and Qualifiers)

1. "Central" authority to grant any authorization within a category

Only a small number of central administrators are given this authority. To see if you are allowed to grant any authorization in a given category:

Open the "Authorization List" screen.
Choose Selection Set "My Authorizations" from the drop down menu.
Click on Refresh.

Result: The lower portion of the screen displays your authorizations.
You can create any authorization in a category if you have an authorization with category "META" and a Function of CREATE AUTHORIZATIONS.
For example:

User Function Category Qual. Code Qualifier Name

your_kerbname CREATE AUTHORIZATIONS META CATSAP FUNCTION CATEGORY: SAP

Such a "meta-authorization" lets you create any authorization within the Category SAP, i.e., an authorization with any SAP-related Function and any Qualifier (with the right Qualifier Type for the chosen Function).

User	Function	Category	Qual. Code	Qualifier Name
your_kerbname	CREATE AUTHORIZATIONS	META	CATSAP	FUNCTION CATEGORY: SAP

2. Primary Authorizer authority

Primary Authorizers for a department are allowed to grant authorizations for a predefined suite of Functions, with Qualifiers related to the given department. To see if you have Primary Authorizer authority for a department:

Open the "Authorization List" screen.
Choose Selection Set "My Authorizations" from the drop down menu.
Click on Refresh.

Result: The lower portion of the screen displays your authorizations.
You have Primary Authorizer authority if you have an authorization with category "META" and a Function of PRIMARY AUTHORIZER. The Qualifier specifies the department code.
For example:

User Function Category Qual. Code Qualifier Name

your_kerbname PRIMARY AUTHORIZER META D_PHYSICS PHYSICS

Such an authorization lets you create authorizations for Functions within the Primary Authorizer suite of Functions, and a Qualifier related to the designated department code (and the right Qualifier Type for the chosen Function). The list of Functions included in this suite will increase over time.
Here is the list of Functions that can be granted by Primary Authorizers, along with their corresponding Qualifier Types, as of 5/31/2000:

Function Corresponding Qualifier

APPROVER MOD x LEV y a Spending Group associated with the department

CAN SPEND OR COMMIT FUNDS a Fund Center or Fund associated with the department

CAN USE SAP NULL (no qualifier needed)

INVOICE APPROVAL UNLIMITED a Fund Center or Fund associated with the department

JV (FY) NULL (no qualifier needed)

JV (IP) NULL (no qualifier needed)

JV (STANDARD) NULL (no qualifier needed)

MANUAL RESERVATION NULL (no qualifier needed)

REPORT BY CO/PC a Profit Center, group of Profit Centers, or Cost Object associated with the department

REPORT BY FUND/FC a Fund Center or Fund associated with the department

REQUISITIONER NULL (no qualifier needed)

SEE SALARY SUBTOTAL IN REPORTS NULL (no qualifier needed)

TRAVEL DOCUMENTS APPROVAL a Fund Center or Fund associated with the department

User	Function	Category	Qual. Code	Qualifier Name
your_kerbname	PRIMARY AUTHORIZER	META	D_PHYSICS	PHYSICS

Function	Corresponding Qualifier
APPROVER MOD x LEV y	a Spending Group associated with the department
CAN SPEND OR COMMIT FUNDS	a Fund Center or Fund associated with the department
CAN USE SAP	NULL (no qualifier needed)
INVOICE APPROVAL UNLIMITED	a Fund Center or Fund associated with the department
JV (FY)	NULL (no qualifier needed)
JV (IP)	NULL (no qualifier needed)
JV (STANDARD)	NULL (no qualifier needed)
MANUAL RESERVATION	NULL (no qualifier needed)
REPORT BY CO/PC	a Profit Center, group of Profit Centers, or Cost Object associated with the department
REPORT BY FUND/FC	a Fund Center or Fund associated with the department
REQUISITIONER	NULL (no qualifier needed)
SEE SALARY SUBTOTAL IN REPORTS	NULL (no qualifier needed)
TRAVEL DOCUMENTS APPROVAL	a Fund Center or Fund associated with the department

3. Authority to delegate individual authorizations

To see which authorizations you can delegate:

Open the "Authorization List" screen.
Choose Selection Set"My Authorizations that I can delegate" from the drop down menu.
Click on Refresh.

Result: The lower portion of the screen displays your authorizations you can delegate.
If any authorizations are listed, you can grant one or more of these authorizations to other people. You can delegate an authorization to others if the Grant field is set to Y (yes).
Delegating an authorization creates a new authorization with the same Function as the original, and with a Qualifier that is either equal to the original Qualifier or a descendent in the Qualifier hierarchy. (This presumes that Grant = Y and Descend = Y.) For example, suppose jsmith has the following authorization:

User Function Category Qual. Code Qualifier Name

jsmith REPORT BY CO/PC SAP 0HC00004 Sloan School of Mgment

If Grant = Y and Descend = Y, jsmith can create the following authorizations:

User Function Category Qual. Code Qualifier Name

anybody REPORT BY CO/PC SAP 0HC00004 Sloan School of Mgment

whoknows REPORT BY CO/PC SAP 0HC0000401 Behavioral & Policy Sci.

joeuser REPORT BY CO/PC SAP I2516700 Summer Sess. Discr. Acct.

The Qualifier Codes 0HC0000401 and I2516700 are allowed because they are descendents of 0HC00004 in the qualifier hierarchy.

User	Function	Category	Qual. Code	Qualifier Name
anybody	REPORT BY CO/PC	SAP	0HC00004	Sloan School of Mgment
whoknows	REPORT BY CO/PC	SAP	0HC0000401	Behavioral & Policy Sci.
joeuser	REPORT BY CO/PC	SAP	I2516700	Summer Sess. Discr. Acct.