Rules governing which authorizations you can grant

Three kinds of Authorizers

There are three kinds of Authorizers, or people who grant authorizations to others:

Central Authorizers
These are central maintainers of authorizations who can grant an authorization for any function or qualifier within one or more Categories (e.g., SAP, NIMB, GRAD, etc.). (The Central Authorizers for SAP authorizations are the Business Liaison Team .)
Departmental Primary Authorizers
Each department will generally have 1-3 people who can grant authorizations for any of the qualifiers pertaining to that department. They can choose from a standard list of Functions grantable by all Primary Authorizers (PA). (PAs are designated by the the Department Head or equivalent.)
Departmental Secondary Authorizers
Only some departments will have Secondary Authorizers (SA). Where present, an SA will be allowed to grant authorizations for a subset of the qualifiers of a department, possibly just within one Fund Center or Spending Group. The SA will also be limited in the Functions he/she can choose. SAs are set up by a department's Primary Authorizers to help with a subset of authorization duties.

What authorizations can be granted by central authorizers?

To find out which authorizations a Central Authorizer can create, follow the Authorizations for a person link. From the "Show authorizations for a person" screen, enter the Central Authorizer's Kerberos name and select META Roles META-auth from the category drop-down menu.

On the resulting report, look at the Qualifier column (e.g., CATSAP, CATNIMB, CATWRHS) to see the Categories for which the Central Authorizer can grant authorizations. For example, if the Central Authorizer has a "CREATE AUTHORIZATIONS" authorization for CATSAP, then the Central Authorizer can grant any authorization within the SAP category.

For departmental authorizers (both Primary and Secondary), the situation is a little more complicated, and will be explained in the next section.

What authorizations can be granted by departmental authorizers?

To determine what authorizations a departmental Primary Authorizer can grant, you first find all authorizations for the PA where Grant=Y. Suppose user JOEUSER has the following set of authorizations:

Person	Function	Qualifier	Grant
JOEUSER	CAN SPEND OR COMMIT FUNDS	FC_VPIS	Y
JOEUSER	REQUISITIONER	NULL	Y
JOEUSER	INVOICE APPROVAL UNLIMITED	FC_VPIS	Y
JOEUSER	TRAVEL DOCUMENTS APPROVAL	FC_VPIS	Y
JOEUSER	REPORT BY CO/PC	0HPC00102	Y

(An actual PA would be permitted to grant authorizations for more business functions than those listed above, but let's use this list for our discussion.)

JOEUSER could grant (or delete) any authorization to any person at MIT who has a Kerberos username where Function and Qualifier are among the following:

Function Qualifier

CAN SPEND OR COMMIT FUNDS FC_VPIS or any Fund Center or Fund under FC_VPIS

REQUISITIONER NULL

INVOICE APPROVAL UNLIMITED FC_VPIS or any Fund Center or Fund under FC_VPIS

TRAVEL DOCUMENTS APPROVAL FC_VPIS or any Fund Center or Fund under FC_VPIS

REPORT BY CO/PC Profit center node 0HPC00102 or any Cost Object or Profit Center under 0HPC00102

SEE SALARY SUBTOTAL IN REPORTS NULL

Function	Qualifier
CAN SPEND OR COMMIT FUNDS	FC_VPIS or any Fund Center or Fund under FC_VPIS
REQUISITIONER	NULL
INVOICE APPROVAL UNLIMITED	FC_VPIS or any Fund Center or Fund under FC_VPIS
TRAVEL DOCUMENTS APPROVAL	FC_VPIS or any Fund Center or Fund under FC_VPIS
REPORT BY CO/PC	Profit center node 0HPC00102 or any Cost Object or Profit Center under 0HPC00102
SEE SALARY SUBTOTAL IN REPORTS	NULL

You might ask why JOEUSER is permitted to grant an authorization to anyone at MIT. Why isn't he restricted to just people in his department? The reason is that we cannot pre-determine who is "in his department." We could find a list of employees with the same Personnel organization unit number as JOEUSER, but that would exclude the contractors, graduate students, and other non-employees who also need access to departmental resources. And since there are many cross-departmental projects at MIT, a person in one department might need to be authorized for resources in a second department. Since there is no practical way to pre-determine which people will need access to a department's resources, we leave the decision up to the departmental Primary (or Secondary) Authorizer. JOEUSER can grant an authorization for his department's resources to anyone at MIT, and it is his responsibility as a PA to make sure he grants it to the right person.

Cross-departmental effects of qualifier-less authorizations

In the above example, when JOEUSER grants an authorization for Functions CAN SPEND OR COMMIT FUNDS, INVOICE APPROVAL UNLIMITED, TRAVEL DOCUMENTS APPROVAL, or REPORT BY CO/PC, he must pick a Qualifier that falls within his department's Funds and Fund Centers or Cost Objects and Profit Centers.

However in the case of Functions such as CAN USE SAP, REQUISITIONER, CREDIT CARD VERIFIER, or SEE SALARY SUBTOTAL IN REPORTS, the Qualifier is NULL, meaning the Authorization is either "on" or "off". In itself, the Authorization cannot be restricted to the resources within JOEUSER's department, although it may be linked with other authorizations. Let's look at the implications for some of these "qualifier-less" authorizations.

SEE SALARY SUBTOTAL IN REPORTS
The function SEE SALARY SUBTOTAL IN REPORTS is related to the REPORT BY CO/PC and REPORT BY FUND/FC functions. It controls whether a person can see salary subtotals by cost object in a certain MIT-developed report under SAP. If a person is authorized to run reports on two different profit centers, it is not possible to authorize the person to see salary subtotals for one profit center but not the other.
If a person, e.g., TOMUSER, needs to do reporting for two different departments, each of which has a different policy on seeing salary subtotals, then the department with the more restrictive policy (can't see salary subtotals) needs to either (a) relax their policy and let TOMUSER see salary subtotals, or (b) revoke TOMUSER's reporting authorization for their department. The Institute practice has been that an employee's need to know or do something overrides a conflicting preference that the employee not have access to the information or resource.
If you grant a "SEE SALARY SUBTOTAL IN REPORTS" authorization to a user who has reporting authorizations for another department, make sure you notify the Primary Authorizer for the other department that you are making this change. This will allow the other PA to review the employee's reporting access and possibly remove the employee's reporting access for their department.
REQUISITIONER and CREDIT CARD VERIFIER
These functions are linked with the CAN SPEND OR COMMIT FUNDS function. JOEUSER can grant CAN SPEND OR COMMIT FUNDS authorizations to a person, e.g. SUEBUY, for a list of Funds or Fund Centers in his department. Then if he wants her to Requisition on those funds/fund centers he also grants her a REQUISITIONER authorization. If he wants her to do credit card verification on those funds/fund centers, he also grants her a CREDIT CARD VERIFIER authorization. There is no way to allow her to requisition on one Fund Center and do credit card verification on another one. Our implementation of SAP does not allow this.
In practice, this is not a serious problem. Almost all credit card verifiers are also requisitioners. Also, there is a manual step involved in the process of making a person a credit card verifier that gives us additional control over the which credit card transactions a person can approve. (See who to contact for credit card authorizations.)

Last modified by Jim Repa, 1/10/2003.