The Roles Database Application: Introduction

|Intro | Requirements | Download | Getting Started |

Contents

  1. Introduction
  2. Requirements
  3. Getting started
  4. Using selection sets and criteria
  5. Working in Roles


What is the Roles Database?

The Roles Database contains authorizations -- rules about people's privileges or roles -- for MIT's financial and other business systems, such as SAP. Authorizations are maintained within the Roles Database by central and departmental people. Related data on people, departments, and financial objects are drawn from other databases such as the Data Warehouse.

The Roles Database does not enforce the authorizations that it stores. It only collects the information and distributes it to the appropriate applications, usually as a nightly data feed.

Applications with an interface to the Roles Database interpret the access rules from the Roles Database and enforce them.

Some users have the authority to create and modify authorizations, and for this they must use the Roles application. Other users only need to view authorization information, and they can use the Web interface for this.

Together, the database, the application, and the Web interface serve as a common tool for users in offices and labs to maintain authorizations for their departmental resources.


What are Authorizations?

In the Roles Database, an authorization is a rule that lets you perform a specific business function within a computer-based application. It is the most important entity maintained in the Roles Database.

Authorizations have three parts: Person, Function, and Qualifier. (SAP authorizations are related to, but not the same as, Roles Database authorizations.) When you connect these three components, an authorization is created.

For example:

Person  | Function                                                  | Qualifier
jsmith  | can view personnel data in the data warehouse             | within org. unit 152000
jjones  | can create a requisition                                  | for fund center FC123456
ssimms  | can approve a requisition for line items less than $2500  | for spending group SG_Anthro

where:

Person is identified by her or his Kerberos user ID, e.g., jsmith, not by name, e.g., Jo Smith.
Function is what a person is permitted to do within a specific application, such as SAP, WRHS (MIT's Data Warehouse), or GRAD (Graduate Admissions Application). For example, jsmith is allowed to view personnel data in the data warehouse.
Qualifier is an organizational unit, cost object, fund center, or some other item that limits the data on which a Person can perform the Function. For example, org. unit 152000.

Some types of qualifiers in Roles must be prefixed with a letter that identifies the type of qualifier. For instance, 7654300 in Roles is preceded by a P that identifies it as a WBS element. Use the following prefixes before the appropriate cost element: F (Fund), FC (Fund center), C (Cost Center), I (Internal order), P (WBS element), PC (Profit center). For instance, to specify Fund Center number 123456 within the Roles Database, specify FC123456, not 123456.
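The prefix rule matters to any application that consumes the feed, because a fund center written as 123456 is not the same qualifier as FC123456. The sketch below is an added example, not code from the Roles project: the tab-separated feed layout, the exact-match check, and all function names are assumptions made for illustration.

```python
import re

# Cost-object prefixes listed on the page.
PREFIXES = {"F": "Fund", "FC": "Fund center", "C": "Cost center",
            "I": "Internal order", "P": "WBS element", "PC": "Profit center"}
_COST_OBJECT = re.compile(r"(FC|PC|F|C|I|P)(\d+)")

def qualifier_type(code):
    """Return the cost-object type named by the prefix, or None when the
    code is not a prefixed cost object (an org. unit, a bare number, ...)."""
    m = _COST_OBJECT.fullmatch(code)
    return PREFIXES[m.group(1)] if m else None

def load_feed(text):
    """Parse a feed into a set of (person, function, qualifier) triples.
    Assumed layout: one tab-separated triple per line. A malformed line
    raises, so a damaged feed is never loaded partially."""
    rules = set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"line {n}: expected person, function, qualifier")
        rules.add(tuple(parts))
    return rules

def is_authorized(rules, person, function, qualifier):
    """Default deny: allow only when the exact triple is present.
    Exact matching is an assumption; the page does not say how consuming
    applications interpret qualifiers."""
    return (person, function, qualifier) in rules

# Constructed sample feed, based on the example table above.
SAMPLE_FEED = (
    "jsmith\tcan view personnel data in the data warehouse\t152000\n"
    "jjones\tcan create a requisition\tFC123456\n"
)

if __name__ == "__main__":
    rules = load_feed(SAMPLE_FEED)
    for q in ("FC123456", "123456"):
        print(q, qualifier_type(q),
              is_authorized(rules, "jjones", "can create a requisition", q))
```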


What are meta-authorizations?

In the Roles Database, authorizations about authorizations are called meta-authorizations. Like other authorizations, a meta-authorization consists of a person, a function, and a qualifier. Meta-authorizations belong to the Function Category "META". The two main functions are

How do I get a meta-authorization to view authorizations on the Web?

Authorizations are not considered to be highly sensitive data, but it is not our policy to let all Web users view them. Meta-authorizations to "VIEW AUTH BY CATEGORY" are usually given to MIT employees on request. If you have a School or Area Coordinator, contact that person. You can find the name of your school or area coordinator at http://web.mit.edu/fss/sac.html . If you don't have one, or don't know who that person is, then contact the central SAP authorizations maintenance group (r3-accts@mit.edu). Make sure you specify:

If you plan to use Roles as a lookup tool, you can find all the operations you need on the Web at http://rolesweb.mit.edu/webroles.html. If, however, you plan to create, delete, or copy authorizations, you will need the Roles application. To continue, click on Requirements.

