The Roles Database Application: Introduction
|Intro | Requirements | Download | Getting Started |
The Roles Database contains authorizations -- rules about people's privileges or roles -- for MIT's financial and other business systems, such as SAP. Authorizations are maintained within the Roles Database by central and departmental people. Related data on people, departments, and financial objects are drawn from other databases such as the Data Warehouse.
The Roles Database does not enforce the authorizations that it stores. It only collects the information and distributes it to the appropriate applications, usually as a nightly data feed.
Applications with an interface to the Roles Database interpret the access rules from the Roles Database and enforce them.
Some users have the authority to create and modify authorizations, and for this they must use the Roles application. Other users only need to view authorization information, and they can use the Web interface for this.
Together, the database, the application, and the Web interface serve as a common tool for users in offices and labs to maintain authorizations for their departmental resources.
In the Roles Database, an authorization is a rule that lets you perform a specific business function within a computer-based application. It is the most important entity maintained in the Roles Database.
Authorizations have three parts: Person, Function, and Qualifier. (SAP authorizations are related to, but not the same as, Roles Database authorizations.) When you connect these three components, an authorization is created.

| Person | Function | Qualifier |
|--------|----------|-----------|
| jsmith | can view personnel data in the data warehouse | within org. unit 152000 |
| jjones | can create a requisition | for fund center FC123456 |
| ssimms | can approve a requisition for line items less than $2500 | for spending group SG_Anthro |

Person is identified by her or his Kerberos user ID, e.g., jsmith, not by name, e.g., Jo Smith.
Function is what a person is permitted to do within a specific application, such as SAP, WRHS (MIT's Data Warehouse), or GRAD (Graduate Admissions Application). For example, jsmith is allowed to view personnel data in the data warehouse.
Qualifier is an organizational unit, cost object, fund center, or some other item that limits the data on which a Person can perform the Function. For example, org. unit 152000.
Some types of qualifiers in Roles must be prefixed with a letter that identifies the type of qualifier. For instance, 7654300 in Roles is preceded by a P that identifies it as a WBS element. Use the following prefixes before the appropriate cost element: F (Fund), FC (Fund center), C (Cost Center), I (Internal order), P (WBS element), PC (Profit center). For instance, to specify Fund Center number 123456 within the Roles Database, specify FC123456, not 123456.
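The following is an added example, not code from the Roles Database or from MIT: one way an application that consumes the feed could build and validate prefixed qualifier codes, then apply a default-deny check on the Person/Function/Qualifier triple. The function names, the short function labels, digits-only object numbers and exact-match comparison are all assumptions.

```python
import re
from typing import NamedTuple

# Prefix letters as listed on the page; digits-only numbers are an assumption.
PREFIX_BY_TYPE = {
    "fund": "F", "fund center": "FC", "cost center": "C",
    "internal order": "I", "wbs element": "P", "profit center": "PC",
}
TYPE_BY_PREFIX = {v: k for k, v in PREFIX_BY_TYPE.items()}
_COST_OBJECT = re.compile(r"(FC|PC|F|C|I|P)([0-9]+)")


class Authorization(NamedTuple):
    person: str      # Kerberos user ID, e.g. "jsmith"
    function: str    # what the person may do (labels here are constructed)
    qualifier: str   # limits the data the function applies to


def to_qualifier(object_type: str, number: str) -> str:
    """Build the Roles qualifier code for a cost object, e.g. FC123456."""
    prefix = PREFIX_BY_TYPE[object_type.lower()]   # KeyError on unknown type
    if not (number.isascii() and number.isdigit()):
        raise ValueError(f"not a bare object number: {number!r}")
    return prefix + number


def parse_qualifier(code: str) -> tuple[str, str]:
    """Split a prefixed code into (type, number); reject unprefixed input."""
    m = _COST_OBJECT.fullmatch(code)
    if m is None:
        raise ValueError(f"missing or unknown qualifier prefix: {code!r}")
    return TYPE_BY_PREFIX[m.group(1)], m.group(2)


def is_authorized(auths, person, function, qualifier) -> bool:
    """Default deny: all three parts must match a stored authorization."""
    return Authorization(person, function, qualifier) in auths


# Constructed sample rows, based on the table on the page.
AUTHS = {
    Authorization("jsmith", "view personnel data", "152000"),
    Authorization("jjones", "create requisition", "FC123456"),
}
```

A request that carries the bare number 123456 does not match the stored FC123456 and is denied, so the application should convert its native identifier with the prefix before comparing rather than loosening the match.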
If you plan to use Roles as a lookup tool, you can find all the operations you need on the Web at http://rolesweb.mit.edu/webroles.html. If, however, you plan to create, delete, or copy authorizations, you will need the Roles application. To continue, click on Requirements.