Instructions for Departmental authorizers

People who maintain authorizations for a department's resources (see definitions of departmental Primary and Secondary authorizers) and want to maintain them directly must use the Roles Database.

Most people who use the Roles application find that it only takes a little time to get familiar with the application and start creating authorizations. (Current documentation describes only SAP-related authorizations, but in the future, Primary authorizers will be maintaining authorizations for other business areas as well.) Most of the information you'll need is contained in the following Web-based documents:

1. Setting up authorizations, by task (a task-oriented quick guide)
2. Detailed definitions of SAP-related business functions
3. Using the Roles application
   1. Web-based introduction to the Roles application
   2. PDF-based Navigating the Roles Database, and Using It to Manage SAP Authorizations (Requires Acrobat Reader )
4. Guidelines for Primary authorizers (includes policies and responsibilities)

Things to keep in mind:

• When a person from your department who has authorizations leaves the department or leaves MIT, send e-mail to business-help@mit.edu
  Doing so will help the Business Liaison Team manage usernames in the system. (This is also included in Guidelines for Primary authorizers .)

• Don't forget the REQUISITIONER authorization, where needed. For some business functions, you must grant a combination of authorizations.
  • For a person to create requisitions in SAPgui or SAPweb, you must grant both CAN SPEND OR COMMIT FUNDS and REQUISITIONER authorizations.

• You no longer need to grant the CAN USE SAP authorization. As of 1/10/2003, the CAN USE SAP authorization is implicit for all users who have other SAP-related authorizations. (There is an exception for a few people within central offices, but these special cases will not be handled by Primary Authorizers.)

• All CREDIT CARD VERIFIER authorizations must be done by the VIP Card Administrator. (She also must set up table entries outside of the Roles Database.) Contact vipcard@mit.edu or call x3-8366.

• Where possible, use the Custom Fund Center hierarchy (rather than the standard hierarchy) for specifying the Qualifier in Authorizations. However, some DLCs should use the Profit Center hierarchy for Reporting authorizations because of links to child projects in other Profit Centers. (See explanation .)

• Watch out for redundant authorizations.
  Authorizations granted for a qualifier in the Fund Center, Cost Object, or Spending Group hierarchies can be granted for a whole branch of the hierarchy, e.g., all the Funds and Fund Centers under FC_BIOLOGY. If you grant a CAN SPEND OR COMMIT FUNDS for a Fund Center and another one for a Fund or Fund Center within the first Fund Center, the second authorization is redundant. This won't harm anything in the Roles Database or SAP, but it may cause confusion for people looking at these authorizations. You can find redundant authorizations by using the web-based reports to help you. Try this handy technique for deleting them.

• Be aware of the ramifications of certain authorizations that cross departmental boundaries.
  An authorization such as SEE SALARY SUBTOTAL IN REPORTS acts as a single on/off switch that affects all objects on which a person can report, sometimes within multiple departments. Primary authorizers granting such an authorization should be aware of its affect on other departments' resources, and may need to talk to other PAs to coordinate its use for certain users. (See more details on cross-departmental authorizations .)

• Send requests Nimbus, LDS, warehouse and graduate admissions authorizations to business-help@mit.edu
  At present authorizers cannot grant authorizations for for Nimbus, LDS, warehouse or graduate admissions. However, if you need such authorizations, you can send your request to the Business Liaison Team and they will make sure it gets to the appropriate group.