The Roles Database Application:
Getting Started II

| Intro | Requirements | Download | Getting Started | Selection sets and criteria | Functions|Qualifiers|Persons|


Working with Authorizations

To create, update, or delete an authorization, you yourself must have the proper authorization in the Roles Database. (See What are Authorizations.) Within a given function category, such as SAP or WHRS (Warehouse), a small number of people will have the authority to create any authorization.(See What are Meta-Authorizations.) Most people who are allowed to create authorizations will only be allowed to create authorizations with a limited set of functions and qualifiers. In either case, a person allowed to create authorizations with certain functions or qualifiers is also allowed to update or delete any authorizations with those functions or qualifiers. There are no special authorizations for updating or deleting authorizations: an authorization to create lets you also update, or delete.

The next sections discuss:


Displaying authorizations using the Roles application

The following section describes how to display authorizations in the Roles application. However, we recommend using the Roles Website for conducting most searches, unless, of course, you are already using the application to create new authorizations. In most cases, however, the Web display, which doesn't require the application, is easier for most people.

The "Authorization List" screen displays the following fields within each authorization:

ColumnDescription
UserKerberos name of the authorized user
FunctionFunction name
Category4-character Function category to which the authorization applies
Qual. CodeShort code for the Qualifier.
Qualifier NameName for the Qualifier.

To display more fields, select any part of an authorization by clicking on it and then click the Detail button on the left of the screen or on the Detail icon in the menu bar or double-click on any part of the authorization.

(You can also select multiple authorizations for detailed display; see "Selecting multiple items for viewing, updating, or deleting" below.)

Result: The "Authorization Detail" screen appears.

The additional fields are:

FieldValueDescription
Kerberos Name
The Kerberos name of the authorized user.
Function Name
The name of the function, that the user is authorized to do, e.g., create authorizations.
Qualifier Code
Short code for the Qualifier
Qualifier Name
Name for the Qualifier
Can Do FunctionY or N.If Y, the Person is actually allowed to do the Function with the given Qualifier.

If N, the Person is only allowed to grant or view the authorizations.

Grant/ViewV (View Only)
GD (Grant-do)
This is the default for all Roles users.
Can grant this function to another person.
Descend Y or NNormally this should be Y. If Y, the authorization applies not only to the specified Qualifier, but also to all descendents of the specified Qualifier in the tree.

If N, the authorization applies only to the specified Qualifier and not to descendents.

Effective Date
The date (in mm/dd/yyyy format) on which the authorization becomes effective.
Expires
The date after which the authorization expires (i.e., becomes inoperative).
Modified By
Kerberos name of the last person to modify this authorization.
Modified Date
Last date and time on which this authorization was modified.

Note: In Release 1 of the Roles Database, all Roles users are permitted to view all authorizations.

The following Selection Sets are available for the "Authorization List" screen:

My authorizations
Lists authorizations for your Kerberos name. Optionally, you can display authorizations for a given Function category, Function, or Qualifier.

My authorizations that I can delegate
Lists authorizations for your Kerberos name where Grant and View field is set to permit you to create a similar authorization for other people. You can optionally display only authorizations for a given Function category, Function, or Qualifier.

Authorizations for a person
Similar to "My authorizations", but you can specify the Kerberos name for anybody, not just your own Kerberos name.

Authorizations I created
Lists authorizations that were last modified by you. You can optionally display only authorizations for a given Function category, Function, or Qualifier. You can also optionally limit the display to only those authorizations created before a given date, or after a given date.

Auths. by modify-by and modify date
Similar to "Authorizations I created", but you can display authorizations created by any person that you specify, not just yourself.

Authorizations by category and function
Lists authorizations for all people that fall within a given Function Category and (optionally) have a given Function. You can also optionally limit the list to a given Qualifier.

Compare authorizations for two people
Lists authorizations for two people. This Selection Set shows all authorizations for either of two Kerberos names.

It is an unusual Selection Set because of the either/or criteria used for the two Kerberos names. In all other Selection Sets, all checked criteria must be met by each thing displayed (Authorization, Function, Qualifier, or Person). For "Compare authorizations for two people," either of the two Kerberos name criteria must be met, plus all other checked criteria.

Who can do function X with qualifier Y?
This Selection Set lets you answer the question "Who is authorized to perform a given business function with a given qualifier?". It differs from "Authorizations by category and function" in three ways:

  1. It looks both for authorizations that have a specified qualifier, and for authorizations that have a qualifier that is a parent of the specified qualifier.

  2. It takes into account the DO_Function flag and does not display authorizations where DO_Function = 'N' (i.e., where the person can audit or grant the authorization but not actually perform the business function).

  3. It takes into account the effective date and the expiration date for the authorization, ignoring authorizations that are not in effect today.

Authorizations for a department (by SAP FC group)
Lists all the authorizations for a particular departmental group, e.g., FC_SLOAN.

Authorizations within a branch of a qualifier tree

Creating an authorization

  1. From the "Authorization List:" screen, click the New button.

    Result: The "Authorization Creation" screen appears.

    In this window, enter information defining the person for whom you are creating an authorization and what that person can do in with the authorization. For instance, SAP (Can Do Function) and in Roles (Grant/View). The following table describes each field and the proper entries. All fields are required unless noted otherwise.

    The general procedure for making these selections is to click on one of the fields and then on the List Values... button. When a list with selections for the field appears, make your selection and click on the Pick button. When all the fields are complete, the Add button becomes active. Click on the Add button.

  2. When you have chosen a Kerberos Name, Function, and Qualifier Code, examine the additional flags and fields on the "Authorization Detail" screen.

    Field How to complete...
    Can do function Normally, this should be Y. Use N, if you want someone to be able to grant an authorization to others, but not be able to do the function herself.
    Grant Y (grant-do), if you want the person to be able to grant the authorization to others.

    N, if you do not want the person to be able to grant authorizations.

    Descend Normally, this should be Y. 'Y' means that the authorization applies to the Qualifier and all of its descendents (if any) in the qualifier hierarchy.
    Effective date If you do not want the authorization to take effect until a future date, specify that date here in mm/dd/yyyy format.
    Expires If you want the authorization to expire after a future date, specify that date here in mm/dd/yyyy format.

  3. Click the Add button to create the new authorization.

  4. Click the Close button.

    Result: The "Authorization Detail" screen closes and you return to the "Authorization List" screen.

  5. Click the Refresh button to display the new authorizations.

Deleting an authorization

  1. From the "Authorization List" screen, select an authorization by clicking on it.
  2. Click the Delete button (or select Delete from the Perform menu).

Updating an authorization

To update an authorization, you must have create authority for both the old authorization and the new one.

  1. From the "Authorization List" screen, double-click on an authorization. (Or, single-click the authorization and then click the Detail button or select Delete from the Perform menu).
    Result: The "Authorization Detail" screen appears.
  2. Change the desired fields on the screen, and click the Replace button to update the authorization.

    (Instead of clicking the Replace button, you could select Replace from the Perform menu.)

  3. Close the "Authorization Detail" window and return to the "Authorization List" screen. You may have to click the Refresh button before you see the changes in the authorization displayed on the screen.

Selecting multiple items for viewing, updating, or deleting

A time-saving feature in the Roles application lets you select more than one authorization at a time for viewing detailed information, updating, or deleting.

To select more than one authorization , do the following:

  1. From the "Authorization List" screen, hold down the Ctrl key (on Windows machines) or the Command key (on the Macintosh) and click each of the authorizations you want to select. (The authorizations do not have to be next to each other on the screen.)

  2. When you made your selections, you can display detailed information on them or you can delete them.

    To delete a group of authorizations:

    1. Select them as above and click on the Delete button.
      Result: A dialog box appears.

      Answer the question "Do you really want to delete the selected items?" by clicking on the Yes button.
      Result: The selected authorizations are deleted.

    To modify a group of authorizations:

    1. Click the Detail button or use the menu equivalent.
      Result: The "Authorization Detail" screen appears.

    2. Click the Previous and Next buttons to navigate between the selected authorizations.

    3. If you are authorized, you can change Kerberos Name, Function Name, Qualifier Code, or other fields on the screen, and then click the Add button to create a new authorization or the Replace button to update the existing authorizations.

      You can add or replace a set of authorizations before returning to the "Authorization List" screen.

    4. When you have made all your changes, click the Close button to return to the "Authorization List" screen. You may have to click the Refresh button to see the changes displayed on the screen.

Duplicating authorizations

The Roles application lets you duplicate all of a user's authorizations within a category and assign the authorizations to another user. To do so, you must be authorized to create all of the authorizations you want to copy.

See What authorizations can I grant? if you are unsure whether you have the appropriate authority to grant authorizations.

Suppose you want to take all of the SAP-related authorizations for user XXXXX and duplicate them for user YYYYY. To do so,

  1. Open the "Authorization List" screen.
  2. From the Perform menu, select Duplicate.
    Result: The "Authorization Duplication" screen appears.

  3. Complete the fields on this screen as follows.

    Field How to complete...
    Where Function Category is:Specify the Function category (SAP, WRHS, etc.) from which authorizations are to be duplicated. You can either type in the Category name or put your cursor on the field and click the "List Values..." button to choose it from a pick list.
    From Kerberos Name:Enter the Kerberos name of the person who has the existing authorization that you want to duplicate. (Or pick the Kerberos name from a list by clicking in the field and then clicking the List Values... button.)
    To Kerberos Name:Enter the Kerberos name of the person that you want to include in the duplicated authorization.

  4. When you have entered all the necessary information, click the Copy button to do the duplication.
    Result: For each existing authorization in the specified category for the specified "From Kerberos Name" for which you have create authority, the application will create a new authorization with the Kerberos name set to the "To" Kerberos name.

    The application tells you how many authorizations were duplicated. Note that the authorization will not be duplicated if an authorization already exists with the given Function and Qualifier for the "To" Person.

    However, if you do not have the appropriate authorizations, you will receive an error message telling you that you are not authorized to copy some number of the authorizations you tried to copy. You might find it handy to use the Selection Set "Compare Authorizations for two people" from the "Authorization List" screen to see the results of the Duplicate facility.


|Intro|Requirements|Getting Started|
|Selection sets and criteria|Functions|Qualifiers|Persons|