The Roles Database at MIT
Jim Repa, Scott Thorne
September 21, 2000, CSG Conference, Boulder, Colorado


Roles DB: Main Principles
Enter authorization information into a central DB, then send it to the various target systems
Define authorizations in understandable business terms, then convert them for each target system
Define each authorization as: Authorization = Person + Function + Qualifier
Local department administrators maintain the authorizations for their own department's resources

Creating and disseminating authorizations
[Diagram: components shown are Data Warehouse, Roles DB, Power Builder Appl., Warehouse views, Admissions System, SAP Financial]
1. Supporting information is fed nightly from the Data Warehouse to the Roles DB
2. A front-end application is used to create "authorizations" in the Roles DB
3. Authorization information is converted and sent to the various target applications

Enforcing Authorizations
Each application enforces its own authorizations
First, the user must be authenticated, via Kerberos or an X.509 certificate
– In this model, certificates are used only for authentication; they answer one question: what is the person's Kerberos username?
Then the application answers the question "Can user X do function Y with qualifier Z?" using (usually cached) authorizations

Person + Function + Qualifier model: Does it always work?
So far it has worked, but people must be convinced
System administrators may not be used to thinking about high-level roles (Roles V2 enhancements will help)
For some business functions in SAP, a less than optimal set of Roles authorizations must be used to mirror the SAP model
– e.g., CAN SPEND OR COMMIT FUNDS plus REQUISITIONER and/or CREDIT CARD VERIFIER

Notes on the Person/Function/Qualifier model
"Groups" are not appropriate for some types of authorizations
One could try a kludge where Groupname = Function + Qualifier, but we prefer keeping Function and Qualifier separate
Keeping Qualifiers in a hierarchy and doing dynamic authorization checking has advantages

Function Categories
Category   Description                                   No. of functions
SAP        SAP Financials                                31
GRAD       Graduate Admissions                           33
META       Roles DB-related (create/view auths, etc.)     9
NIMB       Budget system (NIMBUS)                         7
...

Qualifiers
Type   Description                          Count
FUND   Fund Centers and Funds               41961
COST   Profit Centers and Cost Objects      44275
SPGP   Spending Groups                       1845
BAGS   Budget Auth. Groups                    264
ORGU   Org. Units (Payroll)                   519
AORG   Org. Units (Admissions)                 91
DEPT   Consolidated Dept. (with links)        894

Sending Roles authorizations to various systems (non-SAP)
Each system "pulls" authorizations periodically and caches them in a local database
Systems designed with the Roles model in mind need to do little or no conversion of authorizations
Simple stored functions can handle checking a user's authority to do a function with a given qualifier
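The check described on this slide and on the "Notes on the Person/Function/Qualifier model" slide, as an added example (not code from the MIT Roles DB or any of its target systems): a target system's local cache of authorizations plus the qualifier hierarchy, and a single query that answers "Can user X do function Y with qualifier Z?" by walking up from Z through every parent. The Organizational Units slide notes that a qualifier can have more than one parent, so the walk is over a DAG rather than a tree. Table and column names, the qualifier codes and every sample row are assumptions constructed for illustration. SQLite stands in for the Oracle cache; in Oracle the same query would live in a stored function.

```python
"""Authorization check in the Person + Function + Qualifier model against a
local cache, with qualifiers arranged in a hierarchy that may have more than
one parent (a DAG, not a tree).

Added example, not code from the MIT Roles DB or its target systems. Table and
column names are assumptions, and all sample rows are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE qualifier (
    code      TEXT PRIMARY KEY,   -- e.g. a fund center or department code
    qual_type TEXT NOT NULL       -- FUND, COST, DEPT, ...
);
-- One row per child/parent edge; a child may appear under several parents.
CREATE TABLE qualifier_parent (
    child  TEXT NOT NULL REFERENCES qualifier(code),
    parent TEXT NOT NULL REFERENCES qualifier(code),
    PRIMARY KEY (child, parent)
);
-- Authorization = Person + Function + Qualifier, as pulled from the Roles DB.
CREATE TABLE authorization (
    kerberos_name TEXT NOT NULL,
    function_name TEXT NOT NULL,
    qualifier     TEXT NOT NULL REFERENCES qualifier(code),
    PRIMARY KEY (kerberos_name, function_name, qualifier)
);
"""

# Constructed sample data; the codes are made up.
QUALIFIERS = [
    ("D_ALL", "DEPT"), ("D_EECS", "DEPT"), ("D_LCS", "DEPT"),
    ("F_1001", "FUND"), ("F_1002", "FUND"), ("F_2001", "FUND"),
]
# F_1001 hangs under both D_EECS and D_LCS: two parents, not a strict tree.
EDGES = [
    ("D_EECS", "D_ALL"), ("D_LCS", "D_ALL"),
    ("F_1001", "D_EECS"), ("F_1001", "D_LCS"),
    ("F_1002", "D_EECS"), ("F_2001", "D_LCS"),
]
AUTHS = [
    ("alice", "CAN SPEND OR COMMIT FUNDS", "D_EECS"),   # a whole department
    ("bob",   "CAN SPEND OR COMMIT FUNDS", "F_2001"),   # one fund only
    ("carol", "REQUISITIONER",             "D_ALL"),    # the root: everything
]

# Collect the qualifier itself and every ancestor reachable through any
# parent edge, then ask whether one of them carries a matching authorization.
# UNION (not UNION ALL) drops duplicates, so a bad edge forming a cycle cannot
# make the recursion run forever.
CHECK_SQL = """
WITH RECURSIVE ancestors(code) AS (
    SELECT :qualifier
    UNION
    SELECT qp.parent
    FROM qualifier_parent qp JOIN ancestors a ON qp.child = a.code
)
SELECT EXISTS (
    SELECT 1 FROM authorization au
    WHERE au.kerberos_name = :person
      AND au.function_name = :function
      AND au.qualifier IN (SELECT code FROM ancestors)
);
"""


def build_cache() -> sqlite3.Connection:
    """Create and fill the local cache a target system keeps after a pull."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO qualifier VALUES (?, ?)", QUALIFIERS)
    conn.executemany("INSERT INTO qualifier_parent VALUES (?, ?)", EDGES)
    conn.executemany("INSERT INTO authorization VALUES (?, ?, ?)", AUTHS)
    return conn


def is_authorized(conn, person, function, qualifier) -> bool:
    """Can `person` do `function` with `qualifier`? Fails closed: a qualifier
    the cache has never heard of is denied rather than treated as a root."""
    known = conn.execute("SELECT 1 FROM qualifier WHERE code = ?", (qualifier,)).fetchone()
    if known is None:
        return False
    params = {"person": person, "function": function, "qualifier": qualifier}
    return bool(conn.execute(CHECK_SQL, params).fetchone()[0])


if __name__ == "__main__":
    c = build_cache()
    for who, fn, q in [("alice", "CAN SPEND OR COMMIT FUNDS", "F_1001"),
                       ("bob", "CAN SPEND OR COMMIT FUNDS", "D_LCS")]:
        print(who, fn, q, "->", is_authorized(c, who, fn, q))
```

Note the direction of inheritance: an authorization on a department covers the funds beneath it, but bob's authorization on a single fund does not grant him anything on the department above it.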

Mapping Roles authorizations to SAP objects
Conversion programs, written in Perl with Oracle DBI, do the mapping before the data are sent to SAP
The programs are partly table-driven: some new functions can be handled without programming changes

Can a person change their Kerberos username?
Yes, but we discourage it
The old userid is deleted in Athena's database, and Roles notices that the userid is gone
Authorizations can be transferred to the new username
Feeds act as if the old username disappeared and a new one was created with similar authorizations
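An added example covering the two preceding slides, the table-driven conversion of Roles authorizations for a target system and the way a feed treats a changed username. It is not the Perl/DBI conversion code MIT wrote; the mapping table, the target-side object names (SPEND_FUND and the like) and the sample authorizations are all assumptions constructed for illustration.

```python
"""Table-driven conversion of Roles authorizations into target-system records,
and the add/remove delta a periodic feed sends.

Added example; it is not the Perl/DBI conversion code the slides describe.
The mapping table, the target object names (SPEND_FUND etc.) and the sample
authorizations are all assumptions constructed for illustration.
"""
from collections import namedtuple

# One Roles authorization as it comes out of the Roles DB.
Auth = namedtuple("Auth", "person function qualifier qual_type")

# Mapping table: (Roles function, qualifier type) -> target object templates.
# "{q}" is replaced by the qualifier code. Adding a row here is what lets a
# new function be supported without a programming change; a pair that has no
# row is reported as an exception rather than silently dropped.
MAPPING = {
    ("CAN SPEND OR COMMIT FUNDS", "FUND"): ("SPEND_FUND:{q}", "DISPLAY_FUND:{q}"),
    ("CAN SPEND OR COMMIT FUNDS", "COST"): ("SPEND_COST:{q}", "DISPLAY_COST:{q}"),
    ("REQUISITIONER", "DEPT"):             ("CREATE_REQ:{q}",),
    ("CREDIT CARD VERIFIER", "DEPT"):      ("VERIFY_CARD:{q}",),
}


def convert(auths, mapping=MAPPING):
    """Map each authorization to target objects.

    Returns ({person: sorted list of target objects}, [unmapped auths]).
    """
    per_person = {}
    unmapped = []
    for a in auths:
        templates = mapping.get((a.function, a.qual_type))
        if templates is None:
            unmapped.append(a)          # goes on the exception report
            continue
        objs = per_person.setdefault(a.person, set())
        objs.update(t.format(q=a.qualifier) for t in templates)
    return {p: sorted(o) for p, o in per_person.items()}, unmapped


def feed_delta(previous, current):
    """Diff two converted snapshots into per-person add/remove lists.

    A changed Kerberos username shows up as "remove everything under the old
    name, add everything under the new name", which is how the slides say
    the feeds treat it.
    """
    delta = {}
    for person in sorted(previous.keys() | current.keys()):
        old, new = set(previous.get(person, ())), set(current.get(person, ()))
        if old != new:
            delta[person] = {"add": sorted(new - old), "remove": sorted(old - new)}
    return delta


# Constructed sample: yesterday's and today's authorizations, where "alice"
# has meanwhile changed her username to "asmith".
YESTERDAY = [
    Auth("alice", "CAN SPEND OR COMMIT FUNDS", "F_1001", "FUND"),
    Auth("alice", "REQUISITIONER", "D_EECS", "DEPT"),
    Auth("bob", "REQUISITIONER", "F_2001", "FUND"),   # no mapping row for this pair
]
TODAY = [
    Auth("asmith", "CAN SPEND OR COMMIT FUNDS", "F_1001", "FUND"),
    Auth("asmith", "REQUISITIONER", "D_EECS", "DEPT"),
]

if __name__ == "__main__":
    before, exceptions = convert(YESTERDAY)
    after, _ = convert(TODAY)
    print("exceptions:", exceptions)
    print("delta:", feed_delta(before, after))
```

The exception list is the point of the table-driven design: a function the table does not know about surfaces on a report for a human, which is safer than either guessing a target object or dropping the authorization without trace.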

A word about politics
This is a new model for system administrators; some have fears about loss of control
There are advantages for departmental administrators and end-users, and some "grassroots" movement
Auditors have been allies once they understood the model

Organizational Units
There were similar, but different, hierarchies for different applications (examples)
We are trying to consolidate at a high level
Qualifiers can have more than one parent, so this is not a strict hierarchy

Org. Units and other qualifiers
Different people are responsible for the various qualifier types, which are maintained in other systems and fed into Roles
Proposal for a new, universal Department hierarchy, to be maintained by IS

Issues with nightly feeds
Currently feeds are nightly
More frequent feeds are possible, and planned
Worst-case scenario: day 1, request a Kerberos username; day 2, the username gets into the Roles DB and authorizations are created; day 3, the authorizations are sent to the other systems and become effective

Audit trail and historical data
We have an audit trail that shows every change to every authorization
It would be possible to reconstruct a person's authorizations on any day in the past, but we haven't coded this yet
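An added example of the reconstruction this slide describes as possible but not yet coded; it is not MIT's code, and the audit row layout and the sample rows are assumptions constructed for illustration. It replays grant/revoke events up to a chosen day, and also checks the trail itself: a REVOKE of something not live or a GRANT of something already live means events are missing, and a reconstruction built on such a trail should not be trusted.

```python
"""Point-in-time reconstruction of a person's authorizations from an audit
trail of grant/revoke events, plus a consistency check on the trail itself.

Added example of the capability the slide says is possible but not yet coded;
the audit row layout and the sample rows are assumptions.
"""

# Constructed audit rows: (ISO-8601 date, action, person, function, qualifier, changed_by).
# ISO dates sort correctly as plain strings, so no date parsing is needed.
AUDIT = [
    ("2000-03-01", "GRANT",  "alice", "CAN SPEND OR COMMIT FUNDS", "F_1001", "admin1"),
    ("2000-04-15", "GRANT",  "alice", "REQUISITIONER",             "D_EECS", "admin1"),
    ("2000-06-30", "REVOKE", "alice", "CAN SPEND OR COMMIT FUNDS", "F_1001", "admin2"),
    ("2000-07-01", "GRANT",  "alice", "CAN SPEND OR COMMIT FUNDS", "F_1002", "admin2"),
    ("2000-09-20", "REVOKE", "alice", "REQUISITIONER",             "D_EECS", "admin1"),
    ("2000-05-02", "GRANT",  "bob",   "REQUISITIONER",             "D_LCS",  "admin3"),
]


def auths_as_of(audit, person, as_of):
    """Replay every event for `person` dated on or before `as_of` (inclusive,
    i.e. the state at the end of that day) and return the live
    (function, qualifier) set."""
    live = set()
    # sorted() is stable: same-day events keep their order in the trail.
    for when, action, who, function, qualifier, _by in sorted(audit, key=lambda r: r[0]):
        if who != person or when > as_of:
            continue
        key = (function, qualifier)
        if action == "GRANT":
            live.add(key)
        elif action == "REVOKE":
            live.discard(key)
        else:
            raise ValueError(f"unknown audit action {action!r}")
    return live


def audit_anomalies(audit):
    """Return rows that cannot be replayed cleanly: a REVOKE of something not
    live, or a GRANT of something already live. Either means the trail is
    missing events, so any reconstruction built on it is suspect."""
    live = set()
    bad = []
    for row in sorted(audit, key=lambda r: r[0]):
        _when, action, who, function, qualifier, _by = row
        key = (who, function, qualifier)
        if action == "GRANT":
            if key in live:
                bad.append(row)
            live.add(key)
        elif action == "REVOKE":
            if key not in live:
                bad.append(row)
            live.discard(key)
        else:
            bad.append(row)
    return bad


if __name__ == "__main__":
    print("anomalies:", audit_anomalies(AUDIT))
    for day in ("2000-05-01", "2000-06-30", "2000-12-31"):
        print(day, sorted(auths_as_of(AUDIT, "alice", day)))
```

Run the anomaly check before trusting any reconstruction: a trail that fails it cannot tell you what a person could do on a given day, only what the surviving rows say.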

Statistics
How many authorizations have been created? ~40,000 for SAP and ~3,000 for other areas
How many people have been granted an authorization? ~5,000
How many authorizations per person?
– average authorizations/user = 9.1
– maximum authorizations/user = 195
– no. of users with > 100 authorizations = 11
(Better grouping of qualifiers could eliminate the extremes.)

Effort to design and maintain
Development and ramping up: between 1996 (prototype) and the present, we've had 1 to 2 FTEs doing software development, maintenance, evangelizing, and assistance for target systems
Steady-state rough estimate:
– 1 to 2 FTEs for helpdesk, training, assistance, checking exception reports, etc.
– ½ FTE for technical support and maintenance

What we have accomplished
A working system supports our model and is used by SAP, NIMBUS (Budget System), Graduate Admissions, and the Labor Distribution System, with other systems planned
Department-based authorization maintenance for SAP, with a framework in place to expand to other areas

Problems we've encountered
Who is in charge? Who owns what? After two committees and two reports, we're still trying to clarify this
Some managers of target systems are reluctant to allow authorization maintenance to be distributed
Policies for auditing, cleanup, terminating or transferring employees, etc. should be global, but we're still saddled with application-specific policies

Plans for the future: Technical
Support a more versatile hierarchy of qualifiers (simple views of a complex web of objects)
Support groups of business functions
Improvements to the user interface: better editing assistance and better exception checking
Better integration between HR, the Athena users database, and the Roles DB (simplicity, less latency)
Maybe add an API other than the current Oracle stored-procedure based interface

Plans for the future: Operational
Consolidated department hierarchy, with central oversight
A central oversight committee should clarify the rules about who owns what
Include more systems' authorizations in departmental distributed maintenance