PPT - EDUCAUSE Library

Authority
Process & Policy

Advanced CAMP
July 9, 2003
Copyright Sandra Senti 2003. This work is the intellectual property of the author. Permission is granted for this
material to be shared for non-commercial, educational purposes, provided that this copyright statement appears
on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate
otherwise or to republish requires written permission from the author.
Vision
Provide a central, shared repository of authority data that can be used across Stanford administrative systems and other enterprise applications which reflects a business view of managing privileges, not a system view.
A University manager wishing to enable staff to do a job should be able to activate privileges together, without needing detailed knowledge of the set of privileges.

Goals
Simplification of authority policy, management and interpretation.
Consistent application of authority rules and synchronization of administrative authority data across systems.
Integration of authority data with enterprise reference data.
Role-based authority, that is, management of privileges based on job function and assignments rather than attached to individuals.

Policy Issues

Must have common context across systems
  Organizational structure
  Eligibility for services
  Authority definitions
Must have clear picture of where authority starts and how it is delegated
Must always use the central authority system

Tools which provide:
Support for scoping of authority to organizational boundaries, i.e. a hierarchy of privileges based on a common definition of organizations.
Support for authority subsystems, like financial authority.
Support for privilege enabling based on departmental affiliation. This provides automatic revocation of privileges when one switches departments or leaves Stanford.

Tools which support (cont.):
Support for sponsorship of privileges outside home organization, with effective and expiration dates. This supports cases of shared personnel, or temporary retention of duties during transition periods between departments.
Integration with provisioning services to provide automatic activation, deactivation and appropriate notifications to those both assigning and receiving authority.

Tools which support (cont.):
Support for prerequisites to enabling authority, such as "completed Cost Policy Training".
Support for qualifying information, such as dollar limits, to be part of the assigned privileges.
Support for Delegation (extending privileges you have to others) and Proxy (granting temporary "acting for" privileges to cover vacation or other absences).
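
The checks listed on the "Tools which provide/support" slides, combined into one decision function as an added example (not part of the original presentation or of Stanford's system). The organization and entitlement names are constructed, and the rule that a non-sponsored grant holds only while the holder's home organization lies inside the grant's scope is an assumption; Delegation and Proxy are not modeled.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed organization tree: child -> parent (names are hypothetical).
ORG_PARENT = {"Chemistry": "Humanities & Sciences", "Physics": "Humanities & Sciences",
              "Humanities & Sciences": "University", "University": None}

@dataclass
class Person:
    name: str
    home_org: Optional[str]             # None once the person has left
    completed: frozenset = frozenset()  # prerequisites met, e.g. training

@dataclass
class Grant:
    entitlement: str                    # system-neutral unit of authority
    scope_org: str                      # covers this org and its descendants
    prerequisite: Optional[str] = None
    dollar_limit: Optional[int] = None  # qualifying information
    sponsored: bool = False             # granted outside the home organization
    effective: Optional[date] = None
    expires: Optional[date] = None

def within(org, scope):
    """True if org is scope itself or sits below it in the hierarchy."""
    while org is not None:
        if org == scope:
            return True
        org = ORG_PARENT.get(org)
    return False

def decide(person, grant, entitlement, org, amount, today):
    """Return (allowed, reason) for one grant; deny on the first failed rule."""
    if grant.entitlement != entitlement or not within(org, grant.scope_org):
        return False, "out of scope"
    if grant.sponsored:  # sponsorship is valid only between its two dates
        if not (grant.effective and grant.expires and grant.effective <= today <= grant.expires):
            return False, "sponsorship not in effect"
    elif person.home_org is None or not within(person.home_org, grant.scope_org):
        return False, "affiliation lost"  # automatic revocation on transfer or departure
    if grant.prerequisite and grant.prerequisite not in person.completed:
        return False, "prerequisite missing"
    if grant.dollar_limit is not None and amount > grant.dollar_limit:
        return False, "over dollar limit"
    return True, "ok"
```

Because the affiliation and date checks run at decision time, a transfer or an expired sponsorship denies access without anyone having to delete the grant.
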
Authority Representation

Definitions
Roles - reusable authority profiles. Common roles can be created through assignment of suitable functions.
Functions - represent common admin activities of a department, division or other University organization. They are defined such that a typical job can be represented as a collection of related functions assigned to a person.

Definitions (cont.)
Tasks - more specific units of work that go together in support of a function -- register a student, hire a new employee, etc.
Entitlements - units of authority control representing specific operations, which will be translated by the applications into specific access management settings. Entitlements are expressed at the lowest level of resolution that applications and services need to manage access but are not system specific.

Building & Managing Authority
Driven by the business owner
Iterative process melding business requirements with authority, organization and application definitions
Initial seeding of top level authority
Web-based application to facilitate assignment of authority for managers

What’s underneath
New ERP implementations
Automated identity management and service provisioning
A set of registries that manifest the common, aggregated view of person, organization and authority data
Data administration function
Clear management support for the registries as the common integration point

Questions?