"Higher ed has more decentralized authority." It has been said that a university resembles a large corporation, but one that has 500 CEOs. If one reviews the early literature of RBAC systems, one of the promises was that a very small number of roles would be sufficient for the entire enterprise. The reality is that schemes could be applied successfully at any university. At times it feels like exceptions are the rule. People from one department may have elevated priviliges in another department, but for a narrow set of processes. One of the implications is that a person that has the ability to grant authorizations to others (or delegate privileges to others) must not be constrained in whom to grant the privileges to. In other words a Dean or Administrative Officer in Biology must not be constrained to only grant privileges to people that are directly associated with the Biology department. The grantor must be free to select people from any other department as a subject of an authorization. On the other hand even higher-ed strives to prevent a person with spending authority on account from also being the person that approves spending on the same account.

"Affiliations can become more complex, e.g.  faculty + financial person, or student plus TA" Some industries are contrained by regulatory complience requirements to ensure that an individual does not hold specific sets of authorizations, or hold conflicting roles. For example, in the financial services industry an employee cannot be an investment banker and a broker at the same time. The boundaries in higher-ed tend to have a finer granularity. An administrative or financial officier for a department can conceivably be a student within classes offered by the same department. A TA for a class may be a student in another class, and both classes might be taught by the same faculty member. However, a TA cannot also be a student, for the same class at the same time.

A proper privilege management system must provide auditors with the ability to detect when authorizations are in conflict with organizational business policies.

  • No labels