Authorization and rights
If we wanted to summarize Accred in one sentence:
A responsible person authorizes a beneficiary to do one or more actions on a protected resource. The beneficiary therefore obtains one or more rights of action.
For example, if Daenerys Targaryen wants to install software on her workstation and charge the order to the “ERP-MD” unit, she needs the right to access Distrilog on the ERP-MD unit so that she can connect to the Distrilog software installation tool. It is in Accred that Arthur Legrand, as head of the ERP-MD unit, can give her this authorization.
We must be aware of the difference between an authorization and a right. They are two points of view on the same reality:
- The authorization is given by the person responsible.
- The right is acquired by the beneficiary.
- An authorization can implicitly group several rights (see the rest of the chapter).
Therefore, to give an authorization to a person, you need to know several things in Accred:
- The identity of the person entitled [Daenerys Targaryen];
- The unit where the person works when exercising the right; this point and the previous one together designate the work accreditation;
- The action to be taken [access to Distrilog], which determines the right to give;
- The name of the protected resource [ERP-MD];
- The name of the person in charge who gives the authorization [Arthur Legrand];
- The duration of the right [without limit];
- The reasons for the authorization [responsible for configuring their workstation].
Note: It is not necessary to be accredited in a unit to be a beneficiary of a right.
Hierarchical authorization and inherited rights
There are 3 types of protected resources in Accred:
- Units, organized hierarchically: School, Faculties, Institutes, Labs, etc.;
- Financial centers, which correspond to the financial dimension of the units and have the corresponding hierarchical organization;
- Financial funds that are still attached to level 4 financial centers.
An authorization given on a unit at a certain hierarchical level implies that the beneficiary receives the right not only on that level but also on all lower-level units. We then speak of hierarchical authorization and inherited rights.
For example, if the dean of the STI decides to appoint a super-accreditor, they will authorize them to accredit their faculty. This super-accreditor will then hold the accreditation rights in each unit of the STI faculty.
Rights acquired by the accreditation status
As part of the accreditation process, the accreditor must indicate the status and class of the accredited person, which allows the person to benefit from certain rights related to this status and recognized by EPFL. Depending on the needs and status, the accreditor has some room for maneuver to add or withdraw rights through the accreditation properties.
For example, Daenerys Targaryen works for a maintenance company and is accredited with the Off-EPFL status. The publisher gave her the right to have an Active Directory account so that she can access a certain laboratory infrastructure.
Rights acquired by a role
In order for a person to benefit from the rights included in a role, a responsible person must give him or her authorization to hold that role.
For example, if Daenerys Targaryen must fully access the HR Infocenter of her unit, she must ask her hierarchy to give her authorization to hold the role of unit manager, which includes, among other things, all access rights to the HR Infocenter.
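The two mechanisms described above, inherited rights on lower-level units and rights included in a role, can be modelled as a default-deny check. This is an added example, not Accred's own code: the unit tree, the right identifiers (`accreditation`, `hr_infocenter`), the role key `unit_manager`, the grantor labels and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed unit tree (child -> parent); unit names are illustrative.
PARENT = {"STI": "EPFL", "INST-A": "STI", "LAB-1": "INST-A", "LAB-2": "INST-A",
          "SB": "EPFL", "LAB-9": "SB"}
# Constructed role -> rights mapping; right identifiers are illustrative.
ROLE_RIGHTS = {"unit_manager": {"hr_infocenter"}}

@dataclass(frozen=True)
class Authorization:
    beneficiary: str
    resource: str                    # unit the authorization was given on
    granted_by: str                  # responsible person, kept for audit
    reason: str
    right: Optional[str] = None      # a single right ...
    role: Optional[str] = None       # ... or a role that groups several rights
    expires: Optional[date] = None   # None means "without limit"

    def rights(self):
        return {self.right} if self.right else ROLE_RIGHTS.get(self.role, set())

def ancestors(unit):
    """Yield the unit itself, then each parent up to the root."""
    seen = set()
    while unit is not None and unit not in seen:  # guard against a cyclic tree
        seen.add(unit)
        yield unit
        unit = PARENT.get(unit)

def holds_right(auths, person, right, unit, today):
    """Return the authorization giving `person` the right on `unit`, or None."""
    chain = set(ancestors(unit))
    for a in auths:
        if a.beneficiary != person or right not in a.rights():
            continue
        if a.expires is not None and a.expires < today:
            continue  # an expired authorization gives no right
        if a.resource in chain:  # given on the unit itself or on a higher level
            return a
    return None  # default deny

AUTHS = [  # constructed sample authorizations
    Authorization("super-accreditor", "STI", "dean of STI", "appointed", right="accreditation"),
    Authorization("Daenerys Targaryen", "LAB-1", "unit head", "HR access", role="unit_manager"),
    Authorization("Daenerys Targaryen", "LAB-2", "unit head", "temporary",
                  right="accreditation", expires=date(2023, 12, 31)),
]
TODAY = date(2024, 1, 15)
```

Returning the matching authorization rather than a boolean keeps the answer auditable: the caller can see which unit the right was inherited from and who gave it.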
Managing authorizations and how to obtain a right
- The various rights related to accreditation are managed by the accreditor of the unit; they are the person you must contact to obtain authorization.
- For an authorization of another right to a protected resource, you must contact a role holder who has this right to that protected resource.
For example, if Daenerys Targaryen must be able to consult the student assistant fund for her unit’s financial center, she will have to ask her unit manager who holds the role of financial center manager, because this role includes this right.
Some authorizations, such as access rights to the HR Infocenter, access rights to the Finance Infocenter and rights to the Signature Register, are subject to a 4-eyes approval, for example involving the unit manager and the HR manager or the faculty finance manager.
In principle, the rights obtained by the status are sufficient to perform the common tasks.
The rights of the beneficiaries are accessible via the School’s web directory.
- The confirmdistrilog right allows an administrator of a unit that has given them this right to validate in Distrilog the expensive software purchases of the members of the unit. Thus, if the right is given at the level of an institute, the administrator will be able to validate all the purchases of all the members of the labs that make up the institute. The administrator does not need to be a member of the institute; for example, they could be attached to the faculty’s management unit.
- EPFL employees are automatically accredited in their home unit with Personal status. It is thanks to this status, which gives them the Intranet right, that they can connect to the EPFL WIFI network.
- The communication manager of a unit can delegate the profile management right to a colleague so that they can also administer the personal pages of the members of the unit.
Rights are divided into two main categories: