# HarvardKey Generic Authorization Groups ## expand\_more HarvardKey provides applications with a default level of authorization through implementation of authorization groups. When a user attempts to log into your application, HarvardKey first authenticates them and then determines if they are a member of the application’s authorization groups. Every application integrating with HarvardKey is required to have at least one authorization group and may have multiple authorization groups. See the [HarvardKey Application Integration Policy](https://huit.harvard.edu/harvardkey-application-integration-policy) for more information. Groups can be a combination of generic authorization groups, maintained by IAM, or custom authorization groups, maintained by the application team. For general information on authorization groups and best practices for authorization with Okta, please see the following knowledge articles: - [Application Authorization using HarvardKey and IAM Group Services](https://harvard.service-now.com/ithelp?id=kb_article&sys_id=3811d84ddb4597cc83a2f3f7bf9619e5) - [Authorization group best practices with Okta](https://harvard.service-now.com/ithelp?id=kb_article&sys_id=0fe49a2b2b7f26d0e401f84cfe91bfd4) Generic authorization groups may be used by multiple applications. They are created from one or more [IAM Reference Groups](https://harvard.service-now.com/ithelp?id=kb_article&sys_id=932fc321db6ac300a914fff31d96195b), institutionally meaningful cohorts of the Harvard community based on their various affiliations with the University, for example students or faculty. Only people with a current Harvard affiliation are included in Reference Groups. ## Steps to Select Authorization Groups for your Application 1. Review the categories of users who will use your application 2. Review the list of generic authorization groups available 3. Indicate your selections on the [HarvardKey Application Integration form](/links/harvardkey-application-integration-form) - If none of the generic authorization groups meet your needs, select the option “An appropriate authorization group does not exist for my application. Please assist me in creating a new group." on the Registration form. IAM can partner with you to create a custom group for your population, and/or determine a combination of existing groups to use. ### Categories of Users for your Application When choosing authorization groups for your application, consider the broad categories of users listed below for whom reference groups are available. In addition to categories focused on role type, groups can include restrictions by School/Unit or Department. ### **Employees** - Employees of all types – staff, faculty, post-docs, temporary, part-time and student employees - Faculty (F, J) – Ladder faculty (senior & junior) - Staff (A, S) – Administrative, professional and support staff - Service Trade (U, L) - Service and trade hourly and part-time employees - Other Academics (O) – Non-ladder and visiting faculty, research fellows and associates, academic deans, directors, affiliates, etc - Temporary Academics (C) - Special Exclusion (B) - Postdocs (Y, N, Z) - Internal and External Post-Docs - Temporary Staff (T) – Non-student temporary staff including temps and LHTs - Interns (E) - Student Employees (G, D, W) – Graduate student appointments, student temps and temp off-campus work-study - Graduate Student Fellowship Recipients (H) ### **Students** - Registered Students (R,EG,EP) - Registered degree-seeking and non-degree seeking students - Pending Students (P) - Students pending enrollment - Students with Admissions Offer Extended (AE) - Students with Deferred Admission (DF) - Students on Leave of Absence (LA) - Study Abroad (SA) - On Leave Paying Facilities Fees (LF) - Special Program (SP) ### **Other HUID Holders** - Harvard Sponsored Roles: - Individually sponsored roles (previously called Authorized POI): including Restricted Harvard Sponsored Role types and Workforce Sponsored Roles (Consultants and Contingent Workers) - Departmentally sponsored roles (Delegate Payers, Retirees, Smithsonian employees, HLS external affiliates). - See the [Quick Guide for Harvard Sponsored Role Types](https://harvard.service-now.com/ithelp?id=kb_article&sys_id=dd3a2cdadb98985896ab5682ca96197d) for a description of the role types. - Library borrowers: Library borrowers from Widener, Loeb and Countway libraries. Includes special borrowers, research assistants and library donors - Class Participants: Active participants in a non-degree program ### **Alumni** - Alumni - Harvard degree holders, including honorary - Alumni Associate Members – Harvard non-degree holder, or certificate holder - Alumni Program Participant – Harvard non-degree holder that does not qualify for Associate Membership (e.g., Exec Ed) ### **Public** - Includes non-HUID holders (Harvard Guest users) and HUID holders with no active role ### Generic Authorization Groups The tables below lists generic authorization groups currently offered by HarvardKey. They are organized into Red, Orange, Yellow and Green [affiliation and assurance tiers](/file_url/520) and school-specific. \**Unless a group explicitly includes Alumni, alumni users can access the application only if they have another Harvard affiliation that is included in the group. To enable your application to allow Alumni access, please request approval from* [*Alumni Affairs and Development (AA&D*](https://harvard.service-now.com/ithelp?id=kb_article&sys_id=12dd722c1bba49d0485411b6bc4bcb5a)*).* ### ***RED TIER*** SortAuthorization Group NameIncluded User Groupsauthorized-users-assurance-tier-red Includes current registered and study abroad students in degree programs (Student status-codes Registered-R,EG,EP and Degree is not XX). All current paid employees except External Postdoctoral (Employee Pay status = Y and employee class-codes Admin and Professional-A, Support Staff-S, Temporary Staff-T, Temporary Student-D, Temporary Off Campus Work Study-W, Intern-E, Senior and Junior Faculty-FJ, Temporary and Other Academic-CO, Graduate Student-G, TAs and Other Staff-I, Internal Post Docs-Y, Hourly and Part-time Service and Trade-UL, and Exclusion-B). Current Harvard Sponsored Roles of types Consultant and Contingent Worker. authorized-users-employees-paid Includes all current paid employees of any classification. ### ***ORANGE TIER*** SortAuthorization Group NameIncluded User Groupsauthorized-users-assurance-tier-orange Includes all members in the Red Affiliation & Assurance Tier group, plus current students on leave of absence and pending students (Student status-code On Leave-LA, On Leave Paying Facilities Fees-LF, and Pending-P). Current External Postdocs (Employee class-code Ext Post Docs Harvard Research-Z, External Post Docs NHR-N). Current unpaid employees (Employee Pay status = N and employee class-codes Admin and Professional-A, Support Staff-S, Temporary Staff-T, Temporary Student-D, Temporary Off Campus Work Study-W, Intern-E, Senior and Junior Faculty-FJ, Temporary and Other Academic-CO, Graduate Student-G, TAs and Other Staff-I, Internal Post Docs-Y, Hourly and Part-time Service and Trade-UL, and Exclusion-B). Current Harvard Sponsored Roles of types Incoming Employee/Transfer, Research Collaborator, Overseer, Hospital Administrator, Extended Affiliate, Retiree and Surviving Partner. authorized-users-assurance-tier-orange-with-alumni * Includes all members in authorized-users-assurance-tier-orange, plus Alumni of role type ALUMNI who have claimed their HarvardKey. Does not include Alumni types of Associate Members or Program Participants. authorized-users-employees Includes all current employees of any employee classification, paid and un-paid. authorized-users-employees-incoming-employees Includes current employees of any classification, plus Harvard Sponsored Role of type Incoming Employees/Transfer. authorized-users-faculty-staff Includes all current faculty (employee class-codes Senior Faculty-F, Junior Faculty-J and Other Academic-O) and staff (employee class codes Admin and Professional-A, and Support Staff-S). authorized-users-employees-retirees Includes all current employees of any classification, plus Harvard Sponsored Role of type Retiree. authorized-users-employees-consultants-contractors Includes current employees of any classification, plus Harvard Sponsored Role of types Consultant and Contingent Worker (previously Contractor). authorized-users-employees-consultants-contractors-alumni * Includes current employees of any classification, Harvard Sponsored Role of types Consultant and Contingent Worker (previously Contractor), and Alumni of role type ALUMNI who have claimed their HarvardKey. Does not include Alumni types of Associate Members or Program Participants. authorized-users-alumni * Includes alumni in all schools and who have claimed a HarvardKey. ### ***YELLOW TIER*** SortAuthorization Group NameIncluded User Groupsauthorized-users-assurance-tier-yellow Includes all members in the Red and Orange Affiliation & Assurance Tier groups, plus admitted and deferred students and active class participants (Student status-code Admissions Offer Extended-AE, Deferred Admission-DF, Active Class Participant-A), and non-degree students (Degree is XX). Current Harvard Sponsored Roles of type Academic Advisor, AA&D Affiliate, External Administrative Affiliate, Interschool Affiliate, External Core Customer, Field Education Supervisor, Family Member/Family Support, Tenant, Vendor, Visitor, Volunteer, HMC Employee, SAO Employee, Security Service Provider, UHS Dependent, and Other. Current library borrowers of any type from Widener, Loeb and Countway libraries. authorized-users-assurance-tier-yellow-with-alumni * Includes all members in authorized-users-assurance-tier-yellow, plus Harvard Alumni types Alumni, Associate Members, and Program Participants who have claimed a HarvardKey. authorized-users-employees-sponsoredroles Includes all current employees of any classification, and all Harvard Sponsored Roles except Retirees. authorized-users-employees-students-sponsoredroles Includes current employees of any classification, students, and all Harvard Sponsored Roles except Retirees. authorized-users-employees-students-classparticipants-sponsoredroles Includes current employees of any classification, students, class participants, and all Harvard Sponsored Roles except Retirees. authorized-users-employees-students-class-participants-sponsored-roles-retirees Includes current employees of any classification, students, class participants, and all Harvard Sponsored Roles including Retirees. authorized-users-employees-students-class-participants-sponsored-roles-alumni * Includes current employees of any classification, students, class participants, all Harvard Sponsored Roles except Retirees, and Alumni of role type ALUMNI who have claimed their HarvardKey. Does not include Alumni types of Associate Members or Program Participants. authorized-users-nontemp-employees-students Includes all current non-temporary employees and students. authorized-users-nontemp-employees-students-class-participants Includes all current non-temporary employees, students, and class participants. authorized-users-nontemp-employees-registered-students Includes all current non-temporary employees and registered students. authorized-users-employees-students-consultants-contractors Includes all current employees of any classification, students, and Harvard Sponsored Role types Consultant and Contingent Worker (previously Contractor). authorized-users-employees-students-class-participants-consultants-contingent-workers Includes all current employees of any classification, students, class participants, and Harvard Sponsored Roles types Consultant and Contingent Worker. authorized-users-employees-consultants-contractors-vendors Includes all current employees of any classification, and Harvard Sponsored Roles types Consultant, Contingent Worker, and Vendor. authorized-users-employees-paid-consultants-contingent-workers-vendors Includes all current paid employees of any classification and Harvard Sponsored Roles types Consultant, Contingent Worker, and Vendor. authorized-users-employees-paid-consultants-contingent-workers-vendors-collaborators Includes all current paid employees of any classification and Harvard Sponsored Roles types Consultant, Contingent Worker, Vendor, and Research Collaborator. authorized-users-employees-consultants-contingent-workers-alumni-assocmembers-progparticipants * Includes current employees of any classification, Harvard Sponsored Role of types Consultant and Contingent Worker, and Harvard Alumni types Alumni, Associate Members, and Program Participants, who have claimed a HarvardKey. authorized-users-students-employees-consultants-contingent-workers-alumni * Includes all current employees of any classification, students, Harvard Sponsored Role types Consultant and Contingent Worker, and Alumni role type Alumni, who have claimed a HarvardKey. authorized-users-students-employees-consultants-contingent-workers-alumni-assocmembers-progparticipants * Includes current students, employees of any classification, Harvard Sponsored Role types Consultant and Contingent Worker, and Harvard Alumni types Alumni, Associate Members, and Program Participants, who have claimed a HarvardKey. authorized-users-students-registered-pending Includes all registered and pending students. ### ***Green Tier*** Any user with a HarvardKey or Harvard Guest account can access your system regardless of whether they have an active role at the University except for users in the University Excluded Users group, a centrally-managed collection of users that are not permitted to access any HarvardKey-protected applications. For applications with risk or data levels above 1, this option may only be selected if the application has appropriate local authorization in place to ensure that lower assurance users are only permitted to access their own data and are not granted administrative privileges. ### ***School or Department Specific Generic Authorization Groups*** SortAuthorization Group NameIncluded User Groups**Central Administration (CA)** authorized-users-ca-all Includes all employees and Harvard Sponsored Roles, except Retirees, in Harvard Central Administration (CA). authorized-users-huit-all Includes all employees and Harvard Sponsored Roles, except Retirees, in Harvard University IT (HUIT). authorized-users-huit-employees-consultants-contingent-workers Includes all employees and Harvard Sponsored Roles of type Consultants and Contingent Workers in Harvard University IT (HUIT). authorized-users-huit-iam-all Includes all employees and Harvard Sponsored Roles, except Retirees, in HUIT Identity and Access Management (IAM). **Faculty of Arts and Sciences (FAS)** authorized-users-fas-all Includes all current students, class participants, employees and Harvard Sponsored Roles, except Retirees, in FAS. **Graduate School of Arts and Sciences (GSAS)** authorized-users-gsas-students-registered Includes current registered students in GSAS. Student status-codes Registered-R,EG,EP. gsas-students-registered-incl-onleave Includes current registered students in GSAS, including students on leave. Student status-codes Registered-R,EG,EP, On Leave Paying Facilities Fees-LF, and Leave of Absence-LA. **Graduate School of Design (GSD)** authorized-users-gsd-all Includes all current students, class participants, employees and Harvard Sponsored Roles, except Retirees, in GSD. **Graduate School of Education (GSE)** authorized-users-gse-all Includes all current students, class participants, employees and Harvard Sponsored Roles, except Retirees, in GSE. authorized-users-gse-employees-excl-faculty Includes all current employee classifications except Senior and Junior Faculty, in GSE. **Harvard Art Museums (HAM)** authorized-users-ham-employees Includes all current employees in the Harvard Art Museums (HAM). **Harvard Divinity School (HDS)** authorized-users-hds-employees-sponsoredroles Includes all employees, including temporary, and Harvard Sponsored Roles in HDS. authorized-users-hds-employees-sponsoredroles-other-staff Includes all employees, including temporary, and Harvard Sponsored Roles in HDS, plus other non-HDS shared services staff as identified by HDS. authorized-users-hds-students-employees-sponsoredroles-other-staff Includes all students, and employees, including temporary, and Harvard Sponsored Roles in HDS, plus other non-HDS shared services staff as identified by HDS. **Harvard Law School (HLS)** authorized-users-hls-all Includes all current students, class participants, employees and Harvard Sponsored Roles, except Retirees, in HLS. authorized-users-hls-all-and-alumni * Includes all current students, class participants, employees, Harvard Sponsored Roles, except Retirees, Extended Affiliates, and Alumni in HLS. authorized-users-hls-employees Includes all current employees in HLS. authorized-users-hls-employees-sponsoredroles Includes all current employees and Harvard Sponsored Roles, except Retirees, in HLS. authorized-users-hls-employees-students Includes all current employees and Students in HLS. **Harvard Medical School (HMS)** authorized-users-hms-all Includes all current students, class participants, employees and Harvard Sponsored Roles, except Retirees, in HMS. Does not include the School of Dental Medicine (SDM). authorized-users-hms-employees Includes all current employees in HMS. Does not include the School of Dental Medicine (SDM). **Harvard Medical School (HMS) and Harvard School of Dental Medicine (SDM)** authorized-users-hms-sdm-all Includes all current students, class participants, employees and Harvard Sponsored Roles, except Retirees, in HMS and SDM. **Harvard T.H.Chan School of Public Health (HSPH)** authorized-users-sph-all Includes all current students, class participants, employees and Harvard Sponsored Roles, except Retirees, in HSPH. authorized-users-sph-all-employees Includes all current employees of any employee classification, including temporary, in HSPH. authorized-users-sph-all-employees-sponsoredroles Includes all current employees of any employee classification, including temporary, and Harvard Sponsored Roles in HSPH. authorized-users-sph-faculty-staff Includes all current faculty and staff in HSPH. Includes faculty (employee class-codes Senior Faculty-F, Junior Faculty-J and Other Academic-O) and staff (employee class codes Admin and Professional-A, and Support Staff-S). authorized-users-sph-staff Includes all current staff in HSPH. Includes employee class-codes Admin and Professional-A, and Support Staff-S. authorized-users-sph-employees-students-class-participants Includes all employees of any employee classification, including temporary, students and class participants in HSPH. **Harvard University Health Services (HUHS) and Harvard University Information Technology (HUIT)** authorized-users-huhs-huit-employees-sponsoredroles Includes all current employees and Harvard Sponsored roles in HUHS and HUIT. authorized-users-huhs-huit-employees-consultants-contingentworkers Includes all employees and Harvard Sponsored Roles of type Consultant and Contingent Worker, in HUHS and HUIT. ### **Related Resources** - [HarvardKey Application Integration ](/get-started/app-integration)