Users involved in installation, customization, and configuration

The users described here are involved in planning, installing, customizing, and configuring FTM SWIFT.

Table 1. Users involved in installation, customization, and configuration (columns: User, Description, Authorization)
User: Planner
Description: This user determines:
  • The number and names of instances, OUs, broker servers, application servers, and SAG servers
  • Which services are to be assigned to each OU-server combination
  • Which type of SAG clustering is to be used, and the composition of each SAG cluster
  • Resource requirements such as storage requirements
  • Who is to carry out all installation and customization tasks
Authorization: (none)
User: Installer
Description: This user installs and uninstalls FTM SWIFT.
Authorization:
  Recommended user ID: UIM1
  On the installation system, this user requires membership in a primary group that has the rights specified for the group DNIINST.
  OMVS segment required.

User: Customizer
Description: This user employs the CDP to manage instances, servers, and OUs, and transfers deployment data to runtime systems.
Authorization:
  Recommended user ID: UCUST1
  On the customization system, this user requires:
    • Membership in a primary group that has the rights specified for the group DNICUSGR
    • Membership in group DNIADMIN
    • Authorization to create new partitioned data sets using the prefix specified in the initialization file of the Customization Definition Program. The default value for this prefix is FTMDEP.FTMSW300.
    • A region size of at least 400 MB
  OMVS segment required.

User: Database administrator
Description: This user configures and maintains database resources, including those that are needed by FTM SWIFT, and carries out the following tasks:
  • Prepares and runs database configuration jobs
  • Creates the FTM SWIFT database
  • Creates storage groups, table spaces, tables, and indices for FTM SWIFT
  • Installs routines
  • Grants and revokes database privileges
  • Creates or drops procedures
  • Loads initial data into the runtime database
  • Binds plans and packages
  • Carries out housekeeping tasks such as backing up and archiving data
  • Starts and stops the database
Authorization:
  Recommended user ID: UDB2ADM1
  On the runtime system on which the database is located, this user requires:
    • Membership in group DNILPP
    • Read and write access to the following data sets:
      prefix.DNIvINST.ADMIN
      prefix.DNIvINST.ADMIN.ou
      where prefix represents the prefix used by the deployment data sets, for example FTMDEP.FTMSW300.
    • Read access to the Db2® program DSNTEP2
    • A region size of at least 2 GB
    • If the schema name of the runtime tables is:
      • Identical to the primary authorization ID of this user, either SYSADM authority or the rights described in Choosing a schema name
      • Not identical to the primary authorization ID of this user, SYSADM authority

User: ESM administrator
Description: This user administers an external security manager (ESM) such as IBM® Resource Access Control Facility (RACF®):
  • Creates user IDs and groups
  • Creates security profiles
  • Assigns users or groups to security profiles
Authorization:
  Recommended user ID: UESM1
  On the runtime systems, this user requires membership in group DNICUSGR.
  OMVS segment required.

User: IBM MQ administrator
Description: This user configures and maintains IBM MQ queues and queue managers, including those that are needed by FTM SWIFT.
Authorization:
  Recommended user ID: UWMQADM1
  On the runtime systems, this user requires:
    • Membership in group DNICUSGR
  If queue manager security is activated, this user must have the right to define queues and channels.

User: IBM Integration Bus application developer
Description: This user copies projects and plug-ins to a Toolkit workstation, installs plug-ins, imports sample projects, and creates message flows. This user also creates and deploys BAR files in a test environment.
Authorization:
  Recommended user ID: UWMBAD1
  On the runtime system where the message broker for test purposes runs, this user requires:
    • Membership in group DNIADMIN
  OMVS segment required.

User: IBM Integration Bus administrator
Description: This user configures the brokers used by FTM SWIFT, issues broker commands (for example, to activate broker statistics and accounting), starts and stops brokers, and runs the Broker Administration Program (BAP) to deploy and customize the BAR files.
Authorization:
  Recommended user ID: UWMBA1
  On the runtime system on which the broker runs, this user requires:
    • Membership in group DNILPP
    • Membership in group DNICUSGR
    • Read, write, and execute permissions for the members of the broker PDSE
    • Permission to create a broker PDSE (when migrating)
    • Administration security permissions to administer the broker
    • A region size of at least 400 MB
  OMVS segment required.

User: broker started task
Description: This is the user ID under which the broker procedure runs.
Authorization:
  Recommended user ID: UBRK1
  On the runtime system on which the broker runs, this user requires:
    • The role SWIFTNetFINSender for each business OU for which the MER Facility is to process FIN messages that are routed to the SIPN FIN or FMT FIN services
    • The role DnfEfaApplication for each business OU on behalf of which messages are routed to the MSIF transfer service, for example:
      • MX messages processed by the MER Facility
      • RMA messages
    • Membership in group DNILPP
    • Membership in the group specified by the placeholder DNIvSGRP
    • Read permission for the vault that is created in step 2.a in Activating the data integrity framework
  OMVS segment required.

User: user ID of Java WLM application environment
Description: This is the user ID that is associated with the address space of the Java WLM application environment.
Authorization:
  On the runtime system, this user requires read permission for the vault that is created in step 2.a in Activating the data integrity framework.

User: application server started task
Description: This is the user ID under which the application server procedure runs.
Authorization:
  Recommended user ID: UWAS1
  On the runtime system on which the application server runs, this user requires:
    • Read and write access to the installation directory of the application server
  On the runtime system on which the queue manager of the application server runs, this user requires:
    • Membership in the groups specified by the placeholders DNIvWGRP, DNIvYGRP, and DNIvOGRP
    • Permission to connect to the queue manager
    • If context security checking is switched on, permission to set the user identifier

User: WebSphere® Application Server administrator
Description: This user authorizes the installation of the FTM SWIFT enterprise applications, and uses the administrative console to:
  • Configure application servers
  • Start, stop, and configure enterprise applications
  • In network deployment environments (not single-server environments), start and stop application servers
Authorization:
  Recommended user ID: UWASA1
  This user must be part of the configured external user registry (for example, LDAP) of the WebSphere Application Server environment and have the administration and security roles in the WebSphere Application Server environment. This user does not need to be defined in the local operating system.

User: WebSphere Application Server operator
Description: This user:
  • Starts and stops application servers
  • Installs the FTM SWIFT enterprise applications
Authorization:
  Recommended user ID: UWASO1
  On the runtime system on which the application server runs, this user requires:
    • Membership in group DNILPP
    • Read and write access to the installation directory of the application server
  On the customization system, this user requires:
    • Membership in group DNICUSGR
  OMVS segment required.

User: Runtime data accessor
Description: In an application-server authentication alias for JDBC data sources, this user is used to authenticate the connection between an FTM SWIFT enterprise application and the runtime database.
Authorization:
  Recommended user ID: URUNDA1
  On the runtime system on which the database is located, this user requires:
    • Permission to connect to the runtime database of the instance by means of JDBC
    • Read and write access to the database tables by being a member of the group DNIvUGRP

User: Reference data accessor
Description: This user is used in an application-server authentication alias for JDBC data sources to authenticate the connection between the Reference Data component of an FTM SWIFT enterprise application and the runtime database that contains the reference data tables. Reference data tables can be shared among several instances, and the runtime database in which they are located can be different from the runtime database of the instance in which the enterprise application is deployed.
Authorization:
  Recommended user ID: UREFDA1
  On the runtime system on which the database that contains the reference data tables is located, this user requires:
    • Permission to connect, by means of JDBC, to the runtime database
    • Read access to the reference data tables by being a member of the group DNIvRGRP

User: Web-application queue accessor
Description: An FTM SWIFT enterprise application uses the user ID of this user to obtain configuration and security data. The user ID of this user is specified as the environment entry during configuration of the application server.
Authorization:
  Recommended user ID: UWEBQA1
  This user requires:
    • The role DnfRmCfg for SYSOU, DNFSYSOU, and for each business OU for which the RMA Facility is to manage relationships
    • The role DnpAoCfg for SYSOU
    • The role DnqERCfg for SYSOU, and for each business OU for which the MER Facility is to process messages

User: First FTM SWIFT system configuration administrator
Description: This user:
  • Creates, commits, approves, and deploys FTM SWIFT configuration entities
  • Can switch off dual authorization for the system administration and security administration services
Authorization:
  Recommended user ID: SA1
  On the runtime system where the broker runs, this user requires:
    • The role DniSA for the SYSOU
    • Membership in group DNILPP
    • Membership in group DNICUSGR
    • Membership in the group specified by the placeholder DNIvYGRP
    • Membership in the group specified by the placeholder DNIvOGRP
    • The right to connect to the queue manager used by the FTM SWIFT CLI (see Granting the right to connect to the queue manager)
  OMVS segment required.

User: Second FTM SWIFT system configuration administrator
Description: This user:
  • If dual authorization is active, approves FTM SWIFT configuration entities that were committed by the first FTM SWIFT system configuration administrator (SA1)
  • Approves the switching off of dual authorization for the system administration and security administration services
Authorization:
  Recommended user ID: SA2
  Note: The user ID of this user must be different from that of the first FTM SWIFT system configuration administrator.
  Otherwise, same as for the first FTM SWIFT system configuration administrator.

User: First FTM SWIFT security administrator
Description: This user creates and commits the FTM SWIFT roles and relationships that are required to work with OUs and COs, and that determine the access rights of each user.
Authorization:
  Recommended user ID: UA1
  On the runtime system where the broker runs, this user requires:
    • The role DniUA for the SYSOU
    • Membership in group DNILPP
    • Membership in group DNICUSGR
    • Membership in the group specified by the placeholder DNIvYGRP
    • Membership in the group specified by the placeholder DNIvOGRP
    • The right to connect to the queue manager used by the FTM SWIFT CLI (see Granting the right to connect to the queue manager)
  OMVS segment required.

User: Second FTM SWIFT security administrator
Description: If dual authorization is not active, this user is not needed. If dual authorization is active, this user approves the FTM SWIFT roles and relationships committed by the first FTM SWIFT security administrator (UA1).
Authorization:
  Recommended user ID: UA2
  Note: The user ID of this user must be different from that of the first FTM SWIFT security administrator.
  Otherwise, same as for the first FTM SWIFT security administrator.

User: SAG Add-On Installer
Description: The SAG Add-On must be installed on the SAG workstation by the root user (AIX®, RHEL x86, and Solaris) or by a user having administrative rights (Windows).
Authorization: (none)

User: RA owner
Description: During installation of the SAG Add-On, the root user must specify the user ID of the RA owner, because only the RA owner has authorization to access the SAG remote API, and the SAG Add-On uses that API to communicate with SAG. This user ID must be used to customize the SAG Add-On configuration profile as described in Setting the SAG operator password.
Authorization:
  This user ID must also be defined on the broker runtime system, and must have access to the remote event service and the queues used by the SAG Add-On.
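Several rows of Table 1 reduce to the same two RACF checks: is the user ID connected to the named groups, and does it have an OMVS segment. The following script is an added example, not IBM's code and not part of this documentation; it parses RACF LISTUSER output and reports, for a subset of the user IDs above, missing group connects, a missing OMVS segment, a revoked ID, and the SPECIAL or OPERATIONS attributes that none of these IDs needs. It assumes the usual LISTUSER layout (a USER= line per user, DEFAULT-GROUP= and ATTRIBUTES= lines, one GROUP=... AUTH=... line per connect, and an OMVS INFORMATION section when LU is issued with the OMVS keyword); the sample output it runs on is constructed, not captured from a system. Data-set access, Db2 authorities and region sizes are not visible in LISTUSER and are outside this check.

```python
"""Audit RACF LISTUSER output against the group and OMVS requirements in Table 1.

Added example, not IBM's code. Assumes the usual LISTUSER layout (USER=, DEFAULT-GROUP=,
ATTRIBUTES=, one "GROUP=... AUTH=..." line per connect, "OMVS INFORMATION" section).
"""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Requirement:
    groups: frozenset      # groups the user must be connected to (from Table 1)
    omvs: bool = False     # True where Table 1 says "OMVS segment required"

# Subset of Table 1. Data-set access, Db2 authorities and region sizes are not
# visible in LISTUSER and need separate checks.
REQUIREMENTS = {
    "UCUST1": Requirement(frozenset({"DNICUSGR", "DNIADMIN"}), omvs=True),  # Customizer
    "UESM1": Requirement(frozenset({"DNICUSGR"}), omvs=True),               # ESM administrator
    "UWMBA1": Requirement(frozenset({"DNILPP", "DNICUSGR"}), omvs=True),    # IIB administrator
    "UWMQADM1": Requirement(frozenset({"DNICUSGR"})),                       # IBM MQ administrator
}
# No Table 1 user needs these RACF attributes; finding one is over-privilege.
EXCESS_ATTRIBUTES = {"SPECIAL", "OPERATIONS"}


@dataclass
class UserRecord:
    userid: str
    default_group: str = ""
    groups: set = field(default_factory=set)
    attributes: set = field(default_factory=set)
    has_omvs: bool = False


def parse_listuser(text):
    """Parse concatenated LISTUSER output for one or more users, keyed by user ID."""
    records, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"USER=(\S+)", line):            # a new user starts here
            current = UserRecord(userid=m.group(1))
            records[current.userid] = current
            continue
        if current is None:
            continue
        if m := re.search(r"DEFAULT-GROUP=(\S+)", line):
            current.default_group = m.group(1)
        if m := re.match(r"\s*ATTRIBUTES=(.*)", line):    # user-level, not "CONNECT ATTRIBUTES="
            current.attributes.update(m.group(1).split())
        if m := re.match(r"\s*GROUP=(\S+)\s+AUTH=", line):
            current.groups.add(m.group(1))
        if line.strip() == "OMVS INFORMATION":
            current.has_omvs = True
    return records


def audit(records, requirements=REQUIREMENTS):
    """Return {userid: [finding, ...]}; an empty list means the user matches Table 1."""
    findings = {}
    for userid, req in requirements.items():
        rec = records.get(userid)
        if rec is None:
            findings[userid] = ["user ID not defined"]
            continue
        issues = [f"missing connect to group {g}" for g in sorted(req.groups - rec.groups)]
        if req.omvs and not rec.has_omvs:
            issues.append("OMVS segment missing")
        if "REVOKED" in rec.attributes:
            issues.append("user ID is revoked")
        issues += [f"has {a} attribute, which Table 1 does not require"
                   for a in sorted(rec.attributes & EXCESS_ATTRIBUTES)]
        findings[userid] = issues
    return findings


# Constructed, abridged LISTUSER output: UCUST1 is compliant, UESM1 lacks an OMVS segment,
# UWMBA1 lacks DNICUSGR and an OMVS segment and carries SPECIAL, UWMQADM1 is not defined.
SAMPLE_LISTUSER = """\
USER=UCUST1  NAME=FTM SWIFT CUSTOMIZER  OWNER=DNIADMIN  CREATED=24.100
 DEFAULT-GROUP=DNICUSGR  PASSDATE=24.100  PASS-INTERVAL= 90  PHRASEDATE=N/A
 ATTRIBUTES=NONE
  GROUP=DNICUSGR  AUTH=USE      CONNECT-OWNER=DNIADMIN  CONNECT-DATE=24.100
    CONNECT ATTRIBUTES=NONE
  GROUP=DNIADMIN  AUTH=USE      CONNECT-OWNER=DNIADMIN  CONNECT-DATE=24.100
    CONNECT ATTRIBUTES=NONE

OMVS INFORMATION
----------------
UID= 0000001001
HOME= /u/ucust1
PROGRAM= /bin/sh
USER=UESM1  NAME=FTM SWIFT ESM ADMIN  OWNER=DNIADMIN  CREATED=24.100
 DEFAULT-GROUP=DNICUSGR  PASSDATE=24.100  PASS-INTERVAL= 90  PHRASEDATE=N/A
 ATTRIBUTES=NONE
  GROUP=DNICUSGR  AUTH=USE      CONNECT-OWNER=DNIADMIN  CONNECT-DATE=24.100
USER=UWMBA1  NAME=FTM SWIFT IIB ADMIN  OWNER=DNIADMIN  CREATED=24.100
 DEFAULT-GROUP=DNILPP  PASSDATE=24.100  PASS-INTERVAL= 90  PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL
  GROUP=DNILPP  AUTH=USE      CONNECT-OWNER=DNIADMIN  CONNECT-DATE=24.100
"""

if __name__ == "__main__":
    for userid, issues in audit(parse_listuser(SAMPLE_LISTUSER)).items():
        print(f"{userid}: {'; '.join(issues) or 'OK'}")
```

To run it against a real system, replace SAMPLE_LISTUSER with the saved output of LU for the user IDs in REQUIREMENTS, issued with the OMVS keyword so that the OMVS INFORMATION section is present; extend REQUIREMENTS with the other rows of Table 1 as needed. The over-privilege check is deliberate: a service or administrator ID from this table that carries SPECIAL or OPERATIONS has far more authority than the table calls for and should be investigated.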