grantRole

Purpose

Use this command to assign a role for a particular service to a user. The role that is assigned is not an FTM SWIFT role but a SWIFTNet role. You must grant the role only once for each SWIFTNet user, even if you have several SAGs. You must obtain the names of the SWIFTNet user roles from the SWIFTNet service providers.

The authoriser DN you specify for this command must have one of the following SWIFT roles:
Delegator
Issue the command without a four-eyes token. The command is processed.
Delegator4eyes
Issue the command without a four-eyes token. The command returns a four-eyes token. Another user with a similar role must then reissue this command with that four-eyes token.
SWIFT automatically assigns each security officer (SO) the Delegator role. A security officer can then decide to use the gr command to create other security officers.
Notes:
  1. This command can take a few minutes to process. To ensure that you receive the result, use the .set command to set the timeout interval to a higher value. For example, to set the timeout interval to 300 seconds (=300 000 milliseconds), enter:
    INST1.DNFSYSOU.DNFSAGCFG>.set -to 300000
    For more information about setting the timeout interval, see Setting environment variables for the CLI.
  2. Due to memory cache refreshment at switches in the SIPN, there can be a delay of up to 5 minutes between the time a role is granted or ungranted and the time when the associated operations become permissible.
Required access rights: See Table 4
Predefined roles that provide required access rights: See Table 2
Required SWIFTNet role: Delegator or Delegator4eyes
Issue for OU: DNFSYSOU
Issue to service: DNFSAGCFG

Format

grantRole | gr -sag sag -ou ou -user user -role role -service service -qualifier ( -name name -value value ) -foureyestoken token -authDn authoriserDN -reqDn requestorDN

Parameters

-sag sag
Name of the SAG.
-ou ou
Name of the business OU defined for FTM SWIFT. FTM SWIFT checks if the user who invokes the command is authorized to use the distinguished names (DN) specified in this command, for example, if the FTM SWIFT user is authorized to act on behalf of the specified DNs. The user must have the role DnfDNSec. The -ou parameter is only used by FTM SWIFT for access checking and is not attached to the command sent to SWIFTNet (see Configuring DNs and access to them).
-user user
User ID.
-role role
The role to grant.
-service service
The service, such as the FIN service.
-qualifier
A set of qualifications.
name name
Service parameter name.
value value
Service parameter value.
-foureyestoken token
Specify the four-eyes token that was returned after another user with the SWIFTNet role Delegator4eyes entered this command.
-authDn authoriserDN
Distinguished name (DN) of the authoriser of this command. FTM SWIFT attaches the DN to the command and sends it to the SIPN. The SIPN checks if the DN is authorized to invoke this command. The specified DN must be certified and have the necessary roles assigned. You can use the DN of your local SWIFT security officer. See Configuring DNs and access to them.
-reqDn requestorDN
Distinguished name (DN) of the requestor of this command. FTM SWIFT attaches the DN to the command to specify the sender of the command and sends it to the SIPN. You can use the DN of your local SWIFT security officer. See Configuring DNs and access to them.

Examples

The following command, entered on a single line, grants the FIN role of the FIN service to the user john-smith:
INST1.DNFSYSOU.DNFSAGCFG>gr -sag SAG1
                            -ou BANKA
                            -user cn=john-smith,o=xxxxdeff,o=swift
                            -role fin
                            -service swift.fin
                            -authDn cn=sec-officer,o=xxxxdeff,o=swift
                            -reqDn cn=sec-officer,o=xxxxdeff,o=swift
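
The four-eyes sequence described for the Delegator4eyes role, shown as an added example that is not part of the original documentation. It assumes both security officers hold the Delegator4eyes role; the second officer's DN (cn=sec-officer-2) is constructed, its use for both -authDn and -reqDn in step 2 is an assumption, and <four-eyes-token> is a placeholder for the token returned by step 1. Each command is entered on a single line.

```text
Raise the CLI timeout first, because the command can take a few minutes:

INST1.DNFSYSOU.DNFSAGCFG>.set -to 300000

Step 1: the first officer issues the command without a four-eyes token.
The command returns a four-eyes token instead of granting the role.

INST1.DNFSYSOU.DNFSAGCFG>gr -sag SAG1
                            -ou BANKA
                            -user cn=john-smith,o=xxxxdeff,o=swift
                            -role fin
                            -service swift.fin
                            -authDn cn=sec-officer,o=xxxxdeff,o=swift
                            -reqDn cn=sec-officer,o=xxxxdeff,o=swift

Step 2: a second officer (constructed DN) reissues the same command
and supplies the token returned in step 1.

INST1.DNFSYSOU.DNFSAGCFG>gr -sag SAG1
                            -ou BANKA
                            -user cn=john-smith,o=xxxxdeff,o=swift
                            -role fin
                            -service swift.fin
                            -foureyestoken <four-eyes-token>
                            -authDn cn=sec-officer-2,o=xxxxdeff,o=swift
                            -reqDn cn=sec-officer-2,o=xxxxdeff,o=swift
```

The -user, -role and -service values are identical in both steps, so the second officer approves exactly the grant that the first officer requested. As stated in the notes, allow up to 5 minutes before the granted role takes effect.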